Merge branch 'main' into patch-10

docs/content/services/batch/batch-accounts/_index.md

@@ -14,8 +14,8 @@ The presented resiliency recommendations in this guidance include Batch Accounts
 {{< table style="table-striped" >}}
 | Recommendation | Impact | Design Area | State | ARG Query Available |
 |:--------------------------------------------------------------------------------------------------------------------------|:------:|:------------:|:-------:|:-------------------:|
-| [BA-1 Monitor Batch account quota](#ba-1---monitor-batch-account-quota) | Medium | Monitoring | Preview | No |
-| [BA-3 Create an Azure Batch pool across Availability Zones](#ba-3---create-an-azure-batch-pool-across-availability-zones) | High | Availability | Preview | No |
+| [BA-1 - Monitor Batch account quota](#ba-1---monitor-batch-account-quota) | Medium | Monitoring | Preview | No |
+| [BA-3 - Create an Azure Batch pool across Availability Zones](#ba-3---create-an-azure-batch-pool-across-availability-zones) | High | Availability | Preview | No |
 
 {{< /table >}}
 

docs/content/services/compute/compute-gallery/_index.md

@@ -12,11 +12,11 @@ The presented resiliency recommendations in this guidance include Compute Galler
 ## Summary of Recommendations
 
 {{< table style="table-striped" >}}
-| Recommendation                                                                                                                                                      |   Category   | Impact |  State  | ARG Query Available |
-|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------:|:------:|:-------:|:-------------------:|
-| [CG-1 - A minimum of three replicas should be kept for production image versions](#cg-1---a-minimum-of-three-replicas-should-be-kept-for-production-image-versions) | Availability | Medium | Preview |         Yes         |
-| [CG-2 - Zone redundant storage should be used for image versions](#cg-2---zone-redundant-storage-should-be-used-for-image-versions)                                 | Availability | Medium | Preview |         Yes         |
-| [CG-3 - Consider using hyper-V generation version 2 images where possible](#cg-3---consider-using-hyper-v-generation-version-2-images-where-possible)               | Availability |  Low   | Preview |         Yes         |
+| Recommendation                                                                                                                                                      |   Category   | Impact |  State   | ARG Query Available |
+|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------:|:------:|:--------:|:-------------------:|
+| [CG-1 - A minimum of three replicas should be kept for production image versions](#cg-1---a-minimum-of-three-replicas-should-be-kept-for-production-image-versions) | Availability | Medium | Verified |         Yes         |
+| [CG-2 - Zone redundant storage should be used for image versions](#cg-2---zone-redundant-storage-should-be-used-for-image-versions)                                 | Availability | Medium | Verified |         Yes         |
+| [CG-3 - Consider creating TrustedLaunchSupported images where possible](#cg-3---consider-creating-trustedlaunchsupported-images-where-possible)        | Availability |  Low   | Verified |         Yes         |
 {{< /table >}}
 
 {{< alert style="info" >}}
@@ -77,15 +77,15 @@ You can also choose the account type for each of the target regions. The default
 
 <br><br>
 
-### CG-3 - Consider using hyper-V generation version 2 images where possible
+### CG-3 - Consider creating TrustedLaunchSupported images where possible
 
-**Category: Availability**
+**Category: Access & Security**
 
 **Impact: Low**
 
 **Guidance**
 
-We recommend that you create a generation 2 virtual machine to take advantage of features like Secure Boot, vTPM, trusted launch VMs, large boot volume. Your choice to create a generation 1 or generation 2 virtual machine depends on which guest operating system you want to install and the boot method you want to use to deploy the virtual machine. You can't change a virtual machine's generation after you've created it. So it is recommended to review the [considerations](https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v#which-guest-operating-systems-are-supported) first.
+We recommend that you create a Trusted Launch Supported Images to take advantage of features like Secure Boot, vTPM, trusted launch VMs, large boot volume. Trusted Launch Supported Images are Gen 2 Images by default. You can’t change a virtual machine’s generation after you’ve created it. So it is recommended to review the [considerations](https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v#which-guest-operating-systems-are-supported) first.
 
