diff --git a/.github/actions/get_aprl/entrypoint.py b/.github/actions/get_aprl/entrypoint.py
index 8d57333b1..f0608103c 100644
--- a/.github/actions/get_aprl/entrypoint.py
+++ b/.github/actions/get_aprl/entrypoint.py
@@ -93,6 +93,7 @@ def get_aprl_recos():
github_file_extension = '.yaml'
github_branch = 'master'
retrieved_recos = []
+ timestamp = datetime.date.today().strftime("%B %d, %Y")
# Get last commit to APRL reco
if (verbose): print("DEBUG: Scanning GitHub repository {0} for {1} files...".format(github_repo, github_file_extension))
r = requests.get(f'https://api.github.com/repos/{github_org}/{github_repo}/commits')
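Review bot: The new `timestamp` line relies on a `datetime` import at the top of get_aprl/entrypoint.py that is not visible in the hunk; the identical line added to parse_markdown in get_service_guides/entrypoint.py has the same dependency, so confirm both files import it. The `"%B %d, %Y"` format yields a display string (constructed example: `January 02, 2024`) that downstream JSON consumers would have to parse with a locale-sensitive format; if the field is meant for sorting or comparison, `datetime.date.today().isoformat()` is the unambiguous choice. get_aprl_recos starts before this hunk and continues after it.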
@@ -131,7 +132,9 @@ def get_aprl_recos():
item['severity'] = item['recommendationImpact']
item['category'] = item['recommendationControl']
item['guid'] = item['aprlGuid']
- item['source'] = file_path
+ item['sourceFile'] = file_path
+ item['sourceType'] = 'aprl'
+ item['timestamp'] = timestamp
retrieved_recos += aprl_recos
if verbose: print("DEBUG: {0} recommendations found in file {1}".format(len(aprl_recos), file_path))
else:
diff --git a/.github/actions/get_service_guides/entrypoint.py b/.github/actions/get_service_guides/entrypoint.py
index db5d5b8f1..8a38be748 100644
--- a/.github/actions/get_service_guides/entrypoint.py
+++ b/.github/actions/get_service_guides/entrypoint.py
@@ -75,6 +75,11 @@
args_verbose = (sys.argv[3].lower() == 'true')
except:
args_verbose = True
+try:
+ args_overwrite = (sys.argv[4].lower() == 'true')
+except:
+ args_overwrite = False
+
# These parameters haven't been implemented in the github action
args_print_json = False
args_extract_key_phrases_checklist = False
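Review bot: The bare `except:` around `sys.argv[4]` catches everything, including `SystemExit` and `KeyboardInterrupt`, when the only expected failure is the argument being absent; `except IndexError:` states that intent. Because `args_overwrite` gates discarding the GUIDs of an existing checklist in update_guids, a comment such as `# Regenerate every GUID even when the checklist file exists (default: keep existing GUIDs)` would help the next reader. These are module-level statements, not part of a function.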
@@ -197,10 +202,11 @@ def short_pillar(pillar):
else: return pillar
# Function to parse markdown
-def parse_markdown(markdown, service, verbose=False):
+def parse_markdown(markdown, service, source=None, verbose=False):
recos = []
waf_pillars = ['cost optimization', 'operational excellence', 'performance efficiency', 'reliability', 'security']
processing_pillar = ''
+ timestamp = datetime.date.today().strftime("%B %d, %Y")
if (verbose): print("DEBUG: Processing markdown file...")
line_count = 0
for line in markdown.split('\n'):
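Review bot: Inserting `source=None` ahead of `verbose` changes any call that passes verbose as the third positional argument, since that value now lands in `source`; the caller updated in this commit uses the keyword form, but appending the parameter instead, `def parse_markdown(markdown, service, verbose=False, source=None):`, or making it keyword-only with `*, source=None`, removes the trap. parse_markdown continues beyond the end of the hunk.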
@@ -211,7 +217,10 @@ def parse_markdown(markdown, service, verbose=False):
if (verbose): print("DEBUG: Processing pillar '{0}'".format(processing_pillar))
if (line[0:4] == '> - ') and (processing_pillar != ''):
reco = line[4:]
- recos.append({'waf': processing_pillar, 'service': service, 'text': remove_markdown(reco), 'description': '', 'type': 'checklist'})
+ reco_object = {'waf': processing_pillar, 'service': service, 'text': remove_markdown(reco), 'description': '', 'type': 'checklist', 'sourceType': 'wafsg', 'timestamp': timestamp}
+ if source:
+ reco_object['sourceFile'] = source
+ recos.append(reco_object)
# If line matches a pattern that starts with "|" then comes a text, then "|" and a description and a closing "|"
if (line[0:1] == '|'):
line_table_items = line.split('|')
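Review bot: `sourceFile` is only written when `source` is truthy, whereas the APRL and AKS retrievers in this commit always set the key, so recos produced by a call without `source` will lack it and consumers reading `reco['sourceFile']` must handle both shapes. Writing `reco_object['sourceFile'] = source` unconditionally (yielding `None` when absent) would keep the output schema uniform across the three actions. parse_markdown extends past this hunk.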
@@ -258,7 +267,7 @@ def get_waf_service_guide_recos():
if r.status_code == 200:
svcguide = r.text
if (args_verbose): print("DEBUG: Parsing service guide '{0}', {1} characters retrieved...".format(file_path, len(svcguide)))
- svc_recos = parse_markdown(svcguide, service, verbose=False)
+ svc_recos = parse_markdown(svcguide, service, source=file_path, verbose=False)
if (len(svc_recos) > 0):
retrieved_recos += svc_recos
if args_verbose: print("DEBUG: {0} recommendations found for service '{1}'".format(len(svc_recos), service))
@@ -315,24 +324,33 @@ def get_waf_service_guide_recos():
# If file exists, try to match the recos in the file by the text field and update the GUIDs
# If file doesn't exist, generate random GUIDs for each reco
def update_guids(checklist, filename):
- # If file exists
+ # If file exists, we can either overwrite it and generate new GUIDs or try to match the recos by text
+ # Note that if matching the recos by GUID, the old recos that do not exactly match the text of the new ones will be lost
if os.path.isfile(filename):
- if (args_verbose): print("DEBUG: Retrieving checklist GUIDs from file {0}...".format(filename))
- existing_checklist = load_json(filename)
- for reco in checklist['items']:
- # Find a reco in the existing checklist that matches the text
- existing_reco = [x for x in existing_checklist['items'] if x['text'] == reco['text']]
- if len(existing_reco) > 0:
- # Verify that the existing reco has a GUID
- if 'guid' in existing_reco[0]:
- reco['guid'] = existing_reco[0]['guid']
+ if args_overwrite:
+ if (args_verbose): print("DEBUG: File {0} not found, generating new GUIDs...".format(filename))
+ for reco in checklist['items']:
+ reco['guid'] = str(uuid.uuid4())
+ if 'checklist_match' in reco:
+ reco['checklist_match_guid'] = str(uuid.uuid4())
+ return checklist
+ else:
+ if (args_verbose): print("DEBUG: Retrieving checklist GUIDs from file {0}...".format(filename))
+ existing_checklist = load_json(filename)
+ for reco in checklist['items']:
+ # Find a reco in the existing checklist that matches the text
+ existing_reco = [x for x in existing_checklist['items'] if x['text'] == reco['text']]
+ if len(existing_reco) > 0:
+ # Verify that the existing reco has a GUID
+ if 'guid' in existing_reco[0]:
+ reco['guid'] = existing_reco[0]['guid']
+ else:
+ if (args_verbose): print("DEBUG: reco {0} not found in file {1}, generating new GUID...".format(reco['text'], filename))
+ reco['guid'] = str(uuid.uuid4())
+ # If no reco was found, generate a new GUID
else:
- if (args_verbose): print("DEBUG: reco {0} not found in file {1}, generating new GUID...".format(reco['text'], filename))
reco['guid'] = str(uuid.uuid4())
- # If no reco was found, generate a new GUID
- else:
- reco['guid'] = str(uuid.uuid4())
- return checklist
+ return checklist
# If file doesn't exist, generate GUIDs for each reco
else:
if (args_verbose): print("DEBUG: File {0} not found, generating new GUIDs...".format(filename))
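Review bot: The debug message in the new `args_overwrite` branch says `File {0} not found, generating new GUIDs...`, but that branch only executes when `os.path.isfile(filename)` is true; it should read `if (args_verbose): print("DEBUG: Overwriting GUIDs in file {0}...".format(filename))`. The comment above it says "if matching the recos by GUID" while the code matches on `text`, so "by text" would describe the behaviour. Note also that `checklist_match_guid` is only (re)generated in the overwrite branch and not in the text-matching branch, so a reco with `checklist_match` that receives a matched or fresh `guid` there keeps whatever `checklist_match_guid` it had, possibly none — confirm that is intended. update_guids continues past the end of the hunk.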
diff --git a/.github/actions/get_the_aks_checklist/entrypoint.py b/.github/actions/get_the_aks_checklist/entrypoint.py
index 9af53e424..fd320798c 100644
--- a/.github/actions/get_the_aks_checklist/entrypoint.py
+++ b/.github/actions/get_the_aks_checklist/entrypoint.py
@@ -79,6 +79,8 @@ def get_theaks_recos():
item['waf'] = 'Resiliency'
elif 'operations' in item['category'].lower() or 'management' in item['category'].lower():
item['waf'] = 'Operational Excellence'
+ item['sourceType'] = 'theakscl'
+ item['sourceFile'] = file_url
retrieved_recos += theaks_recos
if verbose: print("DEBUG: {0} recommendations found in file {1}".format(len(theaks_recos), file_path))
else:
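Review bot: The new `item['sourceFile'] = file_url` line uses `file_url`, while the debug message two lines below and the surrounding loop use `file_path`; confirm `file_url` is defined in get_theaks_recos (it is not visible in the hunk), otherwise the assignment raises NameError on the first item. If the intent is to record the repository path as the other two retrievers do, `item['sourceFile'] = file_path` keeps the three actions consistent. get_theaks_recos starts and ends outside the hunk.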
diff --git a/.github/actions/recov2lint/Dockerfile b/.github/actions/recov2lint/Dockerfile
new file mode 100644
index 000000000..7f50a89b5
--- /dev/null
+++ b/.github/actions/recov2lint/Dockerfile
@@ -0,0 +1,6 @@
+FROM python:3.8-slim-buster
+WORKDIR /app
+COPY requirements.txt requirements.txt
+COPY entrypoint.py entrypoint.py
+RUN pip3 install -r requirements.txt
+ENTRYPOINT ["python3", "/app/entrypoint.py"]
\ No newline at end of file
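Review bot: The base image `python:3.8-slim-buster` is past end of life for both Python 3.8 and Debian buster, so it no longer receives security updates, and the new requirements.txt in this commit pulls unpinned `pyyaml` and `jsonschema`, which makes the action's behaviour depend on whatever is published at build time. Pin the base image to a supported tag (ideally by digest) and the two requirements to specific versions, e.g. `FROM python:3.12-slim` and `RUN pip3 install --no-cache-dir -r requirements.txt`, so the image is reproducible and auditable.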
diff --git a/.github/actions/recov2lint/README.md b/.github/actions/recov2lint/README.md
new file mode 100644
index 000000000..4047d343f
--- /dev/null
+++ b/.github/actions/recov2lint/README.md
@@ -0,0 +1,26 @@
+# Retrieve recommendations from Well Architected service guides
+
+This action retrieves the recommendations described in [Well-Architected Service Guides](https://learn.microsoft.com/azure/well-architected/service-guides/?product=popular) and stores it as a new checklist.
+
+## Inputs
+
+## `services`
+
+**Optional** Service(s) whose service guide will be downloaded (leave blank for all service guides). You can specify multiple comma-separated values. Default `""`.
+
+## `output_folder`
+
+**Optional** Folder where the new checklists will be stored. Default `"./checklists-ext"`.
+
+## `verbose`
+
+**Optional** Whether script output is verbose or not. Default `"true"`.
+
+## Example usage
+
+```
+uses: ./.github/actions/get_service_guides
+with:
+ output_file: './checklists'
+ service: 'Azure Kubernetes Service'
+```
diff --git a/.github/actions/recov2lint/action.yml b/.github/actions/recov2lint/action.yml
new file mode 100644
index 000000000..e7108a043
--- /dev/null
+++ b/.github/actions/recov2lint/action.yml
@@ -0,0 +1,18 @@
+# action.yml
+name: 'Validate PRs for v2 recommendations and checklists.'
+description: 'Verify that no duplicate names exist and that all YAML files conform to the schemas.'
+inputs:
+ folder:
+ description: 'Folder where the recommendations are stored'
+ required: false
+ default: './v2 (string)'
+ verbose:
+ description: 'Verbose output, true/false (string)'
+ required: false
+ default: 'true'
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
+ args:
+ - '${{ inputs.folder }}'
+ - '${{ inputs.verbose }}'
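Review bot: The `folder` input's default is `'./v2 (string)'`, so a workflow that omits the input hands the entrypoint a path with a literal ` (string)` suffix and it exits with "Root folder ... does not exist"; the suffix belongs in the description. Change the two lines to `description: 'Folder where the recommendations are stored (string)'` and `default: './v2'`.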
diff --git a/.github/actions/recov2lint/entrypoint.py b/.github/actions/recov2lint/entrypoint.py
new file mode 100644
index 000000000..f55421dc4
--- /dev/null
+++ b/.github/actions/recov2lint/entrypoint.py
@@ -0,0 +1,139 @@
+# This scripts runs checks on the v2 recommendations and checklists
+import jsonschema
+import sys
+import yaml
+import json
+import os
+from pathlib import Path
+from collections import Counter
+
+
+# The script has been modified to be run from a github action with positional parameters
+# 1. Root Folder where the v2 recommendations, checklists and schemas are stored
+# 2. Verbose
+try:
+ root_folder = sys.argv[1]
+except:
+ root_folder = './v2'
+try:
+ verbose = (sys.argv[2].lower() == 'true')
+except:
+ verbose = True
+
+# Print the parameters
+if verbose: print("INFO: Running recov2lint with parameters: root_folder='{0}', verbose={1}".format(root_folder, verbose))
+
+# Constants
+checklist_subfolder = os.path.join(root_folder, 'checklists')
+reco_subfolder = os.path.join(root_folder, 'recos')
+schema_subfolder = os.path.join(root_folder, 'schema')
+reco_schema_file = os.path.join(schema_subfolder, 'recommendation.schema.json')
+checklist_schema_file = os.path.join(schema_subfolder, 'checklist.schema.json')
+
+# Verify that the root folder and the subfolders exist
+if not os.path.exists(root_folder):
+ print(f"ERROR: Root folder '{root_folder}' does not exist.")
+ sys.exit(1)
+if not os.path.exists(checklist_subfolder):
+ print(f"ERROR: Checklist subfolder '{checklist_subfolder}' does not exist.")
+ sys.exit(1)
+if not os.path.exists(reco_subfolder):
+ print(f"ERROR: Reco subfolder '{reco_subfolder}' does not exist.")
+ sys.exit(1)
+if not os.path.exists(schema_subfolder):
+ print(f"ERROR: Schema subfolder '{schema_subfolder}' does not exist.")
+ sys.exit(1)
+if not os.path.exists(reco_schema_file):
+ print(f"ERROR: Reco schema file '{reco_schema_file}' does not exist.")
+ sys.exit(1)
+if not os.path.exists(checklist_schema_file):
+ print(f"ERROR: Checklist schema file '{checklist_schema_file}' does not exist.")
+ sys.exit(1)
+
+# Gets all YAML files in a folder and parses them into a list of objects, adding the filepath for reference
+def get_yml_objects(folder, verbose=False):
+ files = list(Path(folder).rglob( '*.*' ))
+ if verbose: print("DEBUG: Found {0} files in folder {1}".format(len(files), folder))
+ objects = []
+ for file in files:
+ if (file.suffix == '.yaml') or (file.suffix == '.yml'):
+ try:
+ with open(file.resolve()) as f:
+ object = yaml.safe_load(f)
+ except Exception as e:
+ print("ERROR: Error when loading YAML file {0} - {1}". format(file, str(e)))
+ item = {
+ 'filepath': str(file.resolve()),
+ 'object': object
+ }
+ objects.append(item)
+ if verbose: print("DEBUG: Loaded {0} objects from folder {1}".format(len(objects), folder))
+ return objects
+
+# Given a list of objects, compares them with a JSON schema
+def get_invalid_objects(items, schema_file, verbose=False):
+ # Retrieve checklists schema
+ if verbose: print("DEBUG: Loading schema from", schema_file)
+ with open(schema_file, 'r') as stream:
+ try:
+ schema = json.load(stream)
+ except:
+ print("ERROR: Error loading JSON schema from", schema_file)
+ return None
+ # Start validation
+ if verbose: print("DEBUG: Starting validation with schema {0}...".format(schema_file))
+ object_counter = 0
+ finding_counter = 0
+ for item in items:
+ object = item['object']
+ object_counter +=1
+ if 'name' in object:
+ object_name = object['name']
+ else:
+ object_name = 'unnamed'
+ try:
+ jsonschema.validate(object, schema)
+ if verbose: print("DEBUG: Checklist '{0}' in '{1}' validates correctly against the schema.".format(object_name, item['filepath']))
+ except jsonschema.exceptions.ValidationError as e:
+ print("ERROR: Object '{0}' in '{1}' does not validate against the schema.".format(object_name, item['filepath']))
+ print("DEBUG: -", str(e))
+ finding_counter += 1
+ except jsonschema.exceptions.SchemaError as e:
+ print("ERROR: Schema", schema_file, "does not seem to be valid.")
+ if verbose: print("DEBUG: -", str(e))
+ sys.exit(1)
+ except Exception as e:
+ print("ERROR: Unknown error validating checklist '{0}' against the schema {1}: {2}".format(cl['name'], schema_file,str(e)))
+ return finding_counter
+
+
+# Get all recos
+v2recos = get_yml_objects(reco_subfolder)
+# Look for duplicate names
+name_list = [reco['object']['name'] for reco in v2recos if 'name' in reco['object']]
+name_counts = Counter(name_list)
+duplicate_names = [item for item, count in name_counts.items() if count > 1]
+if len(duplicate_names) > 0:
+ print("ERROR: Duplicate reco names found: {0}".format(duplicate_names))
+ sys.exit(1)
+else:
+ print("INFO: No duplicate reco names found in {0} recommendations.".format(len(v2recos)))
+# Validate recos
+reco_errors = get_invalid_objects(v2recos, reco_schema_file, verbose=verbose)
+if reco_errors > 0:
+ print("ERROR: {0} recos did not validate against the schema.".format(reco_errors))
+ sys.exit(1)
+else:
+ print("INFO: {0} recommendations validated from folder {2}, {1} non-compliances found.".format(len(v2recos), reco_errors, reco_subfolder))
+
+# Get all checklists
+v2checklists = get_yml_objects(checklist_subfolder)
+# Validate checklists
+checklist_errors = get_invalid_objects(v2checklists, checklist_schema_file, verbose=verbose)
+if checklist_errors > 0:
+ print("ERROR: {0} checklists did not validate against the schema.".format(checklist_errors))
+ sys.exit(1)
+else:
+ print("INFO: {0} checklists validated from folder {2}, {1} non-compliances found.".format(len(v2checklists), checklist_errors, checklist_subfolder))
+
+
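Review bot: In get_yml_objects, when `yaml.safe_load` raises, the except branch only prints and execution falls through to build `item` from whatever `object` held for the previous file (or NameError on the first), so a malformed YAML file is silently appended with the wrong content; add `continue` after the print. In get_invalid_objects the final `except Exception` handler formats `cl['name']`, but `cl` is not defined in that function, so an unexpected validation error raises NameError instead of the intended message — use `object_name` there, and consider incrementing `finding_counter` so the lint fails rather than passes on such an error. The bare `except:` on the argument parsing and on the schema load, and the local `object` shadowing the builtin, are minor style points.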
diff --git a/.github/actions/recov2lint/requirements.txt b/.github/actions/recov2lint/requirements.txt
new file mode 100644
index 000000000..da9426234
--- /dev/null
+++ b/.github/actions/recov2lint/requirements.txt
@@ -0,0 +1,2 @@
+pyyaml
+jsonschema
\ No newline at end of file
diff --git a/.github/workflows/autotagv2.yml b/.github/workflows/autotagv2.yml
new file mode 100644
index 000000000..80e9daf2b
--- /dev/null
+++ b/.github/workflows/autotagv2.yml
@@ -0,0 +1,46 @@
+name: Autotag
+
+env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+on:
+ pull_request:
+ branches: [v2]
+ paths:
+ - '**.yml'
+ - '**.yaml'
+
+jobs:
+ autotag:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - id: files
+ uses: masesgroup/retrieve-changed-files@v2
+ - id: alzimpact
+ name: Verify whether the modified files have an impact on the ALZ checklist
+ run: |
+ echo "DEBUG: Running on $SHELL"
+ pip install -r ./scripts/requirements.txt
+ alz_files=$(python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --checklist-file ./v2/checklists/alz.yaml --only-filenames)
+ alz_files_count=$(echo "$alz_files" | wc -l)
+ echo "$alz_files_count reco files found in the ALZ checklist:"
+ echo "$alz_files" | head -2
+ echo "..."
+ echo "$alz_files" | tail -2
+ for input_file in ${{ steps.files.outputs.all }}; do
+ echo "Processing '$input_file'..."
+ if [[ "$alz_files" == *"$input_file"* ]]; then
+ echo "Modification to file '$input_file' detected, which seems to be a reco leveraged by the ALZ checklist"
+ echo "alz_impact=yes" >> $GITHUB_OUTPUT
+ else
+ echo "'$input_file' has no ALZ impact"
+ fi
+ done
+ - name: add ALZ label
+ if: ${{ steps.alzimpact.outputs.alz_impact == 'yes' }}
+ uses: actions-ecosystem/action-add-labels@v1
+ id: addalzlabel
+ with:
+ labels: 'landingzone'
+ github_token: ${{ secrets.WORKFLOW_PAT }}
\ No newline at end of file
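Review bot: `${{ steps.files.outputs.all }}` is expanded directly into the shell script on the `for` line of the alzimpact step, so the changed-file names are interpreted by bash before the loop runs; on a `pull_request` trigger those names come from the PR, which is the pattern GitHub's documentation describes as script injection. Pass the value through an environment variable instead: add `env: CHANGED_FILES: ${{ steps.files.outputs.all }}` to the step and loop with `for input_file in $CHANGED_FILES; do`. The same interpolation appears in translatev2.yml (the automationresult and climpact steps and the pull-request title/body). The third-party actions are pinned to mutable tags (`masesgroup/retrieve-changed-files@v2`, `actions-ecosystem/action-add-labels@v1`); pinning to a full commit SHA keeps the workflow from silently picking up a changed release.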
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 5f30701b5..e9e6bc5df 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -26,7 +26,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check that GUIDs are unique
id: checklistlint
- uses: ./.github/actions/get_the_aks_checklist
+ uses: ./.github/actions/review-checklists-lint
with:
file_extension: 'en.json'
key_name: 'guid'
diff --git a/.github/workflows/linterv2.yml b/.github/workflows/linterv2.yml
new file mode 100644
index 000000000..c364036ec
--- /dev/null
+++ b/.github/workflows/linterv2.yml
@@ -0,0 +1,21 @@
+---
+name: Lint v2 recommendations and checklists
+on:
+ # push:
+ # branches-ignore: [main]
+ pull_request:
+ branches: [v2]
+
+jobs:
+ build:
+ name: Lint v2 recommendations and checklists
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+ - name: Check unique names and schema conformity
+ id: checklistlint
+ uses: ./.github/actions/recov2lint
+ with:
+ folder: './v2'
+ verbose: 'false'
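Review bot: `actions/checkout@v2` on the Checkout Code step is two major versions behind the `actions/checkout@v4` used by the other workflows added in this commit and runs on a deprecated Node runtime; use `uses: actions/checkout@v4` for consistency.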
diff --git a/.github/workflows/translatev2.yml b/.github/workflows/translatev2.yml
new file mode 100644
index 000000000..ffc9b00a7
--- /dev/null
+++ b/.github/workflows/translatev2.yml
@@ -0,0 +1,159 @@
+name: Translation
+
+env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+on:
+ push:
+ branches: [ v2 ]
+ paths:
+ - '**.yaml'
+ - '**.yml'
+ workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ translate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ # Get list of files that have been changed in the push
+ - id: files
+ uses: masesgroup/retrieve-changed-files@v2
+ # Set variables that indicate whether XLSX files have been modified, which would indicate that
+ - name: Set variables
+ id: variables
+ run: |
+ echo "v1_output_folder=v2/checklists" >> $GITHUB_OUTPUT
+ echo "clv2_file_list=('./v2/checklists/alz.yaml' './v2/checklists/waf.yaml' './v2/checklists/app_delivery.yaml')" >> $GITHUB_OUTPUT
+ # this action has been triggered by an automated action
+ - id: automationresult
+ name: Verify whether this action is a result of another action
+ run: |
+ for input_file in ${{ steps.files.outputs.all }}; do
+ if [[ "$input_file" == *"xlsx" ]]; then
+ echo "Modification to XLSX file $input_file detected, this seems to be the output of an automated PR"
+ echo "excel_file_changed=yes" >> $GITHUB_OUTPUT
+ else
+ echo "$input_file is not an XLSX file"
+ fi
+ done
+
+ # Find out the impacted checklists
+ - id: climpact
+ if: ${{ steps.automationresult.outputs.excel_file_changed != 'yes' }}
+ name: Verify whether the modified files have an impact on the defined v2 checklists
+ run: |
+ # Install Python dependencies to run the checklist CLI
+ pip install -r ./scripts/requirements.txt
+ # The list of impacted checklists will be passed as an array
+ impacted_cl_files=()
+ done_something=no
+ clv2_file_list=${{ steps.variables.outputs.clv2_file_list }}
+ echo "Checking impact of changes in files ${{ steps.files.outputs.all }} to the following ${#clv2_file_list[@]} v2 checklists: ${clv2_file_list[@]}..."
+ for cl_file in "${clv2_file_list[@]}"; do
+ echo "Processing v2 checklist '${cl_file}'..."
+ cl_name=$(echo $cl_file | cut -d/ -f4 | cut -d. -f1)
+ cl_reco_files=$(python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --checklist-file ./v2/checklists/alz.yaml --only-filenames)
+ cl_reco_files_count=$(echo "$cl_reco_files" | wc -l)
+ echo "$cl_reco_files_count reco files found referenced in the checklist $cl_file"
+ for input_file in ${{ steps.files.outputs.all }}; do
+ echo "- Processing changed file '$input_file'..."
+ if [[ "$cl_reco_files" == *"$input_file"* ]]; then
+ echo " * Modification to file '$input_file' detected, which seems to be a reco leveraged by the checklist $cl_name in $cl_file"
+ impacted_cl_files+="$cl_file"
+ done_something=yes
+ else
+ echo " * '$input_file' has no impact to the checklist $cl_name in $cl_file"
+ fi
+ done
+ done
+ echo "impacted_cl_files=(${impacted_cl_files[@]})" >> $GITHUB_OUTPUT
+ echo "done_something=$done_something" >> $GITHUB_OUTPUT
+ # Process the impacted checklists and generate v1 versions
+ - name: Generate v1 JSON checklists and translate them
+ id: clv1
+ if: ${{ steps.climpact.outputs.done_something == 'yes' }}
+ env:
+ AZURE_TRANSLATOR_SUBSCRIPTION_KEY: ${{ secrets.AZURE_TRANSLATOR_SUBSCRIPTION_KEY }}
+ AZURE_TRANSLATOR_ENDPOINT: ${{ secrets.AZURE_TRANSLATOR_ENDPOINT }}
+ AZURE_TRANSLATOR_REGION: ${{ secrets.AZURE_TRANSLATOR_REGION }}
+ run: |
+ # First we put the GH variable into a local one. Doing a loop against the GH variable directly doesn't work.
+ cl_v2_files=${{ steps.climpact.outputs.impacted_cl_files }}
+ # We will pass the list of generated v1 checklists as an array
+ cl_v1_files=()
+ echo "Generating v1 checklists for the following v2 files: $cl_v2_files..."
+ # We run now through the list of impacted checklists
+ for cl_file in "${cl_v2_files[@]}"; do
+ cl_name=$(echo $cl_file | cut -d/ -f4 | cut -d. -f1)
+ cl_v1_file="./${{ steps.variables.outputs.v1_output_folder }}/${cl_name}_checklist.en.json"
+ cl_v1_files+="$cl_v1_file"
+ # Generate v1 JSON for the checklist
+ echo "Generating v1 JSON for checklist $cl_name in $cl_file into $cl_v1_file..."
+ python3 ./scripts/cl.py export-checklist --input-folder ./v2/recos --service-dictionary ./scripts/service_dictionary.json --checklist-file $cl_file --output-file $cl_v1_file --verbose
+ # Sort modified file
+ # python3 ./scripts/sort_checklist.py --input-file $input_file
+ # Update the timestamp in the modified file
+ # python3 ./scripts/timestamp_checklist.py --input-file $input_file
+ # Translate the checklist
+ echo "Translating $cl_v1_file (this can take a few minutes)..."
+ python3 ./scripts/translate.py --input-file $cl_v1_file
+ done
+ echo "cl_v1_files=(${cl_v1_files[@]})" >> $GITHUB_OUTPUT
+
+ # Generate macro-free spreadsheets and Azure Monitor workbooks
+ - name: Setup python
+ if: ${{ steps.climpact.outputs.done_something == 'yes' }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.8 #install the python needed
+ - name: Install dependencies
+ if: ${{ steps.climpact.outputs.done_something == 'yes' }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install requests openpyxl
+ # Create Excel spreadsheets
+ - name: Execute excel python script # run file
+ if: ${{ steps.climpact.outputs.done_something == 'yes' }}
+ run: |
+ # First we put the GH variable into a local one. Doing a loop against the GH variable directly doesn't work.
+ cl_v1_files="${{ steps.clv1.outputs.cl_v1_files }}"
+ # For each file we will generate a macro-free Excel file
+ for cl_file in "${cl_v1_files[@]}"; do
+ echo "Generating macro-free Excel file for $cl_file..."
+ python3 ./scripts/update_excel_openpyxl.py --checklist-file="$cl_v1_file" --find-all --excel-file="./spreadsheet/macrofree/review_checklist_empty.xlsx" --output-name-is-input-name --output-path="./spreadsheet/macrofree/" --verbose
+ done
+
+ # Create Azure Monitor workbooks
+ # Note that workbook creation might not work with some of the v1 checklists generated from v2, since categories and subcategories might be missing.
+ # The workbook creation script should instead pick service names instead of categories for the tabs.
+ - name: Execute workbook python script # run file
+ if: ${{ steps.climpact.outputs.done_something == 'yes' }}
+ run: |
+ # First we put the GH variable into a local one. Doing a loop against the GH variable directly doesn't work.
+ cl_v1_files="${{ steps.clv1.outputs.cl_v1_files }}"
+ # For each file we will generate a macro-free Excel file
+ for cl_file in "${cl_v1_files[@]}"; do
+ # Create workbooks for the modified file, both with and without reco counters
+ echo "Generating workbooks for the v1 checklist file: $cl_file..."
+ python3 ./scripts/workbook_create.py --checklist-file="$cl_file" --output-path="./workbooks/" --blocks-path="./workbooks/blocks/"
+ python3 ./scripts/workbook_create.py --checklist-file="$cl_file" --output-path="./workbooks/" --blocks-path="./workbooks/blocks/" --counters
+ # Extra static commands to generate a network-specific ALZ workbook
+ # python3 ./scripts/workbook_create.py --checklist-file ./checklists/alz_checklist.en.json --output-path ./workbooks --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size medium
+ # python3 ./scripts/workbook_create.py --checklist-file ./checklists/alz_checklist.en.json --output-file ./workbooks/alz_checklist.en_network_counters.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny --counters
+ # python3 ./scripts/workbook_create.py --checklist-file ./checklists/alz_checklist.en.json --output-file ./workbooks/alz_checklist.en_network_tabcounters.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny --tab-counters
+ # App delivery
+ # python3 ./scripts/workbook_create.py --checklist-file ./checklists/network_appdelivery_checklist.en.json --output-file ./workbooks/appdelivery_checklist.en_network_workbook.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny
+ # python3 ./scripts/workbook_create.py --checklist-file ./checklists/network_appdelivery_checklist.en.json --output-file ./workbooks/appdelivery_checklist.en_network_counters_workbook.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny --counters
+ done
+ # Create the PR if any change was made
+ - name: Create pull request
+ uses: peter-evans/create-pull-request@v6
+ if: ${{ steps.climpact.outputs.done_something == 'yes' }}
+ with:
+ title: 'Automated actions after change to ${{ steps.files.outputs.all }}'
+ body: 'Processed changed files ${{ steps.files.outputs.all }}'
+ labels: 'automated'
+ token: ${{ secrets.WORKFLOW_PAT }}
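Review bot: The `list-recos` call in the climpact step hard-codes `--checklist-file ./v2/checklists/alz.yaml` inside the loop over `clv2_file_list`, so every checklist is compared against the ALZ reco list and the impact on waf.yaml and app_delivery.yaml is never computed; it should be `--checklist-file "$cl_file"`. In the same step `impacted_cl_files+="$cl_file"` concatenates strings rather than appending an array element; use `impacted_cl_files+=("$cl_file")`, and likewise for `cl_v1_files` in the clv1 step. The Excel step references `$cl_v1_file`, which is not defined there; its loop variable is `$cl_file`, so the argument should read `--checklist-file="$cl_file"`.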
diff --git a/checklists-ext/appservicewebapps_sg_checklist.en.json b/checklists-ext/appservicewebapps_sg_checklist.en.json
index fd6463e21..f76a5606a 100644
--- a/checklists-ext/appservicewebapps_sg_checklist.en.json
+++ b/checklists-ext/appservicewebapps_sg_checklist.en.json
@@ -6,194 +6,217 @@
"service": "App Service Web Apps",
"text": "(App Service plan) Choose the Premium tier of an App Service plan for production workloads. Set the maximum and minimum number of workers according to your capacity planning. For more information, see App Service plan overview.",
"description": "A premium App Service plan offers advanced scaling features and ensures redundancy if failures occur.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a8bc7080-3d8a-43b1-aefc-1dcfdf45fff3"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service plan) Enable zone redundancy. Consider provisioning more than three instances to enhance fault tolerance. Check regional support for zone redundancy because not all regions offer this feature.",
"description": "Your application can withstand failures in a single zone when multiple instances are spread across zones. Traffic automatically shifts to healthy instances in other zones and maintains application reliability if one zone is unavailable.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6421eda8-605d-4058-baf3-5d39c62695f2"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service) Consider disabling the application request routing (ARR) affinity feature. ARR affinity creates sticky sessions that redirect users to the node that handled their previous requests.",
"description": "Incoming requests are evenly distributed across all available nodes when you disable ARR affinity. Evenly distributed requests prevent traffic from overwhelming any single node. Requests can be seamlessly redirected to other healthy nodes if a node is unavailable. Avoid session affinity to ensure that your App Service instance remains stateless. A stateless App Service reduces complexity and ensures consistent behavior across nodes. Remove sticky sessions so that App Service can add or remove instances to scale horizontally.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0b2003b3-120d-47e2-b088-6326688f6020"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service) Define automatic healing rules based on request count, slow requests, memory limits, and other indicators that are part of your performance baseline. Consider this configuration as part of your scaling strategy.",
"description": "Automatic healing rules help your application recover automatically from unexpected problems. The configured rules trigger healing actions when thresholds are breached. Automatic healing enables automatic proactive maintenance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c3976ed2-a374-4e1e-aaa9-6b5152dc79e6"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service) Enable the health check feature and provide a path that responds to the health check requests.",
"description": "Health checks can detect problems early. Then the system can automatically take corrective actions when a health check request fails. The load balancer routes traffic away from unhealthy instances, which directs users to healthy nodes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7ad7026a-e2e6-4e45-a0b4-9c707fe0e388"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Assign managed identities to the web app. To maintain isolation boundaries, don't share or reuse identities across applications. Make sure that you securely connect to your container registry if you use containers for your deployment.",
"description": "The application retrieves secrets from Key Vault to authenticate outward communication from the application. Azure manages the identity and doesn't require you to provision or rotate any secrets. You have distinct identities for granularity of control. Distinct identities make revocation easy if an identity is compromised.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a7caacdd-d39b-4e31-8dcf-c40f4c2bf86d"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Configure custom domains for applications. Disable HTTP and only accept HTTPS requests.",
"description": "Custom domains enable secure communication through HTTPS using Transport Layer Security (TLS) protocol, which ensures the protection of sensitive data and builds user trust.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "669b3cbe-e126-445b-8707-ac7ed7a242f8"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) valuate whether App Service built-in authentication is the right mechanism to authenticate users that access your application. App Service built-in authentication integrates with Microsoft Entra ID. This feature handles token validation and user identity management across multiple sign-in providers and supports OpenID Connect. With this feature, you don't have authorization at a granular level, and you don't have a mechanism to test authentication.",
"description": "When you use this feature, you don't have to use authentication libraries in application code, which reduces complexity. The user is already authenticated when a request reaches the application.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "707d4208-95aa-44b5-946a-95951187fbbe"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Configure the application for virtual network integration. Use private endpoints for App Service apps. Block all public traffic. Route the container image pull through the virtual network integration. All outgoing traffic from the application passes through the virtual network.",
"description": "Get the security benefits of using an Azure virtual network. For example, the application can securely access resources within the network. Add a private endpoint to help protect your application. Private endpoints limit direct exposure to the public network and allow controlled access through the reverse proxy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "41d2b47e-9224-4f24-a14f-d7c389adc40a"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) To implement hardening: - Disable basic authentication that uses a username and password in favor of Microsoft Entra ID-based authentication. - Turn off remote debugging so that inbound ports aren't opened. - Enable CORS policies to tighten incoming requests. - Disable protocols, such as FTP.",
"description": "We don't recommend basic authentication as a secure deployment method. Microsoft Entra ID employs OAuth 2.0 token-based authentication, which offers numerous advantages and enhancements that address the limitations that are associated with basic authentication. Policies restrict access to application resources, only allow requests from specific domains, and secure cross-region requests.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "87580a6c-f8fb-4cf4-9086-3cb2e6bf09ab"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Always use Key Vault references as app settings.",
"description": "Secrets are kept separate from your app's configuration. App settings are encrypted at rest. App Service also manages secret rotations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "14f83da8-4052-4d06-bd6c-ca6ea753c62e"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service plan) Enable Microsoft Defender for Cloud for App Service.",
"description": "Get real-time protection for resources that run in an App Service plan. Guard against threats and enhance your overall security posture.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d55d6834-894e-4fa9-a5da-93d42d703e02"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service plan) Enable diagnostic logging and add instrumentation to your app. The logs are sent to Azure Storage accounts, Azure Event Hubs, and Log Analytics. For more information about audit log types, see Supported log types.",
"description": "Logging captures access patterns. It records relevant events that provide valuable insights into how users interact with an application or platform. This information is crucial for accountability, compliance, and security purposes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "47eb1ae3-41cf-4925-8ad5-7c9d865e4392"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service plan) Choose Free or Basic tiers for lower environments. We recommend these tiers for experimental use. Remove the tiers when you no longer need them.",
"description": "The Free and Basic tiers are budget-friendly compared to higher tiers. They provide a cost-effective solution for nonproduction environments that don't need the full features and performance of premium plans.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "353d556b-015a-4ae6-9352-4551b7c7e267"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service plan) Take advantage of discounts and explore preferred pricing for: - Lower environments with dev/test plans. - Azure reservations and Azure savings plans for dedicated compute that you provision in the Premium V3 tier and App Service Environment. Use reserved instances for stable workloads that have predictable usage patterns.",
"description": "Dev/test plans provide reduced rates for Azure services, which makes them cost-effective for nonproduction environments. Use reserved instances to prepay for compute resources and get significant discounts.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5ad6a3b4-65eb-407e-8547-ce4ecdf9fe89"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service) Monitor costs that App Service resources incur. Run the cost analysis tool in the Azure portal. Create budgets and alerts to notify stakeholders.",
"description": "You can identify cost spikes, inefficiencies, or unexpected expenses early on. This proactive approach helps you to provide budgetary controls to prevent overspending.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4cf20e78-3047-4eca-a608-421414e82e4b"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service plan) Scale in when demand decreases. To scale in, define scale rules to reduce the number of instances in Azure Monitor.",
"description": "Prevent wastage and reduce unnecessary expenses.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "68b1b702-d272-4c97-8b70-727ba42a9b27"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service) Monitor the health of your instances and activate instance health probes. Set up a specific path for handling health probe requests.",
"description": "You can detect problems promptly and take necessary actions to maintain availability and performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5fe0c2c9-3403-47be-9e45-265107d05c71"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service) Enable diagnostics logs for the application and the instance. Frequent logging can slow down the performance of the system, add to storage costs, and introduce risk if you have unsecure access to logs. Follow these best practices: - Log the right level of information. - Set retention policies. - Keep an audit trail of authorized access and unauthorized attempts. - Treat logs as data and apply data-protection controls.",
"description": "Diagnostic logs provide valuable insights into your app's behavior. Monitor traffic patterns and identify anomalies.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e6afc11c-557b-4621-8716-606b90f670c7"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service) Take advantage of App Service managed certificates to offload certification management to Azure.",
"description": "App Service automatically handles processes like certificate procurement, certificate verification, certificate renewal, and importing certificates from Key Vault. Alternatively, upload your certificate to Key Vault and authorize the App Service resource provider to access it.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "15a2cb5e-2a24-49f7-8d54-042d22543f54"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service plan) Validate app changes in the staging slot before you swap it with the production slot.",
"description": "Avoid downtime and errors. Quickly revert to the last-known good state if you detect a problem after a swap.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ce8266e4-c481-4133-a5ce-2ee070954eeb"
},
{
"waf": "Performance",
"service": "App Service Web Apps",
"text": "Enable the Always On setting when applications share a single App Service plan. App Service apps automatically unload when idle to save resources. The next request triggers a cold start, which can cause request timeouts.",
"description": "The application is never unloaded with Always On enabled.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7a02f601-b092-4772-a044-a48a3caa335c"
},
{
"waf": "Performance",
"service": "App Service Web Apps",
"text": "Consider using HTTP/2 for applications to improve protocol efficiency.",
"description": "Choose HTTP/2 over HTTP/1.1 because HTTP/2 fully multiplexes connections, reuses connections to reduce overhead, and compresses headers to minimize data transfer.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0a0eaf20-6b30-45ac-b302-0b7cb940fc90"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
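Review bot: The `waf` array at the end of this hunk still carries case-variant duplicates of every pillar (`cost`/`Cost`, `reliability`/`Reliability`, `operations`/`Operations`, `security`/`Security`, `performance`/`Performance`), and the commit only shuffles their order, which suggests the list is emitted from an unordered set rather than a normalized, sorted one. Every regeneration will then produce spurious diffs in a file that feeds an automated pull request, and any consumer grouping on `name` sees two entries per pillar. Since this is a generated artifact, the fix belongs in the script that writes it: collapse pillar names to one casing and emit them sorted, along the lines of `sorted({p.lower() for p in pillars})` (constructed illustration; the generator's variable names are outside this diff). The same case-duplicate pattern would be worth checking in the sibling checklist files this commit regenerates.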
@@ -230,6 +253,6 @@
"name": "App Service Web Apps Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/aprl_checklist.en.json b/checklists-ext/aprl_checklist.en.json
index 565810fc5..ca6358ede 100644
--- a/checklists-ext/aprl_checklist.en.json
+++ b/checklists-ext/aprl_checklist.en.json
@@ -27,7 +27,9 @@
"severity": "High",
"category": "High Availability",
"guid": "bb6deb9d-24fa-4ee8-bc23-ac3ebc7fdf8e",
- "source": "azure-resources/AAD/domainServices/recommendations.yaml",
+ "sourceFile": "azure-resources/AAD/domainServices/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Gets Entry Domain Services that are using the Standard SKU\nresources\n| where type == \"microsoft.aad/domainservices\"\n| extend sku = properties.sku\n| where sku =~ 'Standard'\n| project recommendationId='bb6deb9d-24fa-4ee8-bc23-ac3ebc7fdf8e', name=name, id=id, tags=tags, param1=strcat('SKU:', sku)\n"
},
{
@@ -56,7 +58,9 @@
"severity": "High",
"category": "High Availability",
"guid": "a3058909-fcf8-4450-88b5-499f57449178",
- "source": "azure-resources/AAD/domainServices/recommendations.yaml",
+ "sourceFile": "azure-resources/AAD/domainServices/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Gets Entry Domain Services that are using only one replicaSet\nresources\n| where type == \"microsoft.aad/domainservices\"\n| extend replicaSets = properties.replicaSets\n| where array_length(replicaSets) < 2\n| project recommendationId='a3058909-fcf8-4450-88b5-499f57449178', name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)\n"
},
{
@@ -85,7 +89,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "74fcb9f2-9a25-49a6-8c42-d32851c4afb7",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure VMware Solution resources that don't have one or more service health alerts covering AVS private clouds in the deployed subscription and region pairs.\n//full list of private clouds\n(resources\n| where ['type'] == \"microsoft.avs/privateclouds\"\n| extend locale = tolower(location)\n| extend subscriptionId = tolower(subscriptionId)\n| project id, name, tags, subscriptionId, locale)\n| join kind=leftouter\n//Alert ID's that include all incident types filtered by AVS Service Health alerts\n((resources\n| where type == \"microsoft.insights/activitylogalerts\"\n| extend alertproperties = todynamic(properties)\n| where alertproperties.condition.allOf[0].field == \"category\" and alertproperties.condition.allOf[0].equals == \"ServiceHealth\"\n| where alertproperties.condition.allOf[1].field == \"properties.impactedServices[*].ServiceName\" and set_has_element(alertproperties.condition.allOf[1].containsAny, \"Azure VMware Solution\")\n| extend locale = strcat_array(split(tolower(alertproperties.condition.allOf[2].containsAny),' '), '')\n| mv-expand todynamic(locale)\n| where locale != \"global\"\n| project subscriptionId, tostring(locale) )\n| union\n//Alert ID's that include only some of the incident types after filtering by service health alerts covering AVS private clouds.\n(resources\n| where type == \"microsoft.insights/activitylogalerts\"\n| extend subscriptionId = tolower(subscriptionId)\n| extend alertproperties = todynamic(properties)\n| where alertproperties.condition.allOf[0].field == \"category\" and alertproperties.condition.allOf[0].equals == \"ServiceHealth\"\n| where alertproperties.condition.allOf[2].field == \"properties.impactedServices[*].ServiceName\" and set_has_element(alertproperties.condition.allOf[2].containsAny, \"Azure VMware Solution\")\n| extend locale = strcat_array(split(tolower(alertproperties.condition.allOf[3].containsAny),' '), '')\n| mv-expand todynamic(locale)\n| 
mv-expand alertproperties.condition.allOf[1].anyOf\n| extend incidentType = alertproperties_condition_allOf_1_anyOf.equals\n| where locale != \"global\"\n| project id, subscriptionId, locale, incidentType\n| distinct subscriptionId, tostring(locale), tostring(incidentType)\n| summarize incidentTypes=count() by subscriptionId, locale\n| where incidentTypes == 5 //only include this subscription, region pair if it includes all the incident types.\n| project subscriptionId, locale)) on subscriptionId, locale\n| where subscriptionId1 == \"\" or locale1 == \"\" or isnull(subscriptionId1) or isnull(locale1)\n| project recommendationId = \"74fcb9f2-9a25-49a6-8c42-d32851c4afb7\", name, id, tags, param1 = \"avsServiceHealthAlertsAllIncidentTypesConfigured: False\"\n\n"
},
{
@@ -114,7 +120,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "29d7a115-dfb6-4df1-9205-04824109548f",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -143,7 +151,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "f86355e3-de7c-4dad-8080-1b0b411e66c8",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -176,7 +186,9 @@
"severity": "Low",
"category": "High Availability",
"guid": "9ec5b4c8-3dd8-473a-86ee-3273290331b9",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure VMware Solution resources that aren't configured as stretched clusters and in supported regions.\nresources\n| where ['type'] == \"microsoft.avs/privateclouds\"\n| extend avsproperties = todynamic(properties)\n| where avsproperties.availability.strategy != \"DualZone\"\n| where location in (\"uksouth\", \"westeurope\", \"germanywestcentral\", \"australiaeast\")\n| project recommendationId = \"9ec5b4c8-3dd8-473a-86ee-3273290331b9\", name, id, tags, param1 = \"stretchClusters: Disabled\"\n\n"
},
{
@@ -205,7 +217,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "4232eb32-3241-4049-9e14-9b8005817b56",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure VMware Solution resources that don't have a vSAN capacity critical alert with a threshold of 75% or a warning capacity of 70%.\n(\nresources\n| where ['type'] == \"microsoft.avs/privateclouds\"\n| extend scopeId = tolower(tostring(id))\n| project ['scopeId'], name, id, tags\n| join kind=leftouter (\nresources\n| where type == \"microsoft.insights/metricalerts\"\n| extend alertProperties = todynamic(properties)\n| mv-expand alertProperties.scopes\n| mv-expand alertProperties.criteria.allOf\n| extend scopeId = tolower(tostring(alertProperties_scopes))\n| extend metric = alertProperties_criteria_allOf.metricName\n| extend threshold = alertProperties_criteria_allOf.threshold\n| project scopeId, tostring(metric), toint(['threshold'])\n| where metric == \"DiskUsedPercentage\"\n| where threshold == 75\n) on scopeId\n| where isnull(['threshold'])\n| project recommendationId = \"4232eb32-3241-4049-9e14-9b8005817b56\", name, id, tags, param1 = \"vsanCapacityCriticalAlert: isNull or threshold != 75\"\n)\n| union (\nresources\n| where ['type'] == \"microsoft.avs/privateclouds\"\n| extend scopeId = tolower(tostring(id))\n| project ['scopeId'], name, id, tags\n| join kind=leftouter (\nresources\n| where type == \"microsoft.insights/metricalerts\"\n| extend alertProperties = todynamic(properties)\n| mv-expand alertProperties.scopes\n| mv-expand alertProperties.criteria.allOf\n| extend scopeId = tolower(tostring(alertProperties_scopes))\n| extend metric = alertProperties_criteria_allOf.metricName\n| extend threshold = alertProperties_criteria_allOf.threshold\n| project scopeId, tostring(metric), toint(['threshold'])\n| where metric == \"DiskUsedPercentage\"\n| where threshold == 70\n) on scopeId\n| where isnull(['threshold'])\n| project recommendationId = \"4232eb32-3241-4049-9e14-9b8005817b56\", name, id, tags, param1 = \"vsanCapacityWarningAlert: isNull or threshold != 70\"\n)\n\n"
},
{
@@ -234,7 +248,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "fa4ab927-bced-429a-971a-53350de7f14b",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -263,7 +279,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "4ee5d535-c47b-470a-9557-4a3dd297d62f",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure VMware Solution resources that don't have a Cluster CPU capacity critical alert with a threshold of 95%.\nresources\n| where ['type'] == \"microsoft.avs/privateclouds\"\n| extend scopeId = tolower(tostring(id))\n| project ['scopeId'], name, id, tags\n| join kind=leftouter (\nresources\n| where type == \"microsoft.insights/metricalerts\"\n| extend alertProperties = todynamic(properties)\n| mv-expand alertProperties.scopes\n| mv-expand alertProperties.criteria.allOf\n| extend scopeId = tolower(tostring(alertProperties_scopes))\n| extend metric = alertProperties_criteria_allOf.metricName\n| extend threshold = alertProperties_criteria_allOf.threshold\n| project scopeId, tostring(metric), toint(['threshold'])\n| where metric == \"EffectiveCpuAverage\"\n| where threshold == 95\n) on scopeId\n| where isnull(['threshold'])\n| project recommendationId = \"4ee5d535-c47b-470a-9557-4a3dd297d62f\", name, id, tags, param1 = \"hostCpuCriticalAlert: isNull or threshold != 95\"\n\n"
},
{
@@ -292,7 +310,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "029208c8-5186-4a76-8ee8-6e3445fef4dd",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure VMware Solution resources that don't have a cluster host memory critical alert with a threshold of 95%.\nresources\n| where ['type'] == \"microsoft.avs/privateclouds\"\n| extend scopeId = tolower(tostring(id))\n| project ['scopeId'], name, id, tags\n| join kind=leftouter (\nresources\n| where type == \"microsoft.insights/metricalerts\"\n| extend alertProperties = todynamic(properties)\n| mv-expand alertProperties.scopes\n| mv-expand alertProperties.criteria.allOf\n| extend scopeId = tolower(tostring(alertProperties_scopes))\n| extend metric = alertProperties_criteria_allOf.metricName\n| extend threshold = alertProperties_criteria_allOf.threshold\n| project scopeId, tostring(metric), toint(['threshold'])\n| where metric == \"UsageAverage\"\n| where threshold == 95\n) on scopeId\n| where isnull(['threshold'])\n| project recommendationId = \"029208c8-5186-4a76-8ee8-6e3445fef4dd\", name, id, tags, param1 = \"hostMemoryCriticalAlert: isNull or threshold != 95\"\n\n"
},
{
@@ -321,7 +341,9 @@
"severity": "High",
"category": "Governance",
"guid": "a5ef7c05-c611-4842-9af5-11efdc99123a",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -350,7 +372,9 @@
"severity": "High",
"category": "Security",
"guid": "e0ac2f57-c8c0-4b8c-a7c8-19e5797828b5",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -379,7 +403,9 @@
"severity": "High",
"category": "High Availability",
"guid": "fcc2e257-23af-4c68-aac8-9cc03033c939",
- "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceFile": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -412,7 +438,9 @@
"severity": "High",
"category": "High Availability",
"guid": "baf3bfc0-32a2-4c0c-926d-c9bf0b49808e",
- "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceFile": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all API Management instances that aren't Premium\nresources\n| where type =~ 'Microsoft.ApiManagement/service'\n| extend skuName = sku.name\n| where tolower(skuName) != tolower('premium')\n| project recommendationId = \"baf3bfc0-32a2-4c0c-926d-c9bf0b49808e\", name, id, tags, param1=strcat(\"SKU: \", skuName)\n\n"
},
{
@@ -445,7 +473,9 @@
"severity": "High",
"category": "High Availability",
"guid": "740f2c1c-8857-4648-80eb-47d2c56d5a50",
- "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceFile": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Premium API Management instances that aren't zone redundant\nresources\n| where type =~ 'Microsoft.ApiManagement/service'\n| extend skuName = sku.name\n| where tolower(skuName) == tolower('premium')\n| where isnull(zones) or array_length(zones) < 2\n| extend zoneValue = iff((isnull(zones)), \"null\", zones)\n| project recommendationId = \"740f2c1c-8857-4648-80eb-47d2c56d5a50\", name, id, tags, param1=\"Zones: No Zone or Zonal\", param2=strcat(\"Zones value: \", zoneValue )\n\n"
},
{
@@ -478,7 +508,9 @@
"severity": "High",
"category": "High Availability",
"guid": "e35cf148-8eee-49d1-a1c9-956160f99e0b",
- "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceFile": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all API Management instances that aren't upgraded to platform version stv2\nresources\n| where type =~ 'Microsoft.ApiManagement/service'\n| extend plat_version = properties.platformVersion\n| extend skuName = sku.name\n| where tolower(plat_version) != tolower('stv2')\n| project recommendationId = \"e35cf148-8eee-49d1-a1c9-956160f99e0b\", name, id, tags, param1=strcat(\"Platform Version: \", plat_version) , param2=strcat(\"SKU: \", skuName)\n\n"
},
{
@@ -507,7 +539,9 @@
"severity": "Low",
"category": "High Availability",
"guid": "c79680ea-de85-44fa-a596-f31fa17a952f",
- "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceFile": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -536,7 +570,9 @@
"severity": "High",
"category": "High Availability",
"guid": "8dbcd94b-0948-4df3-b608-1946726c3abf",
- "source": "azure-resources/App/containerApps/recommendations.yaml",
+ "sourceFile": "azure-resources/App/containerApps/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -565,7 +601,9 @@
"severity": "High",
"category": "High Availability",
"guid": "f4201965-a88d-449d-b3b4-021394719eb2",
- "source": "azure-resources/App/managedEnvironments/recommendations.yaml",
+ "sourceFile": "azure-resources/App/managedEnvironments/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// The query filters the qualified Container app environments that do not have Zone Redundancy enabled.\nresources\n| where type =~ \"microsoft.app/managedenvironments\"\n| where tobool(properties.zoneRedundant) == false\n| project recommendationId = \"f4201965-a88d-449d-b3b4-021394719eb2\", name, id, tags, param1 = \"AvailabilityZones: Single Zone\"\n| order by id asc\n"
},
{
@@ -594,7 +632,9 @@
"severity": "Low",
"category": "Governance",
"guid": "bb4c8db4-f821-475b-b1ea-16e95358665e",
- "source": "azure-resources/AppConfiguration/configurationStores/recommendations.yaml",
+ "sourceFile": "azure-resources/AppConfiguration/configurationStores/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Purge protection should be enabled for App Configuration stores to prevent accidental deletion of configuration data.\nresources\n| where type =~ \"Microsoft.AppConfiguration/configurationStores\"\n| where sku.name <> \"free\"\n| where (properties.enablePurgeProtection <> true) or isnull(properties.enablePurgeProtection )\n| project recommendationId = \"bb4c8db4-f821-475b-b1ea-16e95358665e\", name, id, tags, param1 = \"Enable purge protection\"\n"
},
{
@@ -623,7 +663,9 @@
"severity": "High",
"category": "High Availability",
"guid": "2102a57a-a056-4d5e-afe5-9df9f92177ca",
- "source": "azure-resources/AppConfiguration/configurationStores/recommendations.yaml",
+ "sourceFile": "azure-resources/AppConfiguration/configurationStores/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Upgrade to App Configuration Standard tier\nresources\n| where type =~ \"Microsoft.AppConfiguration/configurationStores\"\n| where sku.name == \"free\"\n| project recommendationId = \"2102a57a-a056-4d5e-afe5-9df9f92177ca\", name, id, tags, param1 = \"Upgrade to Standard SKU\"\n"
},
{
@@ -656,7 +698,9 @@
"severity": "High",
"category": "High Availability",
"guid": "67205887-0733-466e-b50e-b1cd7316c514",
- "source": "azure-resources/Automation/automationAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Automation/automationAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -685,7 +729,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "3464854d-6f75-4922-95e4-a2a308b53ce6",
- "source": "azure-resources/Batch/batchAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Batch/batchAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -714,7 +760,9 @@
"severity": "High",
"category": "High Availability",
"guid": "71cfab8f-d588-4742-b175-b6e07ae48dbd",
- "source": "azure-resources/Batch/batchAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Batch/batchAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -743,7 +791,9 @@
"severity": "High",
"category": "High Availability",
"guid": "5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8",
- "source": "azure-resources/Cache/Redis/recommendations.yaml",
+ "sourceFile": "azure-resources/Cache/Redis/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Cache for Redis instances with one or no Zones selected\nresources\n| where type =~ \"microsoft.cache/redis\"\n| where array_length(zones) <= 1 or isnull(zones)\n| project recommendationId = \"5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8\", name, id, tags, param1 = \"AvailabilityZones: Single Zone\"\n| order by id asc\n\n"
},
{
@@ -772,7 +822,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "cabc1f98-c8a7-44f7-ab24-977982ef3f70",
- "source": "azure-resources/Cache/Redis/recommendations.yaml",
+ "sourceFile": "azure-resources/Cache/Redis/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -801,7 +853,9 @@
"severity": "Medium",
"category": "Security",
"guid": "c474fc96-4e6a-4fb0-95d0-a26b3f35933c",
- "source": "azure-resources/Cache/Redis/recommendations.yaml",
+ "sourceFile": "azure-resources/Cache/Redis/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Azure Redis cache services not protected by private endpoints.\nResources\n| where type =~ \"microsoft.cache/redis\"\n| where properties['publicNetworkAccess'] == \"Enabled\"\n| project recommendationId = \"c474fc96-4e6a-4fb0-95d0-a26b3f35933c\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -842,7 +896,9 @@
"severity": "High",
"category": "Business Continuity",
"guid": "9437634c-d69e-2747-b13e-631c13182150",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Avoid combining Traffic Manager and Front Door\nresources\n| where type == \"microsoft.network/trafficmanagerprofiles\"\n| mvexpand(properties.endpoints)\n| extend endpoint=tostring(properties_endpoints.properties.target)\n| project name, trafficmanager=id, matchname=endpoint, tags\n| join (\n resources\n | where type =~ \"microsoft.cdn/profiles/afdendpoints\"\n | extend matchname= tostring(properties.hostName)\n | extend splitid=split(id, \"/\")\n | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), \"/\"))\n | project name, id, matchname, frontdoorid, type\n | union\n (cdnresources\n | where type =~ \"Microsoft.Cdn/Profiles/CustomDomains\"\n | extend matchname= tostring(properties.hostName)\n | extend splitid=split(id, \"/\")\n | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), \"/\"))\n | project name, id, matchname, frontdoorid, type)\n )\n on matchname\n| project\n recommendationId = \"9437634c-d69e-2747-b13e-631c13182150\",\n name=split(trafficmanager, \"/\")[-1],\n id=trafficmanager,\n tags,\n param1=strcat(\"hostname:\", matchname),\n param2=strcat(\"frontdoorid:\", frontdoorid)\n\n"
},
{
@@ -871,7 +927,9 @@
"severity": "High",
"category": "Security",
"guid": "6c40b7ae-2bea-5748-be1a-9e9e3b834649",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -908,7 +966,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "52bc9a7b-23c8-bc4c-9d2a-7bc43b50104a",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -945,7 +1005,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "1ad74c3c-e3d7-0046-b83f-a2199974ef15",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -974,7 +1036,9 @@
"severity": "High",
"category": "Security",
"guid": "d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Use end-to-end TLS\ncdnresources\n| where type == \"microsoft.cdn/profiles/afdendpoints/routes\"\n| extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols\n| project id,name,forwardingProtocol,supportedProtocols,tags\n| where forwardingProtocol !~ \"httpsonly\" or supportedProtocols has \"http\"\n| project recommendationId= \"d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1\", name,id,tags,param1=strcat(\"forwardingProtocol:\",forwardingProtocol),param2=strcat(\"supportedProtocols:\",supportedProtocols)\n\n"
},
{
@@ -1003,7 +1067,9 @@
"severity": "High",
"category": "Security",
"guid": "24ab9f11-a3e4-3043-a985-22cf94c4933a",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Use HTTP to HTTPS redirection\ncdnresources\n| where type == \"microsoft.cdn/profiles/afdendpoints/routes\"\n| extend httpsRedirect=tostring(properties.httpsRedirect)\n| project id,name,httpsRedirect,tags\n| where httpsRedirect !~ \"enabled\"\n| project recommendationId= \"24ab9f11-a3e4-3043-a985-22cf94c4933a\", name,id,tags,param1=strcat(\"httpsRedirect:\",httpsRedirect)\n\n"
},
{
@@ -1032,7 +1098,9 @@
"severity": "High",
"category": "Security",
"guid": "29d65c41-2fad-d142-95eb-9eab95f6c0a5",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -1061,7 +1129,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "4638c2c0-03de-6d42-9e09-82ee4478cbf3",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -1090,7 +1160,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "cd6a32af-747a-e649-82a7-a98f528ca842",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -1119,7 +1191,9 @@
"severity": "Medium",
"category": "Security",
"guid": "1bd2b7e8-400f-e64a-99a2-c572f7b08a62",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Enable the WAF\n\nresources\n| where type =~ \"microsoft.cdn/profiles\" and sku has \"AzureFrontDoor\"\n| project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name)\n| join kind= fullouter (\n cdnresources\n | where type == \"microsoft.cdn/profiles/securitypolicies\"\n | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id'])\n | extend splitid=split(id, \"/\")\n | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), \"/\"))\n | project secpolname=name, cdnprofileid, wafpolicyid\n )\n on cdnprofileid\n| project name, cdnprofileid, secpolname, wafpolicyid,skuname\n| join kind = fullouter (\n resources\n | where type == \"microsoft.network/frontdoorwebapplicationfirewallpolicies\"\n | extend\n managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != \"[]\", true, false),\n enabledState = tostring(properties.policySettings.enabledState)\n | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags)\n )\n on wafpolicyid\n| where name != \"\"\n| summarize\n associatedsecuritypolicies=countif(secpolname != \"\"),\n wafswithmanagedrules=countif(managedrulesenabled == 1)\n by name, id=cdnprofileid, tags,skuname\n| where associatedsecuritypolicies == 0 or wafswithmanagedrules == 0\n| project\n recommendationId = \"1bd2b7e8-400f-e64a-99a2-c572f7b08a62\",\n name,\n id,\n todynamic(tags),\n param1 = strcat(\"associatedsecuritypolicies:\", associatedsecuritypolicies),\n param2 = strcat(\"wafswithmanagedrules:\", wafswithmanagedrules),\n param3 = strcat(\"skuname:\",skuname)\n\n"
},
{
@@ -1148,7 +1222,9 @@
"severity": "Low",
"category": "High Availability",
"guid": "38f3d542-6de6-a44b-86c6-97e3be690281",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Disable health probes when there is only one origin in an origin group\ncdnresources\n| where type =~ \"microsoft.cdn/profiles/origingroups\"\n| extend healthprobe=tostring(properties.healthProbeSettings)\n| project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe\n| join (\n cdnresources\n | where type =~ \"microsoft.cdn/profiles/origingroups/Origins\"\n | extend origingroupname = tostring(properties.originGroupName)\n )\n on origingroupname\n| summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != \"\") by origingroupname, id, tostring(tags), resourceGroup, subscriptionId\n| where origincount == 1 and enabledhealthprobecount != 0\n| project\n recommendationId = \"38f3d542-6de6-a44b-86c6-97e3be690281\",\n name=origingroupname,\n id,\n todynamic(tags),\n param1 = strcat(\"origincount:\", origincount),\n param2 = strcat(\"enabledhealthprobecount:\", enabledhealthprobecount)\n\n"
},
{
@@ -1177,7 +1253,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "5225bba3-28ec-1e43-8986-7eedfd466d65",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -1206,7 +1284,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "5783defe-b49e-d947-84f7-d8677593f324",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -1235,7 +1315,9 @@
"severity": "Medium",
"category": "Security",
"guid": "b515690d-3bf9-3a49-8d38-188e0fd45896",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -1264,7 +1346,9 @@
"severity": "Medium",
"category": "Security",
"guid": "1cfe7834-56ec-ff41-b11d-993734705dba",
- "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -1293,7 +1377,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "b49a39fd-f431-4b61-9062-f2157849d845",
- "source": "azure-resources/Compute/galleries/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/galleries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Query to list all image versions,its associated image name and version replica configurations per region in a compute gallery whose version replicas is less than 3\nresources\n| where type =~ \"microsoft.compute/galleries/images/versions\"\n| extend GalleryName = tostring(split(tostring(id), \"/\")[8]), ImageName = tostring(split(tostring(id), \"/\")[10])\n| mv-expand VersionReplicas = properties.publishingProfile.targetRegions\n| project RecommendationId=\"b49a39fd-f431-4b61-9062-f2157849d845\",name,id,tags,param1=strcat(\"GalleryName: \",GalleryName),param2=strcat(\"ImageName: \",ImageName),param3=strcat(\"VersionReplicaRegionName: \",VersionReplicas.name),param4=strcat(\"VersionReplicationCount: \",VersionReplicas.regionalReplicaCount),rc=toint(VersionReplicas.regionalReplicaCount)\n| where rc < 3\n| project-away rc\n\n"
},
{
@@ -1326,7 +1412,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "488dcc8b-f2e3-40ce-bf95-73deb2db095f",
- "source": "azure-resources/Compute/galleries/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/galleries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Query to list all image versions and its associated image and gallery name whose Storage account type is not using ZRS\nresources\n| where type =~ \"microsoft.compute/galleries/images/versions\"\n| extend GalleryName = tostring(split(tostring(id), \"/\")[8]), ImageName = tostring(split(tostring(id), \"/\")[10])\n| extend StorageAccountType = tostring(properties.publishingProfile.storageAccountType)\n| where StorageAccountType !has \"ZRS\"\n| project RecommendationId=\"488dcc8b-f2e3-40ce-bf95-73deb2db095f\",name,id,tags,param1=strcat(\"GalleryName: \",GalleryName),param2=strcat(\"ImageName: \",ImageName),param3=strcat(\"StorageAccountType: \",StorageAccountType)\n\n"
},
{
@@ -1363,7 +1451,9 @@
"severity": "Low",
"category": "High Availability",
"guid": "1c5e1e58-4e56-491c-8529-10f37af9d4ed",
- "source": "azure-resources/Compute/galleries/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/galleries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Query to list all images whose Hyper-V generation is not V2\nresources\n| where type =~ \"microsoft.compute/galleries/images\"\n| extend VMGeneration = properties.hyperVGeneration\n| where VMGeneration <> 'V2'\n| project RecommendationId=\"1c5e1e58-4e56-491c-8529-10f37af9d4ed\",name,id,tags,param1=strcat(\"VMGeneration: \",VMGeneration)\n\n"
},
{
@@ -1396,7 +1486,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "e7495e1c-0c75-0946-b266-b429b5c7f3bf",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all zonal VMs that are NOT deployed with Flex orchestration mode\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| where properties.orchestrationMode != \"Flexible\"\n| project recommendationId = \"e7495e1c-0c75-0946-b266-b429b5c7f3bf\", name, id, tags, param1 = strcat(\"orchestrationMode: \", tostring(properties.orchestrationMode))\n\n"
},
{
@@ -1425,7 +1517,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "94794d2a-eff0-2345-9b67-6f9349d0a627",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that do NOT have health monitoring enabled\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| join kind=leftouter (\n resources\n | where type == \"microsoft.compute/virtualmachinescalesets\"\n | mv-expand extension=properties.virtualMachineProfile.extensionProfile.extensions\n | where extension.properties.type in ( \"ApplicationHealthWindows\", \"ApplicationHealthLinux\" )\n | project id\n) on id\n| where id1 == \"\"\n| project recommendationId = \"94794d2a-eff0-2345-9b67-6f9349d0a627\", name, id, tags, param1 = \"extension: null\"\n\n"
},
{
@@ -1454,7 +1548,9 @@
"severity": "High",
"category": "High Availability",
"guid": "820f4743-1f94-e946-ae0b-45efafd87962",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that do NOT have automatic repair policy enabled\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| where properties.automaticRepairsPolicy.enabled == false\n| project recommendationId = \"820f4743-1f94-e946-ae0b-45efafd87962\", name, id, tags, param1 = \"automaticRepairsPolicy: Disabled\"\n\n"
},
{
@@ -1487,7 +1583,9 @@
"severity": "High",
"category": "Scalability",
"guid": "ee66ff65-9aa3-2345-93c1-25827cf79f44",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find VMSS instances associated with autoscale settings when autoscale is disabled\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| project name, id, tags\n| join kind=leftouter (\n resources\n | where type == \"microsoft.insights/autoscalesettings\"\n | where tostring(properties.targetResourceUri) contains \"Microsoft.Compute/virtualMachineScaleSets\"\n | project id = tostring(properties.targetResourceUri), autoscalesettings = properties\n) on id\n| where isnull(autoscalesettings) or autoscalesettings.enabled == \"false\"\n| project recommendationId = \"ee66ff65-9aa3-2345-93c1-25827cf79f44\", name, id, tags, param1 = \"autoscalesettings: Disabled\"\n| order by id asc\n\n"
},
{
@@ -1516,7 +1614,9 @@
"severity": "Low",
"category": "Scalability",
"guid": "3f85a51c-e286-9f44-b4dc-51d00768696c",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find VMSS instances associated with autoscale settings when predictiveAutoscalePolicy_scaleMode is disabled\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| project name, id, tags\n| join kind=leftouter (\n resources\n | where type == \"microsoft.insights/autoscalesettings\"\n | where tostring(properties.targetResourceUri) contains \"Microsoft.Compute/virtualMachineScaleSets\"\n | project id = tostring(properties.targetResourceUri), autoscalesettings = properties\n) on id\n| where autoscalesettings.enabled == \"true\" and autoscalesettings.predictiveAutoscalePolicy.scaleMode == \"Disabled\"\n| project recommendationId = \"3f85a51c-e286-9f44-b4dc-51d00768696c\", name, id, tags, param1 = \"predictiveAutoscalePolicy_scaleMode: Disabled\"\n| order by id asc\n\n"
},
{
@@ -1545,7 +1645,9 @@
"severity": "High",
"category": "High Availability",
"guid": "b5a63aa0-c58e-244f-b8a6-cbba0560a6db",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find VMSS instances where strictly zoneBalance is set to True\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| where properties.orchestrationMode == \"Uniform\" and properties.zoneBalance == true\n| project recommendationId = \"b5a63aa0-c58e-244f-b8a6-cbba0560a6db\", name, id, tags, param1 = \"strictly zoneBalance: Enabled\"\n| order by id asc\n\n"
},
{
@@ -1578,7 +1680,9 @@
"severity": "High",
"category": "High Availability",
"guid": "1422c567-782c-7148-ac7c-5fc14cf45adc",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find VMSS instances with one or no Zones selected\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| where array_length(zones) <= 1 or isnull(zones)\n| project recommendationId = \"1422c567-782c-7148-ac7c-5fc14cf45adc\", name, id, tags, param1 = \"AvailabilityZones: Single Zone\"\n| order by id asc\n\n"
},
{
@@ -1611,7 +1715,9 @@
"severity": "Low",
"category": "Other Best Practices",
"guid": "e4ffd7b0-ba24-c84e-9352-ba4819f908c0",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph query\n// Identifies VMs and VMSS with manual patch settings, excluding automatic patch modes\nresources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| join kind=inner (\n resources\n | where type == \"microsoft.compute/virtualmachines\"\n | project id = tostring(properties.virtualMachineScaleSet.id), vmproperties = properties\n) on id\n| extend recommendationId = \"e4ffd7b0-ba24-c84e-9352-ba4819f908c0\", param1 = \"patchMode: Manual\", vmproperties.osProfile.linuxConfiguration.patchSettings.patchMode\n| where isnotnull(vmproperties.osProfile.linuxConfiguration) and vmproperties.osProfile.linuxConfiguration.patchSettings.patchMode !in (\"AutomaticByPlatform\", \"AutomaticByOS\")\n| distinct recommendationId, name, id, param1\n| union (resources\n| where type == \"microsoft.compute/virtualmachinescalesets\"\n| join kind=inner (\n resources\n | where type == \"microsoft.compute/virtualmachines\"\n | project id = tostring(properties.virtualMachineScaleSet.id), vmproperties = properties\n) on id\n| extend recommendationId = \"e4ffd7b0-ba24-c84e-9352-ba4819f908c0\", param1 = \"patchMode: Manual\", vmproperties.osProfile.windowsConfiguration.patchSettings.patchMode\n| where isnotnull(vmproperties.osProfile.windowsConfiguration) and vmproperties.osProfile.windowsConfiguration.patchSettings.patchMode !in (\"AutomaticByPlatform\", \"AutomaticByOS\")\n| distinct recommendationId, name, id, param1)\n\n"
},
{
@@ -1640,7 +1746,9 @@
"severity": "High",
"category": "Governance",
"guid": "83d61669-7bd6-9642-a305-175db8adcdf4",
- "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "//cannot-be-validated-with-arg\n\n"
},
{
@@ -1673,7 +1781,9 @@
"severity": "High",
"category": "High Availability",
"guid": "273f6b30-68e0-4241-85ea-acf15ffb60bf",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that are not associated with a VMSS Flex instance\nresources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnull(properties.virtualMachineScaleSet.id)\n| project recommendationId=\"273f6b30-68e0-4241-85ea-acf15ffb60bf\", name, id, tags\n\n"
},
{
@@ -1702,18 +1812,20 @@
"severity": "High",
"category": "High Availability",
"guid": "2bd0be95-a825-6f47-a8c6-3db1fb5eb387",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that are not assigned to a Zone\nResources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnull(zones)\n| project recommendationId=\"2bd0be95-a825-6f47-a8c6-3db1fb5eb387\", name, id, tags, param1=\"No Zone\"\n\n"
},
{
- "description": "Availability sets will soon be retired. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.\n",
+ "description": "While availability sets are not scheduled for immediate deprecation, they are planned to be deprecated in the future. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.\n",
"aprlGuid": "a8d25876-7951-b646-b4e8-880c9031596b",
"recommendationTypeId": null,
"recommendationControl": "High Availability",
"recommendationImpact": "High",
"recommendationResourceType": "Microsoft.Compute/virtualMachines",
"recommendationMetadataState": "Active",
- "longDescription": "Availability sets will soon be retired. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.\n",
+ "longDescription": "While availability sets are not scheduled for immediate deprecation, they are planned to be deprecated in the future. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.\n",
"potentialBenefits": "Enhances reliability and future-proofs VMs",
"pgVerified": true,
"publishedToLearn": false,
@@ -1731,7 +1843,9 @@
"severity": "High",
"category": "High Availability",
"guid": "a8d25876-7951-b646-b4e8-880c9031596b",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs using Availability Sets\nresources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnotnull(properties.availabilitySet)\n| project recommendationId = \"a8d25876-7951-b646-b4e8-880c9031596b\", name, id, tags, param1=strcat(\"availabilitySet: \",properties.availabilitySet.id)\n\n"
},
{
@@ -1764,7 +1878,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "cfe22a65-b1db-fd41-9e8e-d573922709ae",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that do NOT have replication with ASR enabled\nresources\n| where type =~ \"Microsoft.Compute/virtualMachines\"\n| extend securityType = iif(isnull(properties.securityProfile.securityType), \"Standard\", properties.securityProfile.securityType)\n| where securityType !in~ (\"TrustedLaunch\", \"ConfidentialVM\")\n| project id, vmIdForJoin = tolower(id), name, tags\n| join kind = leftouter (\n recoveryservicesresources\n | where type =~ \"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems\"\n and properties.providerSpecificDetails.dataSourceInfo.datasourceType =~ \"AzureVm\"\n | project vmResourceId = tolower(properties.providerSpecificDetails.dataSourceInfo.resourceId)\n )\n on $left.vmIdForJoin == $right.vmResourceId\n| where isempty(vmResourceId)\n| project recommendationId = \"cfe22a65-b1db-fd41-9e8e-d573922709ae\", name, id, tags\n"
},
{
@@ -1801,7 +1917,9 @@
"severity": "High",
"category": "High Availability",
"guid": "122d11d7-b91f-8747-a562-f56b79bcfbdc",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that are not using Managed Disks\nResources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnull(properties.storageProfile.osDisk.managedDisk)\n| project recommendationId = \"122d11d7-b91f-8747-a562-f56b79bcfbdc\", name, id, tags\n\n"
},
{
@@ -1834,7 +1952,9 @@
"severity": "Low",
"category": "Scalability",
"guid": "4ea2878f-0d69-8d4a-b715-afc10d1e538e",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that only have OS Disk\nResources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where array_length(properties.storageProfile.dataDisks) < 1\n| project recommendationId = \"4ea2878f-0d69-8d4a-b715-afc10d1e538e\", name, id, tags\n\n"
},
{
@@ -1863,7 +1983,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "1981f704-97b9-b645-9c57-33f8ded9261a",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that do NOT have Backup enabled\n// Run query to see results.\nresources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| project name, id, tags\n| join kind=leftouter (\n recoveryservicesresources\n | where type =~ 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems'\n | where properties.dataSourceInfo.datasourceType =~ 'Microsoft.Compute/virtualMachines'\n | project idBackupEnabled=properties.sourceResourceId\n | extend name=strcat_array(array_slice(split(idBackupEnabled, '/'), 8, -1), '/')\n) on name\n| where isnull(idBackupEnabled)\n| project-away idBackupEnabled\n| project-away name1\n| project recommendationId = \"1981f704-97b9-b645-9c57-33f8ded9261a\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -1892,7 +2014,9 @@
"severity": "Low",
"category": "Governance",
"guid": "98b334c0-8578-6046-9e43-b6e8fce6318e",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that are NOT running\nResources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where properties.extended.instanceView.powerState.displayStatus != 'VM running'\n| project recommendationId = \"98b334c0-8578-6046-9e43-b6e8fce6318e\", name, id, tags\n\n"
},
{
@@ -1921,7 +2045,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "dfedbeb1-1519-fc47-86a5-52f96cf07105",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VM NICs that do not have Accelerated Networking enabled\nresources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| mv-expand nic = properties.networkProfile.networkInterfaces\n| project name, id, tags, lowerCaseNicId = tolower(nic.id), vmSize = tostring(properties.hardwareProfile.vmSize)\n| join kind = inner (\n resources\n | where type =~ 'Microsoft.Network/networkInterfaces'\n | where properties.enableAcceleratedNetworking == false\n | project nicName = split(id, \"/\")[8], lowerCaseNicId = tolower(id)\n )\n on lowerCaseNicId\n| summarize nicNames = make_set(nicName) by name, id, tostring(tags), vmSize\n| extend param1 = strcat(\"NicName: \", strcat_array(nicNames, \", \")), param2 = strcat(\"VMSize: \", vmSize)\n| project recommendationId = \"dfedbeb1-1519-fc47-86a5-52f96cf07105\", name, id, tags, param1, param2\n| order by id asc\n\n"
},
{
@@ -1950,7 +2076,9 @@
"severity": "Low",
"category": "Governance",
"guid": "73d1bb04-7d3e-0d47-bc0d-63afe773b5fe",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -1979,7 +2107,9 @@
"severity": "Medium",
"category": "Security",
"guid": "1f629a30-c9d0-d241-82ee-6f2eb9d42cb4",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs with PublicIPs directly associated with them\nResources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnotnull(properties.networkProfile.networkInterfaces)\n| mv-expand nic=properties.networkProfile.networkInterfaces\n| project name, id, tags, nicId = nic.id\n| extend nicId = tostring(nicId)\n| join kind=inner (\n Resources\n | where type =~ 'Microsoft.Network/networkInterfaces'\n | where isnotnull(properties.ipConfigurations)\n | mv-expand ipconfig=properties.ipConfigurations\n | extend publicIp = tostring(ipconfig.properties.publicIPAddress.id)\n | where publicIp != \"\"\n | project name, nicId = tostring(id), publicIp\n) on nicId\n| project recommendationId = \"1f629a30-c9d0-d241-82ee-6f2eb9d42cb4\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -2008,7 +2138,9 @@
"severity": "Low",
"category": "Security",
"guid": "82b3cf6b-9ae2-2e44-b193-10793213f676",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of virtual machines and associated NICs that do have an NSG associated to them and also an NSG associated to the subnet.\nResources\n| where type =~ 'Microsoft.Network/networkInterfaces'\n| where isnotnull(properties.networkSecurityGroup)\n| mv-expand ipConfigurations = properties.ipConfigurations, nsg = properties.networkSecurityGroup\n| project nicId = tostring(id), subnetId = tostring(ipConfigurations.properties.subnet.id), nsgName=split(nsg.id, '/')[8]\n| parse kind=regex subnetId with '/virtualNetworks/' virtualNetwork '/subnets/' subnet\n | join kind=inner (\n Resources\n | where type =~ 'Microsoft.Network/NetworkSecurityGroups' and isnotnull(properties.subnets)\n | project name, resourceGroup, subnet=properties.subnets\n | mv-expand subnet\n | project subnetId=tostring(subnet.id)\n ) on subnetId\n | project nicId\n| join kind=leftouter (\n Resources\n | where type =~ 'Microsoft.Compute/virtualMachines'\n | where isnotnull(properties.networkProfile.networkInterfaces)\n | mv-expand nic=properties.networkProfile.networkInterfaces\n | project vmName = name, vmId = id, tags, nicId = nic.id, nicName=split(nic.id, '/')[8]\n | extend nicId = tostring(nicId)\n) on nicId\n| project recommendationId = \"82b3cf6b-9ae2-2e44-b193-10793213f676\", name=vmName, id = vmId, tags, param1 = strcat(\"nic-name=\", nicName)\n\n"
},
{
@@ -2037,7 +2169,9 @@
"severity": "Medium",
"category": "Security",
"guid": "41a22a5e-5e08-9647-92d0-2ffe9ef1bdad",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VM NICs that have IPForwarding enabled. This feature is usually only required for Network Virtual Appliances\nResources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnotnull(properties.networkProfile.networkInterfaces)\n| mv-expand nic=properties.networkProfile.networkInterfaces\n| project name, id, tags, nicId = nic.id\n| extend nicId = tostring(nicId)\n| join kind=inner (\n Resources\n | where type =~ 'Microsoft.Network/networkInterfaces'\n | where properties.enableIPForwarding == true\n | project nicId = tostring(id)\n) on nicId\n| project recommendationId = \"41a22a5e-5e08-9647-92d0-2ffe9ef1bdad\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -2066,7 +2200,9 @@
"severity": "Low",
"category": "Other Best Practices",
"guid": "1cf8fe21-9593-1e4e-966b-779a294c0d30",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VM NICs that have DNS Server settings configured in any of the NICs\nResources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnotnull(properties.networkProfile.networkInterfaces)\n| mv-expand nic=properties.networkProfile.networkInterfaces\n| project name, id, tags, nicId = nic.id\n| extend nicId = tostring(nicId)\n| join kind=inner (\n Resources\n | where type =~ 'Microsoft.Network/networkInterfaces'\n | project name, id, dnsServers = properties.dnsSettings.dnsServers\n | extend hasDns = array_length(dnsServers) >= 1\n | where hasDns != 0\n | project name, nicId = tostring(id)\n) on nicId\n| project recommendationId = \"1cf8fe21-9593-1e4e-966b-779a294c0d30\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -2099,7 +2235,9 @@
"severity": "Medium",
"category": "Other Best Practices",
"guid": "3263a64a-c256-de48-9818-afd3cbc55c2a",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Disks configured to be Shared. This is not an indication of an issue, but if a disk with this configuration is assigned to two or more VMs without a proper disk control mechanism (like a WSFC) it can lead to data loss\nresources\n| where type =~ 'Microsoft.Compute/disks'\n| where isnotnull(properties.maxShares) and properties.maxShares >= 2\n| project id, name, tags, lowerCaseDiskId = tolower(id), diskState = tostring(properties.diskState)\n| join kind = leftouter (\n resources\n | where type =~ 'Microsoft.Compute/virtualMachines'\n | project osDiskVmName = name, lowerCaseOsDiskId = tolower(properties.storageProfile.osDisk.managedDisk.id)\n | join kind = fullouter (\n resources\n | where type =~ 'Microsoft.Compute/virtualMachines'\n | mv-expand dataDisks = properties.storageProfile.dataDisks\n | project dataDiskVmName = name, lowerCaseDataDiskId = tolower(dataDisks.managedDisk.id)\n )\n on $left.lowerCaseOsDiskId == $right.lowerCaseDataDiskId\n | project lowerCaseDiskId = coalesce(lowerCaseOsDiskId, lowerCaseDataDiskId), vmName = coalesce(osDiskVmName, dataDiskVmName)\n )\n on lowerCaseDiskId\n| summarize vmNames = make_set(vmName) by name, id, tostring(tags), diskState\n| extend param1 = strcat(\"DiskState: \", diskState), param2 = iif(isempty(vmNames[0]), \"VMName: n/a\", strcat(\"VMName: \", strcat_array(vmNames, \", \")))\n| project recommendationId = \"3263a64a-c256-de48-9818-afd3cbc55c2a\", name, id, tags, param1, param2\n| order by id asc\n\n"
},
{
@@ -2128,7 +2266,9 @@
"severity": "Low",
"category": "Security",
"guid": "70b1d2be-e6c4-b54e-9959-b1b690f9e485",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Disks with \"Enable public access from all networks\" enabled\nresources\n| where type =~ 'Microsoft.Compute/disks'\n| where properties.publicNetworkAccess == \"Enabled\"\n| project id, name, tags, lowerCaseDiskId = tolower(id)\n| join kind = leftouter (\n resources\n | where type =~ 'Microsoft.Compute/virtualMachines'\n | project osDiskVmName = name, lowerCaseOsDiskId = tolower(properties.storageProfile.osDisk.managedDisk.id)\n | join kind = fullouter (\n resources\n | where type =~ 'Microsoft.Compute/virtualMachines'\n | mv-expand dataDisks = properties.storageProfile.dataDisks\n | project dataDiskVmName = name, lowerCaseDataDiskId = tolower(dataDisks.managedDisk.id)\n )\n on $left.lowerCaseOsDiskId == $right.lowerCaseDataDiskId\n | project lowerCaseDiskId = coalesce(lowerCaseOsDiskId, lowerCaseDataDiskId), vmName = coalesce(osDiskVmName, dataDiskVmName)\n )\n on lowerCaseDiskId\n| summarize vmNames = make_set(vmName) by name, id, tostring(tags)\n| extend param1 = iif(isempty(vmNames[0]), \"VMName: n/a\", strcat(\"VMName: \", strcat_array(vmNames, \", \")))\n| project recommendationId = \"70b1d2be-e6c4-b54e-9959-b1b690f9e485\", name, id, tags, param1\n| order by id asc\n\n"
},
{
@@ -2161,7 +2301,9 @@
"severity": "Low",
"category": "Governance",
"guid": "c42343ae-2712-2843-a285-3437eb0b28a1",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs in \"Non-compliant\" state with Azure Policies\npolicyresources\n| where type =~ \"Microsoft.PolicyInsights/policyStates\" and properties.resourceType =~ \"Microsoft.Compute/virtualMachines\" and properties.complianceState =~ \"NonCompliant\"\n| project\n policyDefinitionId = tolower(properties.policyDefinitionId),\n policyAssignmentId = tolower(properties.policyAssignmentId),\n targetResourceId = tolower(properties.resourceId)\n// Join the policy definition details\n| join kind = leftouter (\n policyresources\n | where type =~ \"Microsoft.Authorization/policyDefinitions\"\n | project policyDefinitionId = tolower(id), policyDefinitionDisplayName = properties.displayName\n )\n on policyDefinitionId\n| project policyDefinitionId, policyDefinitionDisplayName, policyAssignmentId, targetResourceId\n// Join the policy assignment details\n| join kind = leftouter (\n policyresources\n | where type =~ \"Microsoft.Authorization/policyAssignments\"\n | project policyAssignmentId = tolower(id), policyAssignmentDisplayName = properties.displayName\n )\n on policyAssignmentId\n| project policyDefinitionId, policyDefinitionDisplayName, policyAssignmentId, policyAssignmentDisplayName, targetResourceId\n// Join the target resource details\n| join kind = leftouter (\n resources\n | where type =~ \"Microsoft.Compute/virtualMachines\"\n | project targetResourceId = tolower(id), targetResourceIdPreservedCase = id, targetResourceName = name, targetResourceTags = tags\n )\n on targetResourceId\n| project\n recommendationId = \"c42343ae-2712-2843-a285-3437eb0b28a1\",\n name = targetResourceName,\n id = targetResourceIdPreservedCase,\n tags = targetResourceTags,\n param1 = strcat(\"DefinitionName: \", policyDefinitionDisplayName),\n param2 = strcat(\"DefinitionID: \", policyDefinitionId),\n param3 = strcat(\"AssignmentName: \", policyAssignmentDisplayName),\n param4 = strcat(\"AssignmentID: \", policyAssignmentId)\n"
},
{
@@ -2190,7 +2332,9 @@
"severity": "High",
"category": "Security",
"guid": "f0a97179-133a-6e4f-8a49-8a44da73ffce",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure VM disks without Azure Disk Encryption or encryption at host enabled\nresources\n| where type =~ \"microsoft.compute/disks\"\n| project diskId = id, diskName = name, vmId = tolower(managedBy), azureDiskEncryption = iff(properties.encryptionSettingsCollection.enabled == true, true, false)\n| join kind=leftouter (resources\n| where type =~ \"microsoft.compute/virtualmachines\"\n| project vmId = tolower(id), vmName = name, encryptionAtHost = iff(properties.securityProfile.encryptionAtHost == true, true, false)) on vmId\n| where not(encryptionAtHost) and not(azureDiskEncryption)\n| project recommendationId = 'f0a97179-133a-6e4f-8a49-8a44da73ffce', name = vmName, id =vmId, param1 = strcat('diskName:',diskName), param2 = strcat('azureDiskEncryption:',iff(azureDiskEncryption, \"Enabled\", \"Disabled\")), param3 = strcat('encryptionAtHost:',iff(encryptionAtHost, \"Enabled\", \"Disabled\"))\n"
},
{
@@ -2223,7 +2367,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "b72214bb-e879-5f4b-b9cd-642db84f36f4",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Check for VMs without Azure Monitoring Agent extension installed, missing Data Collection Rule or Data Collection Rule without performance enabled.\nResources\n| where type == 'microsoft.compute/virtualmachines'\n| project idVm = tolower(id), name, tags\n| join kind=leftouter (\n InsightsResources\n | where type =~ \"Microsoft.Insights/dataCollectionRuleAssociations\" and id has \"Microsoft.Compute/virtualMachines\"\n | project idDcr = tolower(properties.dataCollectionRuleId), idVmDcr = tolower(substring(id, 0, indexof(id, \"/providers/Microsoft.Insights/dataCollectionRuleAssociations/\"))))\non $left.idVm == $right.idVmDcr\n| join kind=leftouter (\n Resources\n | where type =~ \"Microsoft.Insights/dataCollectionRules\"\n | extend\n isPerformanceEnabled = iif(properties.dataSources.performanceCounters contains \"Microsoft-InsightsMetrics\" and properties.dataFlows contains \"Microsoft-InsightsMetrics\", true, false),\n isMapEnabled = iif(properties.dataSources.extensions contains \"Microsoft-ServiceMap\" and properties.dataSources.extensions contains \"DependencyAgent\" and properties.dataFlows contains \"Microsoft-ServiceMap\", true, false)//,\n | where isPerformanceEnabled or isMapEnabled\n | project dcrName = name, isPerformanceEnabled, isMapEnabled, idDcr = tolower(id))\non $left.idDcr == $right.idDcr\n| join kind=leftouter (\n Resources\n | where type == 'microsoft.compute/virtualmachines/extensions' and (name contains 'AzureMonitorWindowsAgent' or name contains 'AzureMonitorLinuxAgent')\n | extend idVmExtension = tolower(substring(id, 0, indexof(id, '/extensions'))), extensionName = name)\non $left.idVm == $right.idVmExtension\n| where isPerformanceEnabled != 1 or (extensionName != 'AzureMonitorWindowsAgent' and extensionName != 'AzureMonitorLinuxAgent')\n| project recommendationId = \"b72214bb-e879-5f4b-b9cd-642db84f36f4\", name, id = idVm, tags, param1 = strcat('MonitoringExtension:', extensionName), param2 = 
strcat('DataCollectionRuleId:', idDcr), param3 = strcat('isPerformanceEnabled:', isPerformanceEnabled)\n\n"
},
{
@@ -2252,7 +2398,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "4a9d8973-6dba-0042-b3aa-07924877ebd5",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Virtual Machines without diagnostic settings enabled/with diagnostic settings enabled but not configured both performance counters and event logs/syslogs.\nresources\n| where type =~ \"microsoft.compute/virtualmachines\"\n| project name, id, tags, lowerCaseVmId = tolower(id)\n| join kind = leftouter (\n resources\n | where type =~ \"Microsoft.Compute/virtualMachines/extensions\" and properties.publisher =~ \"Microsoft.Azure.Diagnostics\"\n | project\n lowerCaseVmIdOfExtension = tolower(substring(id, 0, indexof(id, \"/extensions/\"))),\n extensionType = properties.type,\n provisioningState = properties.provisioningState,\n storageAccount = properties.settings.StorageAccount,\n // Windows\n wadPerfCounters = properties.settings.WadCfg.DiagnosticMonitorConfiguration.PerformanceCounters.PerformanceCounterConfiguration,\n wadEventLogs = properties.settings.WadCfg.DiagnosticMonitorConfiguration.WindowsEventLog,\n // Linux\n ladPerfCounters = properties.settings.ladCfg.diagnosticMonitorConfiguration.performanceCounters.performanceCounterConfiguration,\n ladSyslog = properties.settings.ladCfg.diagnosticMonitorConfiguration.syslogEvents\n | extend\n // Windows\n isWadPerfCountersConfigured = iif(array_length(wadPerfCounters) > 0, true, false),\n isWadEventLogsConfigured = iif(isnotnull(wadEventLogs) and array_length(wadEventLogs.DataSource) > 0, true, false),\n // Linux\n isLadPerfCountersConfigured = iif(array_length(ladPerfCounters) > 0, true, false),\n isLadSyslogConfigured = isnotnull(ladSyslog)\n | project\n lowerCaseVmIdOfExtension,\n extensionType,\n provisioningState,\n storageAccount,\n isPerfCountersConfigured = case(extensionType =~ \"IaaSDiagnostics\", isWadPerfCountersConfigured, extensionType =~ \"LinuxDiagnostic\", isLadPerfCountersConfigured, false),\n isEventLogsConfigured = case(extensionType =~ \"IaaSDiagnostics\", isWadEventLogsConfigured, extensionType =~ \"LinuxDiagnostic\", isLadSyslogConfigured, 
false)\n )\n on $left.lowerCaseVmId == $right.lowerCaseVmIdOfExtension\n| where isempty(lowerCaseVmIdOfExtension) or provisioningState !~ \"Succeeded\" or not(isPerfCountersConfigured and isEventLogsConfigured)\n| extend\n param1 = strcat(\"DiagnosticSetting: \", iif(isnotnull(extensionType), strcat(\"Enabled, partially configured (\", extensionType, \")\"), \"Not enabled\")),\n param2 = strcat(\"ProvisioningState: \", iif(isnotnull(provisioningState), provisioningState, \"n/a\")),\n param3 = strcat(\"storageAccount: \", iif(isnotnull(storageAccount), storageAccount, \"n/a\")),\n param4 = strcat(\"PerformanceCounters: \", case(isnull(isPerfCountersConfigured), \"n/a\", isPerfCountersConfigured, \"Configured\", \"Not configured\")),\n param5 = strcat(\"EventLogs/Syslogs: \", case(isnull(isEventLogsConfigured), \"n/a\", isEventLogsConfigured, \"Configured\", \"Not configured\"))\n| project recommendationId = \"4a9d8973-6dba-0042-b3aa-07924877ebd5\", name, id, tags, param1, param2, param3, param4, param5\n\n"
},
{
@@ -2281,7 +2429,9 @@
"severity": "High",
"category": "High Availability",
"guid": "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find VMS that do not have maintenance configuration assigned\nResources\n| extend resourceId = tolower(id)\n| project name, location, type, id, tags, resourceId, properties\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| join kind=leftouter (\nmaintenanceresources\n| where type =~ \"microsoft.maintenance/configurationassignments\"\n| project planName = name, type, maintenanceProps = properties\n| extend resourceId = tostring(maintenanceProps.resourceId)\n) on resourceId\n| where isnull(maintenanceProps)\n| project recommendationId = \"52ab9e5c-eec0-3148-8bd7-b6dd9e1be870\",name, id, tags\n| order by id asc\n\n"
},
{
@@ -2310,7 +2460,9 @@
"severity": "High",
"category": "Scalability",
"guid": "3201dba8-d1da-4826-98a4-104066545170",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs using A or B series families\nresources\n| where type == 'microsoft.compute/virtualmachines'\n| where properties.hardwareProfile.vmSize contains \"Standard_B\" or properties.hardwareProfile.vmSize contains \"Standard_A\"\n| project recommendationId = \"3201dba8-d1da-4826-98a4-104066545170\", name, id, tags, param1=strcat(\"vmSku: \" , properties.hardwareProfile.vmSize)\n\n"
},
{
@@ -2339,7 +2491,9 @@
"severity": "High",
"category": "Scalability",
"guid": "df0ff862-814d-45a3-95e4-4fad5a244ba6",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs that have an attached disk that is not in the Premium or Ultra sku tier.\n\nresources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| extend lname = tolower(name)\n| join kind=leftouter(resources\n | where type =~ 'Microsoft.Compute/disks'\n | where not(sku.tier =~ 'Premium') and not(sku.tier =~ 'Ultra')\n | extend lname = tolower(tostring(split(managedBy, '/')[8]))\n | project lname, name\n | summarize disks = make_list(name) by lname) on lname\n| where isnotnull(disks)\n| project recommendationId = \"df0ff862-814d-45a3-95e4-4fad5a244ba6\", name, id, tags, param1=strcat(\"AffectedDisks: \", disks)\n\n"
},
{
@@ -2372,7 +2526,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "9ab499d8-8844-424d-a2d4-8f53690eb8f8",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -2409,7 +2565,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "2de8fa5e-14f4-4c4c-857f-1520f87a629f",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -2438,7 +2596,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "fa0cf4f5-0b21-47b7-89a9-ee936f193ce1",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find eligible Disks that are not zonal nor zone redundant\nresources\n| where type == 'microsoft.compute/disks'\n| where sku has \"Premium_LRS\" or sku has \"StandardSSD_LRS\"\n| where sku.name has_cs 'ZRS' or array_length(zones) > 0\n| project recommendationId=\"fa0cf4f5-0b21-47b7-89a9-ee936f193ce1\", name, id, tags, param1 = sku, param2 = sku.name\n"
},
{
@@ -2467,7 +2627,9 @@
"severity": "High",
"category": "High Availability",
"guid": "302fda08-ee65-4fbe-a916-6dc0b33169c4",
- "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceFile": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Virtual Machines not associated with a Capacity Reservation, and provide details for Capacity Reservation like vmSize, location, and zone.\nresources\n| where type =~ 'Microsoft.Compute/virtualMachines'\n| where isnull(properties.capacityReservation)\n| extend zoneValue = iff(isnull(zones), \"null\", zones)\n| project recommendationId = \"302fda08-ee65-4fbe-a916-6dc0b33169c4\", name, id, tags, param1 = strcat(\"VmSize: \", properties.hardwareProfile.vmSize), param2 = strcat(\"Location: \", location), param3 = strcat(\"Zone: \", zoneValue)\n"
},
{
@@ -2496,7 +2658,9 @@
"severity": "High",
"category": "Scalability",
"guid": "eb005943-40a8-194b-9db2-474d430046b7",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Container Registries that are not using the Premium tier\nresources\n| where type =~ \"microsoft.containerregistry/registries\"\n| where sku.name != \"Premium\"\n| project recommendationId = \"eb005943-40a8-194b-9db2-474d430046b7\", name, id, tags, param1=strcat(\"SkuName: \", tostring(sku.name))\n| order by id asc\n\n"
},
{
@@ -2525,7 +2689,9 @@
"severity": "High",
"category": "High Availability",
"guid": "63491f70-22e4-3b4a-8b0c-845450e46fac",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Container Registries that do not have zone redundancy enabled\nresources\n| where type =~ \"microsoft.containerregistry/registries\"\n| where properties.zoneRedundancy != \"Enabled\"\n| project recommendationId = \"63491f70-22e4-3b4a-8b0c-845450e46fac\", name, id, tags, param1=strcat(\"zoneRedundancy: \", tostring(properties.zoneRedundancy))\n| order by id asc\n\n"
},
{
@@ -2558,7 +2724,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "36ea6c09-ef6e-d743-9cfb-bd0c928a430b",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Container Registries that do not have geo-replication enabled\nresources\n| where type =~ \"microsoft.containerregistry/registries\"\n| project registryName = name, registryId = id, tags, primaryRegion = location\n| join kind=leftouter (\n Resources\n | where type =~ \"microsoft.containerregistry/registries/replications\"\n | project replicationRegion=name, replicationId = id\n | extend registryId=strcat_array(array_slice(split(replicationId, '/'), 0, -3), '/')\n ) on registryId\n| project-away registryId1, replicationId\n| where isempty(replicationRegion)\n| project recommendationId = \"36ea6c09-ef6e-d743-9cfb-bd0c928a430b\", name=registryName, id=registryId, tags\n| order by id asc\n\n"
},
{
@@ -2587,7 +2755,9 @@
"severity": "Low",
"category": "Security",
"guid": "a5a0101a-a240-8742-90ba-81dbde9a0c0c",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -2616,7 +2786,9 @@
"severity": "Low",
"category": "Governance",
"guid": "8e389532-5db5-7e4c-9d4d-443b3e55ae82",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// List container registries that contain additional resources within the same resource group.\nresources\n| where type =~ \"microsoft.containerregistry/registries\"\n| project registryName=name, registryId=id, registryTags=tags, resourceGroupId=strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), resourceGroup, subscriptionId\n| join kind=inner (\n resources\n | where not(type =~ \"microsoft.containerregistry/registries\")\n | summarize recourceCount=count() by subscriptionId, resourceGroup\n | where recourceCount != 0\n) on resourceGroup, subscriptionId\n| project recommendationId = \"8e389532-5db5-7e4c-9d4d-443b3e55ae82\", name=registryName, id=registryId, tags=registryTags, param1=strcat('resourceGroupName:',resourceGroup), param2=strcat('resourceGroupId:',resourceGroupId)\n\n"
},
{
@@ -2649,7 +2821,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "3ef86f16-f65b-c645-9901-7830d6dc3a1b",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Container Registries that have their retention policy disabled\nresources\n| where type =~ \"microsoft.containerregistry/registries\"\n| where properties.policies.retentionPolicy.status == \"disabled\"\n| project recommendationId = \"3ef86f16-f65b-c645-9901-7830d6dc3a1b\", name, id, tags, param1='retentionPolicy:disabled'\n| order by id asc\n\n"
},
{
@@ -2678,7 +2852,9 @@
"severity": "Medium",
"category": "Security",
"guid": "03f4a7d8-c5b4-7842-8e6e-14997a34842b",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Container Registries that have anonymous pull access enabled\nresources\n| where type =~ \"microsoft.containerregistry/registries\"\n| where properties.anonymousPullEnabled == \"true\"\n| project recommendationId = \"03f4a7d8-c5b4-7842-8e6e-14997a34842b\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -2711,7 +2887,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "44107155-7a32-9348-89f3-d5aa7e7c5a1d",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -2744,7 +2922,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "d594cde6-4116-d143-a64a-25f63289a2f8",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -2773,7 +2953,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "e7f0fd54-fba0-054e-9ab8-e676f2851f88",
- "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure Container Registry resources that do not have soft delete enabled\nresources\n| where type =~ \"microsoft.containerregistry/registries\"\n| where properties.policies.softDeletePolicy.status == \"disabled\"\n| project recommendationId = \"e7f0fd54-fba0-054e-9ab8-e676f2851f88\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -2806,7 +2988,9 @@
"severity": "High",
"category": "High Availability",
"guid": "4f63619f-5001-439c-bacb-8de891287727",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns AKS clusters that do not have any availability zones enabled or only use a single zone\nresources\n| where type =~ \"Microsoft.ContainerService/managedClusters\"\n| project id, name, tags, location, pools = properties.agentPoolProfiles\n| mv-expand pool = pools\n| extend\n numOfAvailabilityZones = iif(isnull(pool.availabilityZones), 0, array_length(pool.availabilityZones))\n| where numOfAvailabilityZones < 2\n| project\n recommendationId = \"4f63619f-5001-439c-bacb-8de891287727\",\n id,\n name,\n tags,\n param1 = strcat(\"NodePoolName: \", pool.name),\n param2 = strcat(\"Mode: \", pool.mode),\n param3 = strcat(\"AvailabilityZones: \", iif(numOfAvailabilityZones == 0, \"None\", strcat(\"Zone \", strcat_array(pool.availabilityZones, \", \")))),\n param4 = strcat(\"Location: \", location)\n"
},
{
@@ -2835,7 +3019,9 @@
"severity": "High",
"category": "High Availability",
"guid": "5ee083cd-6ac3-4a83-8913-9549dd36cf56",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns each AKS cluster with nodepools that do not have system pods labelled with CriticalAddonsOnly\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| mv-expand agentPoolProfile = properties.agentPoolProfiles\n| where agentPoolProfile.mode =~ 'System' // system node pools\n| extend taint = tostring(parse_json(agentPoolProfile.nodeTaints))\n| extend hasCriticalAddonsTaint = agentPoolProfile.kubeletConfig has 'CriticalAddonsOnly'\n| extend hasNodeLabel = agentPoolProfile.customNodeLabels has 'CriticalAddonsOnly'\n| extend hasCriticalAddonsOnly = hasCriticalAddonsTaint or hasNodeLabel or isempty(taint)\n| extend nodePool = tostring(parse_json(agentPoolProfile.name))\n| where hasCriticalAddonsOnly\n| project\n recommendationId=\"5ee083cd-6ac3-4a83-8913-9549dd36cf56\",\n id,\n name,\n tags,\n param1=strcat(\"nodepoolName: \", nodePool)\n"
},
{
@@ -2872,7 +3058,9 @@
"severity": "High",
"category": "Security",
"guid": "ca324d71-54b0-4a3e-b9e4-10e767daa9fc",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns a list of AKS clusters not using AAD enabled\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| extend aadProfile = tostring (parse_json(properties.aadProfile))\n| extend disablelocalAdmin = tostring(parse_json(properties.disableLocalAccounts))\n| extend RBAC = tostring(parse_json(properties.enableRBAC))\n| where RBAC == \"false\"\n| project recommendationId=\"ca324d71-54b0-4a3e-b9e4-10e767daa9fc\", name, id, tags, param1=strcat(\"aadProfile: \", aadProfile), param2=strcat(\"disablelocalAdmin: \",disablelocalAdmin), param3=strcat(\"RBAC: \", RBAC)\n\n"
},
{
@@ -2905,7 +3093,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "c22db132-399b-4e7c-995d-577a60881be8",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Check AKS Clusters using kubenet network profile\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| extend networkProfile = tostring (parse_json(properties.networkProfile.networkPlugin))\n| where networkProfile ==\"kubenet\"\n| project recommendationId=\"c22db132-399b-4e7c-995d-577a60881be8\", name, id, tags, param1=strcat(\"networkProfile :\",networkProfile)\n\n"
},
{
@@ -2946,7 +3136,9 @@
"severity": "High",
"category": "Scalability",
"guid": "902c82ff-4910-4b61-942d-0d6ef7f39b67",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find AKS clusters with auto-scaling disabled\nResources\n| where type == \"microsoft.containerservice/managedclusters\"\n| extend autoScaling = tostring (parse_json(properties.agentPoolProfiles.[0].enableAutoScaling))\n| where autoScaling == \"false\"\n| project recommendationId=\"902c82ff-4910-4b61-942d-0d6ef7f39b67\", name, id, tags, param1=strcat(\"autoScaling :\", autoScaling)\n\n"
},
{
@@ -2979,7 +3171,9 @@
"severity": "Low",
"category": "Disaster Recovery",
"guid": "269a9f1a-6675-460a-831e-b05a887a8c4b",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find AKS clusters that do not have backup enabled\n\nresources\n| where type =~ 'Microsoft.ContainerService/managedClusters'\n| extend lname = tolower(name)\n| join kind=leftouter(recoveryservicesresources\n | where type =~ 'microsoft.dataprotection/backupvaults/backupinstances'\n | extend lname = tolower(tostring(split(properties.dataSourceInfo.resourceID, '/')[8]))\n | extend protectionState = properties.currentProtectionState\n | project lname, protectionState) on lname\n| where protectionState != 'ProtectionConfigured'\n| extend param1 = iif(isnull(protectionState), 'Protection Not Configured', strcat('Protection State: ', protectionState))\n| project recommendationId = \"269a9f1a-6675-460a-831e-b05a887a8c4b\", name, id, tags, param1\n\n"
},
{
@@ -3024,7 +3218,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "d3111036-355d-431b-ab49-8ddad042800b",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3057,7 +3253,9 @@
"severity": "High",
"category": "Governance",
"guid": "b002c030-72e6-4a37-8217-1cb276c43169",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3086,7 +3284,9 @@
"severity": "Low",
"category": "Scalability",
"guid": "9a1c17e5-c9a0-43db-b920-adaf54d1bcb7",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3119,7 +3319,9 @@
"severity": "Low",
"category": "Scalability",
"guid": "b4639ca7-6308-429a-8b98-92f0bf9bf813",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3152,7 +3354,9 @@
"severity": "High",
"category": "High Availability",
"guid": "0611251f-e70f-4243-8ddd-cfe894bec2e7",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns all AKS clusters not running on the Standard tier\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| where sku.tier != \"Standard\"\n| project recommendationId=\"0611251f-e70f-4243-8ddd-cfe894bec2e7\", id, name, tags, param1=strcat(\"skuName: \", sku.name), param2=strcat(\"skuTier: \", sku.tier)\n\n"
},
{
@@ -3181,7 +3385,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "dcaf8128-94bd-4d53-9235-3a0371df6b74",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns AKS clusters where either Azure Monitor is not enabled and/or Container Insights is not enabled\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| extend azureMonitor = tostring(parse_json(properties.azureMonitorProfile.metrics.enabled))\n| extend insights = tostring(parse_json(properties.addonProfiles.omsagent.enabled))\n| where isempty(azureMonitor) or isempty(insights)\n| project recommendationId=\"dcaf8128-94bd-4d53-9235-3a0371df6b74\",id, name, tags, param1=strcat(\"azureMonitorProfileEnabled: \", iff(isempty(azureMonitor), \"false\", azureMonitor)), param2=strcat(\"containerInsightsEnabled: \", iff(isempty(insights), \"false\", insights))\n\n"
},
{
@@ -3218,7 +3424,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "a7bfcc18-b0d8-4d37-81f3-8131ed8bead5",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns any AKS cluster nodepools that do not have Ephemeral Disks\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| mv-expand agentPoolProfile = properties.agentPoolProfiles\n| extend type = tostring(agentPoolProfile.osDiskType)\n| where type != 'Ephemeral'\n| project recommendationId=\"a7bfcc18-b0d8-4d37-81f3-8131ed8bead5\", name, id, param1=strcat(\"osDiskType: \", type)\n"
},
{
@@ -3251,7 +3459,9 @@
"severity": "Low",
"category": "Governance",
"guid": "26ebaf1f-c70d-4ebd-8641-4b60a0ce0094",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns a count of non-compliant policy items per AKS cluster\nPolicyResources\n| where type =~ 'Microsoft.PolicyInsights/PolicyStates'\n| extend complianceState = tostring(properties.complianceState)\n| where complianceState == 'NonCompliant'\n| where properties.resourceType =~ 'Microsoft.ContainerService/managedClusters'\n| extend\n id = tostring(properties.resourceId)\n| summarize count() by id\n| join kind=inner (\n resources\n | where type =~ 'Microsoft.ContainerService/managedClusters'\n | project id, name\n) on id\n| project recommendationId=\"26ebaf1f-c70d-4ebd-8641-4b60a0ce0094\", id, name, param1=strcat(\"numNonCompliantAlerts: \", count_)\n"
},
{
@@ -3284,7 +3494,9 @@
"severity": "Low",
"category": "Other Best Practices",
"guid": "5f3cbd68-692a-4121-988c-9770914859a9",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns AKS clusters where GitOps is not enabled\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| extend gitops = tostring (parse_json(properties.addOnProfiles.gitops.enabled))\n| where isempty(gitops)\n| project recommendationId=\"5f3cbd68-692a-4121-988c-9770914859a9\", id, name, tags, param1=strcat(\"gitopsEnabled: \", \"false\")\n\n"
},
{
@@ -3317,7 +3529,9 @@
"severity": "High",
"category": "High Availability",
"guid": "928fcc6f-5e9a-42d9-9bd4-260af42de2e5",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3350,7 +3564,9 @@
"severity": "High",
"category": "High Availability",
"guid": "cd6791b1-c60e-4b37-ac98-9897b1e6f4b8",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3379,7 +3595,9 @@
"severity": "High",
"category": "High Availability",
"guid": "bcfe71f1-ebed-49e5-a84a-193b81ad5d27",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3408,7 +3626,9 @@
"severity": "High",
"category": "High Availability",
"guid": "7f7ae535-a5ba-4665-b7e0-c451dbdda01f",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns each AKS cluster with nodepools that have system nodepools with less than 2 nodes\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| mv-expand agentPoolProfile = properties.agentPoolProfiles\n| extend taints = tostring(parse_json(agentPoolProfile.nodeTaints))\n| extend nodePool = tostring(parse_json(agentPoolProfile.name))\n| where taints has \"CriticalAddonsOnly=true:NoSchedule\" and agentPoolProfile.minCount < 2\n| project recommendationId=\"7f7ae535-a5ba-4665-b7e0-c451dbdda01f\", id, name, param1=strcat(\"nodePoolName: \", nodePool), param2=strcat(\"nodePoolMinNodeCount: \", agentPoolProfile.minCount)\n\n"
},
{
@@ -3437,7 +3657,9 @@
"severity": "High",
"category": "High Availability",
"guid": "005ccbbd-aeab-46ef-80bd-9bd4479412ec",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns each AKS cluster with nodepools that have user nodepools with less than 2 nodes\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| mv-expand agentPoolProfile = properties.agentPoolProfiles\n| extend taints = tostring(parse_json(agentPoolProfile.nodeTaints))\n| extend nodePool = tostring(parse_json(agentPoolProfile.name))\n| where taints !has \"CriticalAddonsOnly=true:NoSchedule\" and agentPoolProfile.minCount < 2\n| project recommendationId=\"005ccbbd-aeab-46ef-80bd-9bd4479412ec\", id, name, param1=strcat(\"nodePoolName: \", nodePool), param2=strcat(\"nodePoolMinNodeCount: \", agentPoolProfile.minCount)\n\n"
},
{
@@ -3470,7 +3692,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "a08a06a0-e41a-4b99-83bb-69ce8bca54cb",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -3499,7 +3723,9 @@
"severity": "High",
"category": "High Availability",
"guid": "e620fa98-7a40-41a0-bfc9-b4407297fb58",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns each AKS cluster with nodepools that have user nodepools with a subnetmask that does not match autoscale configured max-nodes\n// Subtracting the network address, broadcast address, and default 3 addresses Azure reserves within each subnet\n\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| extend nodePools = properties['agentPoolProfiles']\n| mv-expand nodePools = properties.agentPoolProfiles\n| where nodePools.enableAutoScaling == true\n| extend nodePoolName=nodePools.name, maxNodes = nodePools.maxCount, subnetId = tostring(nodePools.vnetSubnetID)\n| project clusterId = id, clusterName=name, nodePoolName=nodePools.name, toint(maxNodes), subnetId\n| join kind = leftouter (\n resources\n | where type == 'microsoft.network/virtualnetworks'\n | extend subnets = properties.subnets\n | mv-expand subnets\n | project id = tostring(subnets.id), addressPrefix = tostring(subnets.properties['addressPrefix'])\n | extend subnetmask = toint(substring(addressPrefix, indexof(addressPrefix, '/')+1, string_size(addressPrefix)))\n | extend possibleMaxNodeCount = toint(exp2(32-subnetmask) - 5)\n) on $left.subnetId == $right.id\n| project-away id, subnetmask\n| where possibleMaxNodeCount <= maxNodes\n| extend param1 = strcat(nodePoolName, \" autoscaler upper limit: \", maxNodes)\n| extend param2 = strcat(\"ip addresses on subnet: \", possibleMaxNodeCount)\n| project recommendationId=\"e620fa98-7a40-41a0-bfc9-b4407297fb58\", name=clusterName, id=clusterId, param1, param2\n\n"
},
{
@@ -3528,7 +3754,9 @@
"severity": "High",
"category": "High Availability",
"guid": "a01afc4c-7439-4919-b2da-3565992ea2a7",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -3557,7 +3785,9 @@
"severity": "High",
"category": "High Availability",
"guid": "f46b0d1d-56ef-4795-b98a-f6ee00cb341a",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns each AKS cluster with nodepools that have Linux nodepools not using Azure Linux\nresources\n| where type == \"microsoft.containerservice/managedclusters\"\n| mv-expand agentPoolProfile = properties.agentPoolProfiles\n| where agentPoolProfile.osType == 'Linux' and agentPoolProfile.osSKU != 'AzureLinux'\n| project recommendationid=\"f46b0d1d-56ef-4795-b98a-f6ee00cb341a\", name, id, param1=strcat(\"nodePoolName: \", agentPoolProfile.name)\n"
},
{
@@ -3586,7 +3816,9 @@
"severity": "High",
"category": "High Availability",
"guid": "9200aca6-0e83-4749-a5eb-e3939367bdc2",
- "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceFile": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -3615,7 +3847,9 @@
"severity": "High",
"category": "High Availability",
"guid": "88856605-53d8-4bbd-a75b-4a7b14939d32",
- "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for MySQL instances that are not zone redundant\nresources\n| where type == \"microsoft.dbformysql/flexibleservers\"\n| where properties.highAvailability.mode != \"ZoneRedundant\"\n| project recommendationId = \"88856605-53d8-4bbd-a75b-4a7b14939d32\", name, id, tags, param1 = \"ZoneRedundant: False\"\n"
},
{
@@ -3644,7 +3878,9 @@
"severity": "High",
"category": "Scalability",
"guid": "82a9a0f2-24ee-496f-9ad2-25f81710942d",
- "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for MySQL instances that do not have a custom maintenance window\nresources\n| where type =~ \"microsoft.dbformysql/flexibleservers\"\n| where properties.maintenanceWindow.customWindow != \"Enabled\"\n| project recommendationId = \"82a9a0f2-24ee-496f-9ad2-25f81710942d\", name, id, tags, param1 = strcat(\"customWindow:\", properties['maintenanceWindow']['customWindow'])\n"
},
{
@@ -3673,7 +3909,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "5c96afc3-7d2e-46ff-a4c7-9c32850c441b",
- "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for MySQL instances that do not have geo redundant backup storage enabled\nresources\n| where type =~ \"microsoft.dbformysql/flexibleservers\"\n| where properties.backup.geoRedundantBackup != \"Enabled\"\n| project recommendationId = \"5c96afc3-7d2e-46ff-a4c7-9c32850c441b\", name, id, tags, param1 = strcat(\"geoRedundantBackup:\", properties['backup']['geoRedundantBackup'])\n"
},
{
@@ -3702,7 +3940,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "b49a8653-cc43-48c9-8513-a2d2e3f14dd1",
- "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for MySQL instances that do not have a read replica configured\nresources\n| where type =~ \"microsoft.dbformysql/flexibleservers\"\n| where properties.replicationRole == \"None\"\n| project recommendationId = \"b49a8653-cc43-48c9-8513-a2d2e3f14dd1\", name, id, tags, param1 = strcat(\"replicationRole:\", properties['replicationRole'])\n"
},
{
@@ -3731,7 +3971,9 @@
"severity": "High",
"category": "Scalability",
"guid": "8176a79d-8645-4e52-96be-a10fc0204fe5",
- "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for MySQL instances that do not have a storage auto-grow\nresources\n| where type =~ \"microsoft.dbformysql/flexibleservers\"\n| where properties.storage.autoGrow != \"Enabled\"\n| project recommendationId = \"8176a79d-8645-4e52-96be-a10fc0204fe5\", name, id, tags, param1 = strcat(\"autoGrow:\", properties['storage']['autoGrow'])\n"
},
{
@@ -3760,7 +4002,9 @@
"severity": "High",
"category": "High Availability",
"guid": "ca87914f-aac4-4783-ab67-82a6f936f194",
- "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for PostgreSQL instances that are not zone redundant\nresources\n| where type == \"microsoft.dbforpostgresql/flexibleservers\"\n| where properties.highAvailability.mode != \"ZoneRedundant\"\n| project recommendationId = \"ca87914f-aac4-4783-ab67-82a6f936f194\", name, id, tags, param1 = \"ZoneRedundant: False\"\n"
},
{
@@ -3789,7 +4033,9 @@
"severity": "High",
"category": "Scalability",
"guid": "b2bad57d-7e03-4c0f-9024-597c9eb295bb",
- "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for PostgreSQL instances that do not have a custom maintenance window\nresources\n| where type == \"microsoft.dbforpostgresql/flexibleservers\"\n| where properties.maintenanceWindow.customWindow != \"Enabled\"\n| project recommendationId = \"b2bad57d-7e03-4c0f-9024-597c9eb295bb\", name, id, tags, param1 = strcat(\"customWindow:\", properties['maintenanceWindow']['customWindow'])\n"
},
{
@@ -3818,7 +4064,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3",
- "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for PostgreSQL instances that do not have geo redundant backup storage configured\nresources\n| where type == \"microsoft.dbforpostgresql/flexibleservers\"\n| where properties.backup.geoRedundantBackup != \"Enabled\"\n| project recommendationId = \"31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3\", name, id, tags, param1 = strcat(\"geoRedundantBackup:\", properties['backup']['geoRedundantBackup'])\n"
},
{
@@ -3847,7 +4095,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "2ab85a67-26be-4ed2-a0bb-101b2513ec63",
- "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Database for PostgreSQL instances that are read replicas\nresources\n| where type == \"microsoft.dbforpostgresql/flexibleservers\"\n| where properties.replicationRole == \"AsyncReplica\"\n| project recommendationId = \"2ab85a67-26be-4ed2-a0bb-101b2513ec63\", name, id, tags, param1 = strcat(\"replicationRole:\", properties['replicationRole'])\n"
},
{
@@ -3876,7 +4126,9 @@
"severity": "High",
"category": "Scalability",
"guid": "6293a3cc-6b4a-4c0f-9ea7-b8ae8d7dd3d5",
- "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceFile": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -3905,7 +4157,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "0e835cc2-2551-a247-b1f1-3c5f25c9cb70",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -3934,7 +4188,9 @@
"severity": "High",
"category": "Scalability",
"guid": "c166602e-0804-e34b-be8f-09b4d56e1fcd",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -3963,7 +4219,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "5877a510-8444-7a4c-8412-a8dab8662f7e",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -3992,7 +4250,9 @@
"severity": "High",
"category": "Scalability",
"guid": "5c72f0d6-55ec-d941-be84-36c194fa78c0",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4021,7 +4281,9 @@
"severity": "High",
"category": "Scalability",
"guid": "362ad2b6-b92c-414f-980a-0cf69467ccce",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4054,7 +4316,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "cd77db98-9b13-6e4b-bd2b-74c2cb538628",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4083,7 +4347,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "3d3e53b5-ebd1-db42-b43b-d4fad74824ec",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4112,7 +4378,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "7fb90127-5364-bb4d-86fa-30778ed713fb",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4141,7 +4409,9 @@
"severity": "High",
"category": "High Availability",
"guid": "da4ea916-4df3-8c4d-8060-17b49da45977",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4170,7 +4440,9 @@
"severity": "Low",
"category": "High Availability",
"guid": "892ca809-e2b5-9a47-924a-71132bf6f902",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4199,7 +4471,9 @@
"severity": "Low",
"category": "Business Continuity",
"guid": "7e52d64d-8cc0-8548-a593-eb49ab45630d",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4228,7 +4502,9 @@
"severity": "High",
"category": "High Availability",
"guid": "84e44da6-8cd7-b349-b02c-c8bf72cf587c",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4257,7 +4533,9 @@
"severity": "High",
"category": "Scalability",
"guid": "4cbb7744-ff3d-0447-badb-baf068c95696",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4286,7 +4564,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "1b0d0893-bf0e-8f4c-9dc6-f18f145c1ecf",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4315,7 +4595,9 @@
"severity": "Low",
"category": "Business Continuity",
"guid": "e93fe702-e385-d741-ba37-1f1656482ecd",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4344,7 +4626,9 @@
"severity": "Medium",
"category": "Other Best Practices",
"guid": "b7e1d13f-54c9-1648-8a52-34c0abe8ce16",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4373,7 +4657,9 @@
"severity": "Low",
"category": "Business Continuity",
"guid": "a42297c4-7e4f-8b41-8d4b-114033263f0e",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4402,7 +4688,9 @@
"severity": "Low",
"category": "Disaster Recovery",
"guid": "932d45d6-b46d-e341-abfb-d97bce832f1f",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4431,7 +4719,9 @@
"severity": "High",
"category": "High Availability",
"guid": "12e9d852-5cdc-2743-bffe-ee21f2ef7781",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4460,7 +4750,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "a18d60f8-c98c-ba4e-ad6e-2fac72879df1",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4489,7 +4781,9 @@
"severity": "Low",
"category": "Disaster Recovery",
"guid": "c0e22580-3819-444d-8546-a80e4ed85c83",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4518,7 +4812,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "4fdb7112-4531-6f48-b60e-c917a6068d9b",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4547,7 +4843,9 @@
"severity": "High",
"category": "Other Best Practices",
"guid": "42aedaa8-6151-424d-b782-b8666c779969",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4576,7 +4874,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "20193ff9-dbcd-a74e-b197-71d7d9d3c1e6",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4605,7 +4905,9 @@
"severity": "High",
"category": "Scalability",
"guid": "397cdebb-9d6e-ab4f-83a1-8c481de0a3a7",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4634,7 +4936,9 @@
"severity": "High",
"category": "Scalability",
"guid": "5e722c4f-415a-9b4c-bd4c-96b74dce29ad",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4663,7 +4967,9 @@
"severity": "High",
"category": "High Availability",
"guid": "14310ba6-77ad-3641-a2db-57a2218b9bc7",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4692,7 +4998,9 @@
"severity": "High",
"category": "High Availability",
"guid": "b5af7e26-3939-1b48-8fba-f8d4a475c67a",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4729,7 +5037,9 @@
"severity": "High",
"category": "High Availability",
"guid": "8aa63c34-dd9d-49bd-9582-21ec310dfbdd",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -4762,7 +5072,9 @@
"severity": "Medium",
"category": "Personalized",
"guid": "028593be-956e-4736-bccf-074cb10b92f4",
- "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4791,7 +5103,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "013ac34e-7c4b-425f-9e0c-216f0cc06181",
- "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceFile": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -4820,7 +5134,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7",
- "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceFile": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This resource graph query will return all AVD host pools that does not have scheduled agent updates configured\nresources\n| where type =~ \"Microsoft.DesktopVirtualization/hostpools\"\n| where isnull(properties.agentUpdate)\n| project recommendationId = \"979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7\", name, id, tags, param1 = 'No scheduled agent updates'\n"
},
{
@@ -4849,7 +5165,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "939cb85c-102a-4e0a-ab82-5c92116d3778",
- "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceFile": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4878,7 +5196,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "38721758-2cc2-4d6b-b7b7-8b47dadbf7df",
- "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceFile": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -4907,7 +5227,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "499769ae-67c9-492e-9ca5-cfd4cece5209",
- "source": "azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml",
+ "sourceFile": "azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -4940,7 +5262,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "783c6c18-760b-4867-9ced-3010a0bc5aa3",
- "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceFile": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -4969,7 +5293,9 @@
"severity": "High",
"category": "High Availability",
"guid": "eeba3a49-fef0-481f-a471-7ff01139b474",
- "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceFile": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// list all IoT Hubs that are using the Free tier\nresources\n| where type =~ \"microsoft.devices/iothubs\" and\n tostring(sku.tier) =~ 'Free'\n| project recommendationId=\"eeba3a49-fef0-481f-a471-7ff01139b474\", name, id, tags, param1=strcat(\"tier:\", tostring(sku.tier))\n\n"
},
{
@@ -4998,7 +5324,9 @@
"severity": "High",
"category": "High Availability",
"guid": "214cbc46-747e-4354-af6e-6bf0054196a5",
- "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceFile": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -5035,7 +5363,9 @@
"severity": "High",
"category": "Scalability",
"guid": "b1e1378d-4572-4414-bebd-b8872a6d4d1c",
- "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceFile": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// list all IoT Hubs that do not have a linked IoT Hub Device Provisioning Service (DPS)\nresources\n| where type =~ \"microsoft.devices/iothubs\"\n| project id, iotHubName=tostring(properties.hostName), tags, resourceGroup\n| join kind=fullouter (\n resources\n | where type == \"microsoft.devices/provisioningservices\"\n | mv-expand iotHubs=properties.iotHubs\n | project iotHubName = tostring(iotHubs.name), dpsName = name, name=iotHubs.name\n) on iotHubName\n| where dpsName == ''\n| project recommendationId=\"b1e1378d-4572-4414-bebd-b8872a6d4d1c\", name=iotHubName, id, tags, param1='DPS:none'\n\n"
},
{
@@ -5064,7 +5394,9 @@
"severity": "High",
"category": "High Availability",
"guid": "02568a5d-335e-4e51-9f7c-fe2ada977300",
- "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceFile": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -5093,7 +5425,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e",
- "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceFile": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// list all IoT Hubs that have the fallback route disabled\nresources\n| where type == \"microsoft.devices/iothubs\"\n| extend fallbackEnabled=properties.routing.fallbackRoute.isEnabled\n| where fallbackEnabled == false\n| project recommendationId=\"e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e\", name, id, tags, param1='FallbackRouteEnabled:false'\n\n"
},
{
@@ -5126,7 +5460,9 @@
"severity": "High",
"category": "High Availability",
"guid": "43663217-a1d3-844b-80ea-571a2ce37c6c",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Query to find Azure Cosmos DB accounts that have less than 2 regions or less than 3 regions with strong consistency level\nResources\n| where type =~ 'Microsoft.DocumentDb/databaseAccounts'\n| where\n array_length(properties.locations) < 2 or\n (array_length(properties.locations) < 3 and properties.consistencyPolicy.defaultConsistencyLevel == 'Strong')\n| project recommendationId='43663217-a1d3-844b-80ea-571a2ce37c6c', name, id, tags\n\n"
},
{
@@ -5155,7 +5491,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "9cabded7-a1fc-6e4a-944b-d7dd98ea31a2",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Query to list all Azure Cosmos DB accounts that do not have multiple write locations or automatic failover enabled\nResources\n| where type =~ 'Microsoft.DocumentDb/databaseAccounts'\n| where\n array_length(properties.locations) > 1 and\n tobool(properties.enableAutomaticFailover) == false and\n tobool(properties.enableMultipleWriteLocations) == false\n| project recommendationId='9cabded7-a1fc-6e4a-944b-d7dd98ea31a2', name, id, tags\n"
},
{
@@ -5188,7 +5526,9 @@
"severity": "High",
"category": "High Availability",
"guid": "9ce78192-74a0-104c-b5bb-9a443f941649",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Query to find Azure Cosmos DB accounts that have multiple read locations but do not have multiple write locations enabled\nResources\n| where type =~ 'Microsoft.DocumentDb/databaseAccounts'\n| where\n array_length(properties.locations) > 1 and\n properties.enableMultipleWriteLocations == false\n| project recommendationId='9ce78192-74a0-104c-b5bb-9a443f941649', name, id, tags\n\n"
},
{
@@ -5217,7 +5557,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "e544520b-8505-7841-9e77-1f1974ee86ec",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Query all Azure Cosmos DB accounts that do not have continuous backup mode configured\nResources\n| where type =~ 'Microsoft.DocumentDb/databaseAccounts'\n| where\n properties.backupPolicy.type == 'Periodic' and\n properties.enableMultipleWriteLocations == false and\n properties.enableAnalyticalStorage == false\n| project recommendationId='e544520b-8505-7841-9e77-1f1974ee86ec', name, id, tags\n"
},
{
@@ -5246,7 +5588,9 @@
"severity": "High",
"category": "Scalability",
"guid": "c006604a-0d29-684c-99f0-9729cb40dac5",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -5275,7 +5619,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "7eb32cf9-9a42-1540-acf8-597cbba8a418",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -5304,7 +5650,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "fa6ac22f-0584-bb4b-80e4-80f4755d1a97",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -5333,7 +5681,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "deaea200-013c-414b-ac9f-bfa7a7fb13f0",
- "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -5362,7 +5712,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "54c3191b-b535-1946-bba9-b754f44060f6",
- "source": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "sourceFile": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -5391,7 +5743,9 @@
"severity": "Low",
"category": "Personalized",
"guid": "92162eb5-4323-3145-8a6c-525ce2f0700e",
- "source": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "sourceFile": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -5420,7 +5774,9 @@
"severity": "Medium",
"category": "Security",
"guid": "b2069f64-4741-3d4a-a71d-50c8b03f5ab7",
- "source": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "sourceFile": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all eventgrid services not protected by private endpoints.\nResources\n| where type contains \"eventgrid\"\n| where properties['publicNetworkAccess'] == \"Enabled\"\n| project recommendationId = \"b2069f64-4741-3d4a-a71d-50c8b03f5ab7\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -5449,7 +5805,9 @@
"severity": "High",
"category": "High Availability",
"guid": "84636c6c-b317-4722-b603-7b1ffc16384b",
- "source": "azure-resources/EventHub/namespaces/recommendations.yaml"
+ "sourceFile": "azure-resources/EventHub/namespaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024"
},
{
"description": "Enable auto-inflate on Event Hub Standard tier namespaces to automatically scale up TUs, meeting usage needs and preventing data ingress or egress throttle scenarios by adjusting to allowed rates.\n",
@@ -5477,7 +5835,9 @@
"severity": "High",
"category": "Scalability",
"guid": "fbfef3df-04a5-41b2-a8fd-b8541eb04956",
- "source": "azure-resources/EventHub/namespaces/recommendations.yaml",
+ "sourceFile": "azure-resources/EventHub/namespaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Event Hub namespace instances that are Standard tier and do not have Auto Inflate enabled\nresources\n| where type == \"microsoft.eventhub/namespaces\"\n| where sku.tier == \"Standard\"\n| where properties.isAutoInflateEnabled == \"false\"\n| project recommendationId = \"fbfef3df-04a5-41b2-a8fd-b8541eb04956\", name, id, tags, param1 = \"AutoInflateEnabled: False\"\n\n"
},
{
@@ -5514,7 +5874,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "be448849-0d7d-49ba-9c94-9573ee533d5d",
- "source": "azure-resources/Insights/activityLogAlerts/recommendations.yaml",
+ "sourceFile": "azure-resources/Insights/activityLogAlerts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -5547,7 +5909,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "9729c89d-8118-41b4-a39b-e12468fa872b",
- "source": "azure-resources/Insights/activityLogAlerts/recommendations.yaml",
+ "sourceFile": "azure-resources/Insights/activityLogAlerts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This resource graph query will return all subscriptions without Service Health alerts configured.\n\nresourcecontainers\n| where type == 'microsoft.resources/subscriptions'\n| project subscriptionAlerts=tostring(id),name,tags\n| join kind=leftouter (\n resources\n | where type == 'microsoft.insights/activitylogalerts' and properties.condition contains \"ServiceHealth\"\n | extend subscriptions = properties.scopes\n | project subscriptions\n | mv-expand subscriptions\n | project subscriptionAlerts = tostring(subscriptions)\n) on subscriptionAlerts\n| where isempty(subscriptionAlerts1)\n| project-away subscriptionAlerts1\n| project recommendationId = \"9729c89d-8118-41b4-a39b-e12468fa872b\",id=subscriptionAlerts,name,tags\n\n"
},
{
@@ -5576,7 +5940,9 @@
"severity": "Medium",
"category": "Service Upgrade and Retirement",
"guid": "dac421ec-2832-4c37-839e-b6dc5a38f2fa",
- "source": "azure-resources/Insights/components/recommendations.yaml",
+ "sourceFile": "azure-resources/Insights/components/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph query\n// Filters Application Insights resources with \u2018Classic\u2019 deployment type\nresources\n| where type =~ \"microsoft.insights/components\"\n| extend IngestionMode = properties.IngestionMode\n| where IngestionMode =~ 'ApplicationInsights'\n| project recommendationId= \"dac421ec-2832-4c37-839e-b6dc5a38f2fa\", name, id, tags, param1=\"ApplicationInsightsDeploymentType: Classic\"\n\n"
},
{
@@ -5605,7 +5971,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "1cca00d2-d9ab-8e42-a788-5d40f49405cb",
- "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Key Vaults that do not have soft delete enabled.\nresources\n| where type == \"microsoft.keyvault/vaults\"\n| where isnull(properties.enableSoftDelete) or properties.enableSoftDelete != \"true\"\n| project recommendationId = \"1cca00d2-d9ab-8e42-a788-5d40f49405cb\", name, id, tags, param1 = \"EnableSoftDelete: Disabled\"\n\n"
},
{
@@ -5634,7 +6002,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "70fcfe6d-00e9-5544-a63a-fff42b9f2edb",
- "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This resource graph query will return all Key Vaults that do not have Purge Protection enabled.\nresources\n| where type == \"microsoft.keyvault/vaults\"\n| where isnull(properties.enablePurgeProtection) or properties.enablePurgeProtection != \"true\"\n| project recommendationId = \"70fcfe6d-00e9-5544-a63a-fff42b9f2edb\", name, id, tags, param1 = \"EnablePurgeProtection: Disabled\"\n\n"
},
{
@@ -5663,7 +6033,9 @@
"severity": "Medium",
"category": "Security",
"guid": "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51",
- "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This resource graph query will return all Key Vaults that does not have a Private Endpoint Connection or where a private endpoint exists but public access is enabled\n\nresources\n| where type == \"microsoft.keyvault/vaults\"\n| where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != (\"Succeeded\") or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')\n| extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections),split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))\n| extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place','Public Access Enabled')))\n| project recommendationId = \"00c3d2b0-ea6e-4c4b-89be-b78a35caeb51\", name, id, tags, param1, param2\n\n"
},
{
@@ -5692,7 +6064,9 @@
"severity": "High",
"category": "Governance",
"guid": "e7091145-3642-bd41-bb58-66502e64d2cd",
- "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -5721,7 +6095,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "1dc0821d-4f14-7644-bab4-ba208ff5f7fa",
- "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -5750,7 +6126,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "af426a99-62a6-6b4c-9662-42d220b413b8",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -5779,7 +6157,9 @@
"severity": "High",
"category": "Scalability",
"guid": "ab984130-c57b-6c4a-8d04-6723b4e1bdb6",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Azure NetApp Files volumes without standard network features.\nresources\n| where type =~ \"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n| where properties.networkFeatures != \"Standard\"\n| project recommendationId = \"ab984130-c57b-6c4a-8d04-6723b4e1bdb6\", name, id, tags\n\n"
},
{
@@ -5808,7 +6188,9 @@
"severity": "High",
"category": "High Availability",
"guid": "47d100a5-7f85-5742-967a-67eb5081240a",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Azure NetApp Files volumes without an availability zone defined.\nResources\n| where type =~ \"Microsoft.NetApp/netAppAccounts/capacityPools/volumes\"\n| where array_length(zones) == 0 or isnull(zones)\n| project recommendationId = \"47d100a5-7f85-5742-967a-67eb5081240a\", name, id, tags\n\n"
},
{
@@ -5837,7 +6219,9 @@
"severity": "High",
"category": "Other Best Practices",
"guid": "8bb690e8-64d5-4838-8703-9ee3dbac688f",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -5866,7 +6250,9 @@
"severity": "High",
"category": "High Availability",
"guid": "72827434-c773-4345-9493-34848ddf5803",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Azure NetApp Files volumes without a snapshot policy defined.\nresources\n|\u00a0where\u00a0type\u00a0==\u00a0\"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n| where properties.dataProtection.snapshot.snapshotPolicyId == \"\"\n| project recommendationId = \"72827434-c773-4345-9493-34848ddf5803\", name, id, tags\n\n"
},
{
@@ -5895,7 +6281,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "b2fb3e60-97ec-e34d-af29-b16a0d61c2ac",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Azure NetApp Files volumes without a backup policy defined.\nresources\n| where type == \"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n| where properties.dataProtection.backup.backupPolicyId == \"\"\n| project recommendationId = \"b2fb3e60-97ec-e34d-af29-b16a0d61c2ac\", name, id, tags\n"
},
{
@@ -5924,7 +6312,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "e30317d2-c502-4dfe-a2d3-0a737cc79545",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Azure NetApp Files volumes without cross-region replication.\nresources\n|\u00a0where\u00a0type\u00a0==\u00a0\"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n|\u00a0extend\u00a0remoteVolumeRegion\u00a0=\u00a0properties.dataProtection.replication.remoteVolumeRegion\n|\u00a0extend\u00a0volumeType\u00a0=\u00a0properties.volumeType\n|\u00a0extend\u00a0replicationType\u00a0=\u00a0iff((remoteVolumeRegion\u00a0==\u00a0location),\u00a0\"CZR\",\u00a0iff((remoteVolumeRegion\u00a0==\u00a0\"\"),\"n/a\",\"CRR\"))\n| where replicationType != \"CRR\" and volumeType != \"DataProtection\"\n| project recommendationId = \"e30317d2-c502-4dfe-a2d3-0a737cc79545\", name, id, tags\n\n"
},
{
@@ -5953,7 +6343,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "e3d742e1-dacd-9b48-b6b1-510ec9f87c96",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Azure NetApp Files volumes without cross-zone replication.\nresources\n|\u00a0where\u00a0type\u00a0==\u00a0\"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n|\u00a0extend\u00a0remoteVolumeRegion\u00a0=\u00a0properties.dataProtection.replication.remoteVolumeRegion\n|\u00a0extend\u00a0volumeType\u00a0=\u00a0properties.volumeType\n|\u00a0extend\u00a0replicationType\u00a0=\u00a0iff((remoteVolumeRegion\u00a0==\u00a0location),\u00a0\"CZR\",\u00a0iff((remoteVolumeRegion\u00a0==\u00a0\"\"),\"n/a\",\"CRR\"))\n| where replicationType != \"CZR\" and volumeType != \"DataProtection\"\n| project recommendationId = \"e3d742e1-dacd-9b48-b6b1-510ec9f87c96\", name, id, tags\n\n"
},
{
@@ -5982,7 +6374,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "2f579fc9-e599-0d44-8b97-254f50ae04d8",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6015,7 +6409,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "687ae58f-517f-ca43-90fe-922497e61283",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6060,7 +6456,9 @@
"severity": "Medium",
"category": "Security",
"guid": "cfa2244b-5436-47de-8287-b217875d3b0a",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6089,7 +6487,9 @@
"severity": "High",
"category": "High Availability",
"guid": "d1e7ccc3-e6c1-40e9-a36e-fd134711c808",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6118,7 +6518,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "60f36f9b-fac9-4160-bbf5-57af04da4f53",
- "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6147,7 +6549,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1\nresources\n| where type =~ \"microsoft.network/applicationGateways\"\n| where isnull(properties.autoscaleConfiguration) or properties.autoscaleConfiguration.minCapacity <= 1\n| project recommendationId = \"823b0cff-05c0-2e4e-a1e7-9965e1cfa16f\", name, id, tags, param1 = \"autoScaleConfiguration: isNull or MinCapacity <= 1\"\n| order by id asc\n\n\n"
},
{
@@ -6192,7 +6596,9 @@
"severity": "High",
"category": "Security",
"guid": "233a7008-71e9-e745-923e-1a1c7a0b92f3",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// You can use the following Azure Resource Graph query to check if an HTTP rule is using an SSL certificate or is using Azure Key Vault to store the certificates\nresources\n| where type =~ \"microsoft.network/applicationGateways\"\n| mv-expand frontendPorts = properties.frontendPorts\n| mv-expand httpListeners = properties.httpListeners\n| where isnull(parse_json(httpListeners.properties.sslCertificate))\n| project recommendationId=\"233a7008-71e9-e745-923e-1a1c7a0b92f3\", name, id, tags, param1=strcat(\"frontendPort: \", frontendPorts.properties.port), param2=\"tls: false\"\n\n"
},
{
@@ -6225,7 +6631,9 @@
"severity": "Low",
"category": "Security",
"guid": "8d9223c4-730d-ca47-af88-a9a024c37270",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all Application Gateways that do not have WAF enabled\nResources\n| where type =~ \"microsoft.network/applicationGateways\"\n| where properties.firewallpolicy != \"\"\n| project recommendationId = \"8d9223c4-730d-ca47-af88-a9a024c37270\", name, id, tags, param1 = \"webApplicationFirewallConfiguration: isNull\"\n| order by id asc\n\n\n"
},
{
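Review bot: The Resource Graph query for guid 8d9223c4-730d-ca47-af88-a9a024c37270 filters on `| where properties.firewallpolicy != ""`, which keeps gateways that *have* a firewall policy — the opposite of its header comment "do not have WAF enabled" — and gateways whose `firewallPolicy` is null fall out of the comparison entirely, so the misconfigured case this Security item exists for is never reported. This file looks generated from the APRL YAML, so the fix belongs in the source recommendation rather than in this artifact; the condition should be on the inverse, along the lines of `| where isnull(properties.firewallPolicy) or tostring(properties.firewallPolicy) == ""`, and since `param1` already mentions `webApplicationFirewallConfiguration`, the legacy `properties.webApplicationFirewallConfiguration.enabled` form presumably needs to be considered as well — confirm against the APRL source.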
@@ -6262,7 +6670,9 @@
"severity": "High",
"category": "Scalability",
"guid": "7893f0b3-8622-1d47-beed-4b50a19f7895",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Get all Application Gateways, which are using the deprecated V1 SKU\nresources\n| where type =~ 'microsoft.network/applicationgateways'\n| extend tier = properties.sku.tier\n| where tier == 'Standard' or tier == 'WAF'\n| project recommendationId = \"7893f0b3-8622-1d47-beed-4b50a19f7895\", name, id, tags\n\n"
},
{
@@ -6295,7 +6705,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "5d035919-898d-a047-8d5d-454e199692e5",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6328,7 +6740,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "847a8d88-21c4-bc48-a94e-562206edd767",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Application Gateways are not using health probes to monitor the availability of the backend systems\nresources\n| where type =~ \"microsoft.network/applicationGateways\"\n| where array_length(properties.probes) == 0\n| project recommendationId=\"847a8d88-21c4-bc48-a94e-562206edd767\", name, id, tags, param1=\"customHealthProbeUsed: false\"\n\n"
},
{
@@ -6361,7 +6775,9 @@
"severity": "High",
"category": "High Availability",
"guid": "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// list Application Gateways that are not configured to use at least 2 Availability Zones\nresources\n| where type =~ \"microsoft.network/applicationGateways\"\n| where isnull(zones) or array_length(zones) < 2\n| extend zoneValue = iff((isnull(zones)), \"null\", zones)\n| project recommendationId = \"c9c00f2a-3888-714b-a72b-b4c9e8fcffb2\", name, id, tags, param1=\"Zones: No Zone or Zonal\", param2=strcat(\"Zones value: \", zoneValue )\n\n"
},
{
@@ -6394,7 +6810,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will check if connection draining is enabled\nresources\n| where type =~ \"microsoft.network/applicationGateways\"\n| mv-expand backendHttpSettings = properties.backendHttpSettingsCollection\n| extend connectionDrainingEnabled = backendHttpSettings.properties.connectionDraining.enabled\n| where connectionDrainingEnabled != true\n| extend backendPoolName = backendHttpSettings.name\n| project recommendationId = \"10f02bc6-e2e7-004d-a2c2-f9bf9f16b915\", name, id, tags, param1 = \"connectionDraining: Disabled\", param2 = strcat(\"backendSettingsName: \", backendPoolName)\n\n"
},
{
@@ -6423,7 +6841,9 @@
"severity": "High",
"category": "Other Best Practices",
"guid": "8364fd0a-7c0e-e240-9d95-4bf965aec243",
- "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will validate the subnet id for an appGW ends with a /24\n\nresources\n| where type =~ 'Microsoft.Network/applicationGateways'\n| extend subnetid = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id)\n| join kind=leftouter(resources\n | where type == \"microsoft.network/virtualnetworks\"\n | mv-expand properties.subnets\n | extend subnetid = tostring(properties_subnets.id)\n | extend addressprefix = tostring(properties_subnets.properties.addressPrefix)\n | project subnetid, addressprefix) on subnetid\n| where addressprefix !endswith '/24'\n| project recommendationId = \"8364fd0a-7c0e-e240-9d95-4bf965aec243\", name, id, tags, param1 = strcat('AppGW subnet prefix: ', addressprefix)\n\n"
},
{
@@ -6456,7 +6876,9 @@
"severity": "High",
"category": "High Availability",
"guid": "c72b7fee-1fa0-5b4b-98e5-54bcae95bb74",
- "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// List all Azure Firewalls that are not configured with multiple availability zones or deployed without a zone\nresources\n| where type == 'microsoft.network/azurefirewalls'\n| where array_length(zones) <= 1 or isnull(zones)\n| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)\n| project recommendationId = \"c72b7fee-1fa0-5b4b-98e5-54bcae95bb74\", name, id, tags, param1=\"multipleZones:false\"\n\n"
},
{
@@ -6489,7 +6911,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "3c8fa7c6-6b78-a24a-a63f-348a7c71acb9",
- "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// List all Azure Firewalls resources in-scope, along with any metrics associated to Azure Monitor alert rules, that are not fully configured.\nresources\n| where type == \"microsoft.network/azurefirewalls\"\n| project firewallId = tolower(id), name, tags\n| join kind = leftouter (\n resources\n | where type == \"microsoft.insights/metricalerts\"\n | mv-expand properties.scopes\n | mv-expand properties.criteria.allOf\n | where properties_scopes contains \"azureFirewalls\"\n | project metricId = tolower(properties_scopes), monitoredMetric = properties_criteria_allOf.metricName, tags\n | summarize monitoredMetrics = make_list(monitoredMetric) by tostring(metricId)\n | project\n metricId,\n monitoredMetrics,\n allAlertsConfigured = monitoredMetrics contains(\"FirewallHealth\") and monitoredMetrics contains (\"Throughput\") and monitoredMetrics contains (\"SNATPortUtilization\")\n) on $left.firewallId == $right.metricId\n| extend alertsNotFullyConfigured = isnull(allAlertsConfigured) or not(allAlertsConfigured)\n| where alertsNotFullyConfigured\n| project recommendationId = \"c8fa7c6-6b78-a24a-a63f-348a7c71acb9\", name, id = firewallId, tags, param1 = strcat(\"MetricsAlerts:\", monitoredMetrics)\n\n"
},
{
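Review bot: The query for guid 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 projects `recommendationId = "c8fa7c6-6b78-a24a-a63f-348a7c71acb9"`, missing the leading `3`, so query results cannot be joined back to this entry by id. The line is unchanged context and this file appears to be generated, so the correction belongs in the upstream APRL query; a generator-side check that each `graph` string containing a `recommendationId` uses the entry's own `guid` would catch this class of mismatch before it is published.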
@@ -6518,7 +6942,9 @@
"severity": "High",
"category": "Security",
"guid": "1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d",
- "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// List all in-scope Azure Firewall resources, where the VNet is not associated to a DDoS Protection Plan\nresources\n| where type =~ \"Microsoft.Network/azureFirewalls\"\n| where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)\n| mv-expand ipConfig = properties.ipConfigurations\n| project\n name,\n firewallId = id,\n tags,\n vNetName = split(ipConfig.properties.subnet.id, \"/\", 8)[0],\n vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, \"/subnet\")))\n| join kind=fullouter (\n resources\n | where type =~ \"Microsoft.Network/ddosProtectionPlans\"\n | mv-expand vNet = properties.virtualNetworks\n | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id)\n )\n on vNetId\n| where isempty(ddosProtectionPlanId)\n| project recommendationId = \"1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d\", name, id = firewallId, tags, param1 = strcat(\"vNet: \", vNetName), param2 = \"ddosProtection: Disabled\"\n"
},
{
@@ -6547,7 +6973,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "3a63560a-1ed3-6140-acd1-d1d23f9a2e12",
- "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -6576,7 +7004,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "d2e4a38e-2307-4299-a217-4c0cebc9a7f6",
- "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under development\n\n"
},
{
@@ -6609,7 +7039,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "8faace2d-a36e-425c-aa58-2ad99e3e0b7a",
- "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under development\n\n"
},
{
@@ -6638,7 +7070,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "f6a14b32-a727-4ace-b5fa-7b1c6bdff402",
- "source": "azure-resources/Network/connections/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/connections/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -6667,7 +7101,9 @@
"severity": "High",
"category": "High Availability",
"guid": "a5f3a4bd-4cf1-4196-a3cb-f5a0876198b2",
- "source": "azure-resources/Network/connections/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/connections/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -6696,7 +7132,9 @@
"severity": "Medium",
"category": "Security",
"guid": "ae054bf2-aefa-cf4a-8282-741194cef8da",
- "source": "azure-resources/Network/ddosProtectionPlans/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/ddosProtectionPlans/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -6725,7 +7163,9 @@
"severity": "High",
"category": "High Availability",
"guid": "4d703025-dafc-f840-a183-5dc440456134",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -6758,7 +7198,9 @@
"severity": "High",
"category": "High Availability",
"guid": "0e19cc41-8274-1342-b0db-0e4146eacef8",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6787,7 +7229,9 @@
"severity": "High",
"category": "High Availability",
"guid": "f06a2bbe-5839-d447-9f39-fc3d20562d88",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6816,7 +7260,9 @@
"severity": "High",
"category": "High Availability",
"guid": "2a5bf650-586d-db4c-a292-d922be7d3e0e",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -6845,7 +7291,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "9771a435-d031-814e-9827-9b5fdafc0f87",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -6874,7 +7322,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "26cb547f-aabc-dc40-be02-d0a9b6b04b1a",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -6903,7 +7353,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "f902cf86-2b53-2942-abc2-781f4fb62be6",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -6932,9 +7384,73 @@
"severity": "Medium",
"category": "Scalability",
"guid": "d40c769d-2f08-4980-8d8f-a386946276e6",
- "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all the ExpressRoute circuits (Direct Based) that have Direct Port Rate Limiting disabled\nresources\n| where type =~ \"microsoft.network/expressroutecircuits\"\n| where properties.expressRoutePort != \"\" or isnotnull(properties.expressRoutePort)\n| where properties.enableDirectPortRateLimit == false\n| project recommendationId = \"d40c769d-2f08-4980-8d8f-a386946276e6\", name, id, tags, param1=strcat(\"enableDirectPortRateLimit: \",properties.enableDirectPortRateLimit)\n"
},
+ {
+ "description": "To increase reliability, it's advised that each v-Hub's ExpressRoute gateway connects to at least two circuits, with each circuit originating from a different peering location than the other, ensuring diverse connectivity paths for enhanced resilience.|",
+ "aprlGuid": "9987c813-d687-4163-a511-95f31bc5e536",
+ "recommendationTypeId": null,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationResourceType": "Microsoft.Network/expressRouteGateways",
+ "recommendationMetadataState": "Active",
+ "longDescription": "To increase reliability, it's advised that each v-Hub's ExpressRoute gateway connects to at least two circuits, with each circuit originating from a different peering location than the other, ensuring diverse connectivity paths for enhanced resilience.|",
+ "potentialBenefits": "Enhance resiliency for Azure Service",
+ "pgVerified": false,
+ "publishedToLearn": false,
+ "publishedToAdvisor": false,
+ "automationAvailable": false,
+ "tags": null,
+ "learnMoreLink": [
+ {
+ "name": "Designing for disaster recovery with ExpressRoute private peering",
+ "url": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering"
+ }
+ ],
+ "service": "Microsoft.Network/expressRouteGateways",
+ "text": "Connect v-Hub's ExpressRoute gateway to circuits from diverse peering locations for resilience",
+ "severity": "High",
+ "category": "High Availability",
+ "guid": "9987c813-d687-4163-a511-95f31bc5e536",
+ "sourceFile": "azure-resources/Network/expressRouteGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
+ "graph": "// under-development\n"
+ },
+ {
+ "description": "Set up monitoring and alerts for Virtual WAN Express Route Gateway. Create alert rule for ensuring promptly response to critical events such as exceeding packets per second, exceeding BGP routes prefixes, Gateway overutilization and high frequency in route changes.",
+ "aprlGuid": "17e8d380-e4b4-41a1-9b37-2e4df9fd5125",
+ "recommendationTypeId": null,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationResourceType": "Microsoft.Network/expressRouteGateways",
+ "recommendationMetadataState": "Active",
+ "longDescription": "Set up monitoring and alerts for Virtual WAN Express Route Gateway. Create alert rule for ensuring promptly response to critical events such as exceeding packets per second, exceeding BGP routes prefixes, Gateway overutilization and high frequency in route changes.",
+ "potentialBenefits": "Detection and mitigation to avoid disruptions.",
+ "pgVerified": false,
+ "publishedToLearn": false,
+ "publishedToAdvisor": false,
+ "automationAvailable": false,
+ "tags": null,
+ "learnMoreLink": [
+ {
+ "name": "Virtual WAN Monitoring Best Practices",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#expressroute-gateway"
+ }
+ ],
+ "service": "Microsoft.Network/expressRouteGateways",
+ "text": "Monitor health for v-Hub's ExpressRoute gateway",
+ "severity": "High",
+ "category": "Monitoring and Alerting",
+ "guid": "17e8d380-e4b4-41a1-9b37-2e4df9fd5125",
+ "sourceFile": "azure-resources/Network/expressRouteGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
+ "graph": "// under-development\n"
+ },
{
"description": "In Azure ExpressRoute Direct, the \"Admin State\" indicates the administrative status of layer 1 links, showing if a link is enabled or disabled, effectively turning the physical port on or off.\n",
"aprlGuid": "60077378-7cb1-4b35-89bb-393884d9921d",
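Review bot: The new expressRouteGateways entry for guid 9987c813-d687-4163-a511-95f31bc5e536 ends both `description` and `longDescription` with a stray `|` (`...enhanced resilience.|`), which looks like a YAML block-scalar indicator that leaked into the text rather than intended content. Since this file appears to be generated, the fix belongs in the source recommendations.yaml, and the generator could reasonably reject or strip a trailing `|` so it does not reach consumers. The second entry (guid 17e8d380-e4b4-41a1-9b37-2e4df9fd5125) reads "ensuring promptly response", which should be "ensuring a prompt response", and uses "Express Route" where the rest of the file writes "ExpressRoute". Separately, every entry in this diff carries the same `"timestamp": "July 24, 2024"`, so the field reads as a build date rather than a last-changed date; if consumers will treat it as the latter, naming it accordingly or deriving it from the source commit would avoid confusion.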
@@ -6961,7 +7477,9 @@
"severity": "High",
"category": "High Availability",
"guid": "60077378-7cb1-4b35-89bb-393884d9921d",
- "source": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Express Route Directs that do not have Admin State of both Links Enabled\nresources\n| where type == \"microsoft.network/expressrouteports\"\n| where properties['links'][0]['properties']['adminState'] == \"Disabled\" or properties['links'][1]['properties']['adminState'] == \"Disabled\"\n| project recommendationId = \"60077378-7cb1-4b35-89bb-393884d9921d\", name, id, tags, param1 = strcat(\"Link1AdminState: \", properties['links'][0]['properties']['adminState']), param2 = strcat(\"Link2AdminState: \", properties['links'][1]['properties']['adminState'])\n\n"
},
{
@@ -6990,7 +7508,9 @@
"severity": "High",
"category": "Scalability",
"guid": "0bee356b-7348-4799-8cab-0c71ffe13018",
- "source": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Express Route Directs that are over subscribed\nresources\n| where type == \"microsoft.network/expressrouteports\"\n| where toint(properties['provisionedBandwidthInGbps']) > toint(properties['bandwidthInGbps'])\n| project recommendationId = \"0bee356b-7348-4799-8cab-0c71ffe13018\", name, id, tags, param1 = strcat(\"provisionedBandwidthInGbps: \", properties['provisionedBandwidthInGbps']), param2 = strcat(\"bandwidthInGbps: \", properties['bandwidthInGbps'])\n\n"
},
{
@@ -7019,7 +7539,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "55815823-d588-4cb7-a5b8-ae581837356e",
- "source": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n"
},
{
@@ -7060,7 +7582,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "d0cfe47f-686b-5043-bf83-5a3868acb80a",
- "source": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -7093,7 +7617,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "537b4d94-edd1-4041-b13d-8217dfa485f0",
- "source": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -7126,7 +7652,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "5357ae22-0f52-1a49-9fd4-1f00ace6add0",
- "source": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -7159,7 +7687,9 @@
"severity": "High",
"category": "High Availability",
"guid": "38c3bca1-97a1-eb42-8cd3-838b243f35ba",
- "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all LoadBalancers using Basic SKU\nresources\n| where type =~ 'Microsoft.Network/loadBalancers'\n| where sku.name == 'Basic'\n| project recommendationId = \"38c3bca1-97a1-eb42-8cd3-838b243f35ba\", name, id, tags, Param1=strcat(\"sku-tier: basic\")\n\n"
},
{
@@ -7188,7 +7718,9 @@
"severity": "High",
"category": "High Availability",
"guid": "6d82d042-6d61-ad49-86f0-6a5455398081",
- "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool\nresources\n| where type =~ 'Microsoft.Network/loadBalancers'\n| extend bep = properties.backendAddressPools\n| extend BackEndPools = array_length(bep)\n| where BackEndPools == 0\n| project recommendationId = \"6d82d042-6d61-ad49-86f0-6a5455398081\", name, id, Param1=\"backendPools\", Param2=toint(0), tags\n| union (resources\n | where type =~ 'Microsoft.Network/loadBalancers'\n | where sku.name == \"Standard\"\n | extend bep = properties.backendAddressPools\n | extend BackEndPools = toint(array_length(bep))\n | mv-expand bip = properties.backendAddressPools\n | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses)\n | where toint(BackendAddresses) <= 1\n | project recommendationId = \"6d82d042-6d61-ad49-86f0-6a5455398081\", name, id, tags, Param1=\"backendAddresses\", Param2=toint(BackendAddresses))\n| union (\n resources\n | where type =~ 'Microsoft.Network/loadBalancers'\n | where sku.name == \"Basic\"\n | mv-expand properties.backendAddressPools\n | extend backendPoolId = properties_backendAddressPools.id\n | project id, name, tags, tostring(backendPoolId), recommendationId = \"6d82d042-6d61-ad49-86f0-6a5455398081\", Param1=\"BackEndPools\"\n | join kind = leftouter (\n resources\n | where type =~ \"Microsoft.Network/networkInterfaces\"\n | mv-expand properties.ipConfigurations\n | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools\n | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id)\n | summarize poolMembers = count() by backendPoolId\n | project tostring(backendPoolId), poolMembers ) on backendPoolId\n | where toint(poolMembers) <= 1\n | extend BackendAddresses = poolMembers\n | project id, name, tags, recommendationId, Param1=\"backendAddresses\", Param2=toint(BackendAddresses))\n"
},
{
@@ -7217,7 +7749,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "8d319a05-677b-944f-b9b4-ca0fb42e883c",
- "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all LoadBalancers with Outbound rules configured\nresources\n| where type =~ 'Microsoft.Network/loadBalancers'\n| extend outboundRules = array_length(properties.outboundRules)\n| where outboundRules > 0\n| project recommendationId = \"8d319a05-677b-944f-b9b4-ca0fb42e883c\", name, id, tags, Param1 = \"outboundRules: >=1\"\n\n"
},
{
@@ -7246,7 +7780,9 @@
"severity": "High",
"category": "High Availability",
"guid": "621dbc78-3745-4d32-8eac-9e65b27b7512",
- "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all LoadBalancers with with regional or zonal public IP Addresses\nresources\n| where type == \"microsoft.network/loadbalancers\"\n| where tolower(sku.name) != 'basic'\n| mv-expand feIPconfigs = properties.frontendIPConfigurations\n| extend\n feConfigName = (feIPconfigs.name),\n PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id),\n PrivateIPZones = feIPconfigs.zones,\n PIPid = toupper(feIPconfigs.properties.publicIPAddress.id),\n JoinID = toupper(id)\n| where isnotempty(PrivateSubnetId)\n| where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2\n| project name, feConfigName, id\n| union (resources\n | where type == \"microsoft.network/loadbalancers\"\n | where tolower(sku.name) != 'basic'\n | mv-expand feIPconfigs = properties.frontendIPConfigurations\n | extend\n feConfigName = (feIPconfigs.name),\n PIPid = toupper(feIPconfigs.properties.publicIPAddress.id),\n JoinID = toupper(id)\n | where isnotempty(PIPid)\n | join kind=innerunique (\n resources\n | where type == \"microsoft.network/publicipaddresses\"\n | where isnull(zones) or array_length(zones) < 2\n | extend\n LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))),\n InnerID = toupper(id)\n ) on $left.PIPid == $right.InnerID)\n| project recommendationId = \"621dbc78-3745-4d32-8eac-9e65b27b7512\", name, id, tags, param1=\"Zones: No Zone or Zonal\", param2=strcat(\"Frontend IP Configuration:\", \" \", feConfigName)\n\n"
},
{
@@ -7275,7 +7811,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "e5f5fcea-f925-4578-8599-9a391e888a60",
- "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// List the load balancers which don't have health probe configured\nresources\n| where type =~ \"microsoft.network/loadbalancers\"\n| where array_length(properties.probes) == 0\n| project recommendationId=\"e5f5fcea-f925-4578-8599-9a391e888a60\", name, id, tags, param1=\"customHealthProbeUsed: false\"\n"
},
{
@@ -7308,7 +7846,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "4281631c-3d19-4994-8d96-084c2a51a534",
- "source": "azure-resources/Network/natGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/natGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7341,7 +7881,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "babf75d6-6407-4d90-b01e-5a1768e621f5",
- "source": "azure-resources/Network/natGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/natGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7370,7 +7912,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "419df1ea-336b-460a-b6b2-fefe2588fcef",
- "source": "azure-resources/Network/natGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/natGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7399,7 +7943,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "d2976d3e-294b-4b49-a1f0-c42566a3758f",
- "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7428,7 +7974,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "8bb4a57b-55e4-d24e-9c19-2679d8bc779f",
- "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Network Security Groups without alerts for modification configured.\nresources\n| where type =~ \"Microsoft.Network/networkSecurityGroups\"\n| project name, id, tags, lowerCaseNsgId = tolower(id)\n| join kind = leftouter (\n resources\n | where type =~ \"Microsoft.Insights/activityLogAlerts\" and properties.enabled == true\n | mv-expand scope = properties.scopes\n | where scope has \"Microsoft.Network/networkSecurityGroups\"\n | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope\n | where conditionJson has '\"Administrative\"' and (\n // Create or Update Network Security Group\n (conditionJson has '\"Microsoft.Network/networkSecurityGroups/