 **Resources**
 

docs/content/services/compute/image-templates/_index.md

@@ -12,10 +12,10 @@ The presented resiliency recommendations in this guidance include Image Template
 ## Summary of Recommendations
 
 {{< table style="table-striped" >}}
-| Recommendation                                                                                                              |     Category      | Impact |  State  | ARG Query Available |
-|:----------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:|
-| [IT-1 - Use Generation 2 virtual machine source image](#it-1---use-generation-2-virtual-machine-source-image)               |   Availability    |  Low   | Preview |         No          |
-| [IT-2 - Replicate your Image Templates to a secondary region](#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery |  Low   | Preview |         Yes         |
+| Recommendation                                                                                                              |     Category      | Impact |  State   | ARG Query Available |
+|:----------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:--------:|:-------------------:|
+| [IT-1 - Use Generation 2 virtual machine source image](#it-1---use-generation-2-virtual-machine-source-image)               |   Availability    |  Low   | Verified |         No          |
+| [IT-2 - Replicate your Image Templates to a secondary region](#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery |  Low   | Verified |         Yes         |
 {{< /table >}}
 
 {{< alert style="info" >}}

docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql

@@ -1 +1 @@
-// under-development
+// cannot-be-validated-with-arg

docs/content/services/compute/virtual-machine-scale-sets/_index.md

@@ -22,8 +22,8 @@ The presented resiliency recommendations in this guidance include Virtual Machin
 | [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts) | Availability | High | Verified | Yes |
 | [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading) | System Efficiency | Medium | Preview | Yes |
 | [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex) | Availability | High | Verified | Yes |
-| [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated) | Automation | Low | Preview | Yes |
-| [VMSS-10 - Upgrade VMSS Image versions scheduled to be deprecated or already retired](#vmss-10---upgrade-vmss-image-versions-scheduled-to-be-deprecated-or-already-retired) | Governance | High | Preview | Yes |
+| [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated) | Automation | Low | Verified | Yes |
+| [VMSS-10 - Upgrade VMSS Image versions scheduled to be deprecated or already retired](#vmss-10---upgrade-vmss-image-versions-scheduled-to-be-deprecated-or-already-retired) | Governance | High | Preview | No |
 | [VMSS-11 - Production VMSS instances should be using SSD disks](#vmss-11---production-vmss-instances-should-be-using-ssd-disks) | System Efficiency | High | Verified | Yes |
 
 {{< /table >}}
@@ -254,6 +254,7 @@ Enabling automatic VM guest patching for your Azure VMs helps ease update manage
 **Resources**
 
 - [Automatic VM Guest Patching for Azure VMs](https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching)
+- [Auto OS Image Upgrades](https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade)
 
 **Resource Graph Query**
 

docs/content/services/compute/virtual-machine-scale-sets/code/vmss-10/vmss-10.kql

@@ -1,7 +1 @@
-// Azure Resource Graph Query
-// This query will check if the VMSS are currently using the latest image.  If not the Image reference will be empty
-resources
-| where type == "microsoft.compute/virtualmachinescalesets"
-| extend VMSSName = name
-| extend ImageReference = tostring(properties.virtualMachineProfile.storageProfile.imageReference.version)
-| project recommendationId="vmss-10",name,id, tags, param1="ImageReference"
+//cannot be validated with arg

docs/content/services/container/aks/_index.md

@@ -36,7 +36,7 @@ The presented resiliency recommendations in this guidance include Aks and associ
 | [AKS-20 - Configure system nodepool count](#aks-20---configure-system-nodepool-count)                                         |   Availability    |  High   | Preview |         Yes          |
 | [AKS-21 - Configure user nodepool count](#aks-21---configure-user-nodepool-count)                                         |   Availability    |  High   | Preview |         Yes          |
 | [AKS-22 - Configure pod disruption budgets (PDBs)](#aks-22---configure-pod-disruption-budgets-pdbs)                                         |   Availability    |  Medium   | Preview |         No          |
-| [AKS-23 - Nodepool subnet size needs to accommodate maximum auto-scale settings](#aks-23---nodepool-subnet-size-needs-to-accommodate-maximum-auto-scale-settings)                                         |   Availability    |  High   | Preview |         No          |
+| [AKS-23 - Nodepool subnet size needs to accommodate maximum auto-scale settings](#aks-23---nodepool-subnet-size-needs-to-accommodate-maximum-auto-scale-settings)                                         |   Availability    |  High   | Preview |         Yes          |
 | [AKS-24 - Enforce resource quotas at the namespace level](#aks-24---enforce-resource-quotas-at-the-namespace-level)                                         |   Availability    |  High   | Preview |         No          |
 
 {{< /table >}}

docs/content/services/container/aks/code/aks-23/aks-23.kql

@@ -1 +1,25 @@
-// cannot-be-validated-with-arg
+// Azure Resource Graph Query
+// Returns each AKS cluster with nodepools that have user nodepools with a subnetmask that does not match autoscale configured max-nodes
+// Subtracting the network address, broadcast address, and default 3 addresses Azure reserves within each subnet
+
+resources
+| where type == "microsoft.containerservice/managedclusters"
+| extend nodePools = properties['agentPoolProfiles']
+| mv-expand nodePools = properties.agentPoolProfiles
+| where nodePools.enableAutoScaling == true
+| extend nodePoolName=nodePools.name, maxNodes = nodePools.maxCount, subnetId = tostring(nodePools.vnetSubnetID)
+| project clusterId = id, clusterName=name, nodePoolName=nodePools.name, toint(maxNodes), subnetId
+| join kind = leftouter (
+    resources
+    | where type == 'microsoft.network/virtualnetworks'
+    | extend subnets = properties.subnets
+    | mv-expand subnets
+    | project id = tostring(subnets.id), addressPrefix = tostring(subnets.properties['addressPrefix'])
+    | extend subnetmask = toint(substring(addressPrefix, indexof(addressPrefix, '/')+1, string_size(addressPrefix)))
+    | extend possibleMaxNodeCount = toint(exp2(32-subnetmask) - 5)
+) on $left.subnetId == $right.id
+| project-away id, subnetmask
+| where possibleMaxNodeCount <= maxNodes
+| extend param1 = strcat(nodePoolName, " autoscaler upper limit: ", maxNodes)
+| extend param2 = strcat("ip addresses on subnet: ", possibleMaxNodeCount)
+| project recommendationId="aks-23", name=clusterName, id=clusterId, param1, param2

docs/content/services/database/cosmosdb/_index.md

@@ -14,15 +14,15 @@ The presented resiliency recommendations in this guidance include Cosmos DB and
 {{< table style="table-striped" >}}
 | Recommendation                                                                                                                                                                                  |        Category        | Impact |  State  | ARG Query Available |
 |:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------:|:------:|:-------:|:-------------------:|
-| [COSMOS-1 – Configure at least two regions for high availability](#cosmos-1---configure-at-least-two-regions-for-high-availability)                                                             |      Availability      |  High  | Preview |         Yes         |
-| [COSMOS-2 – Enable service-managed failover for multi-region accounts with single write region](#cosmos-2---enable-service-managed-failover-for-multi-region-accounts-with-single-write-region) |   Disaster Recovery    |  High  | Preview |         Yes          |
-| [COSMOS-3 – Evaluate multi-region write capability](#cosmos-3---evaluate-multi-region-write-capability)                                                                                         |   Disaster Recovery    |  High  | Preview |         Yes         |
-| [COSMOS-4 – Choose appropriate consistency mode reflecting data durability requirements](#cosmos-4---choose-appropriate-consistency-mode-reflecting-data-durability-requirements)               |   Disaster Recovery    |  High  | Preview |         No          |
-| [COSMOS-5 – Configure continuous backup mode](#cosmos-5---configure-continuous-backup-mode)                                                                                                     |   Disaster Recovery    |  High  | Preview |         Yes         |
-| [COSMOS-6 – Ensure query results are fully drained](#cosmos-6---ensure-query-results-are-fully-drained)                                                                                         |   System Efficiency    |  High  | Preview |         No          |
-| [COSMOS-7 – Maintain singleton pattern in your client](#cosmos-7---maintain-singleton-pattern-in-your-client)                                                                                   |   System Efficiency    | Medium | Preview |         No          |
-| [COSMOS-8 – Implement retry logic in your client](#cosmos-8---implement-retry-logic-in-your-client)                                                                                             | Application Resilience | Medium | Preview |         No          |
-| [COSMOS-9 – Monitor Cosmos DB health and set up alerts](#cosmos-9---monitor-cosmos-db-health-and-set-up-alerts)                                                                                 |       Monitoring       | Medium | Preview |         No          |
+| [COSMOS-1 - Configure at least two regions for high availability](#cosmos-1---configure-at-least-two-regions-for-high-availability)                                                             |      Availability      |  High  | Verified |         Yes         |
+| [COSMOS-2 - Enable service-managed failover for multi-region accounts with single write region](#cosmos-2---enable-service-managed-failover-for-multi-region-accounts-with-single-write-region) |   Disaster Recovery    |  High  | Verified |         Yes          |
+| [COSMOS-3 - Evaluate multi-region write capability](#cosmos-3---evaluate-multi-region-write-capability)                                                                                         |   Disaster Recovery    |  High  | Verified |         Yes         |
+| [COSMOS-4 - Choose appropriate consistency mode reflecting data durability requirements](#cosmos-4---choose-appropriate-consistency-mode-reflecting-data-durability-requirements)               |   Disaster Recovery    |  High  | Preview |         No          |
+| [COSMOS-5 - Configure continuous backup mode](#cosmos-5---configure-continuous-backup-mode)                                                                                                     |   Disaster Recovery    |  High  | Verified |         Yes         |
+| [COSMOS-6 - Ensure query results are fully drained](#cosmos-6---ensure-query-results-are-fully-drained)                                                                                         |   System Efficiency    |  High  | Preview |         No          |
+| [COSMOS-7 - Maintain singleton pattern in your client](#cosmos-7---maintain-singleton-pattern-in-your-client)                                                                                   |   System Efficiency    | Medium | Preview |         No          |
+| [COSMOS-8 - Implement retry logic in your client](#cosmos-8---implement-retry-logic-in-your-client)                                                                                             | Application Resilience | Medium | Preview |         No          |
+| [COSMOS-9 - Monitor Cosmos DB health and set up alerts](#cosmos-9---monitor-cosmos-db-health-and-set-up-alerts)                                                                                 |       Monitoring       | Medium | Preview |         No          |
 {{< /table >}}
 
 {{< alert style="info" >}}

docs/content/services/database/db-for-mysql/_index.md

@@ -14,8 +14,8 @@ The presented resiliency recommendations in this guidance include DB for MySQL a
 {{< table style="table-striped" >}}
 | Recommendation                                    |                                Category                                 |     Impact      |      State       | ARG Query Available |
 |:--------------------------------------------------|:-----------------------------------------------------------------------:|:---------------:|:----------------:|:-------------------:|
-| [MYSQL-1 - Enable HA with zone redundancy](#mysql-1---enable-ha-with-zone-redundancy) | Availability | High | Preview |         Yes         |
-| [MYSQL-2 - Enable custom maintenance schedule](#mysql-2---enable-custom-maintenance-schedule) |     System Efficiency      | High | Preview |         Yes          |
+| [MYSQL-1 - Enable HA with zone redundancy](#mysql-1---enable-ha-with-zone-redundancy) | Availability | High | Verified |         Yes         |
+| [MYSQL-2 - Enable custom maintenance schedule](#mysql-2---enable-custom-maintenance-schedule) |     System Efficiency      | High | Verified |         Yes          |
 {{< /table >}}
 
 {{< alert style="info" >}}

docs/content/services/database/db-for-postgresql/_index.md

@@ -14,8 +14,8 @@ The presented resiliency recommendations in this guidance include Database for P
 {{< table style="table-striped" >}}
 | Recommendation                                    |  Category                                                               |  Impact         |  State            | ARG Query Available |
 | :------------------------------------------------ | :---------------------------------------------------------------------: | :------:        | :------:          | :-----------------: |
-| [PSQL-1 - Enable HA with zone redundancy](#psql-1---enable-ha-with-zone-redundancy) | Availability | High | Preview  |         Yes         |
-| [PSQL-2 - Enable custom maintenance schedule](#psql-1---enable-ha-with-zone-redundancy) | System Efficiency | High | Preview  |         Yes         |
+| [PSQL-1 - Enable HA with zone redundancy](#psql-1---enable-ha-with-zone-redundancy) | Availability | High | Verified  |         Yes         |
+| [PSQL-2 - Enable custom maintenance schedule](#psql-1---enable-ha-with-zone-redundancy) | System Efficiency | High | Verified  |         Yes         |
 {{< /table >}}
 
 {{< alert style="info" >}}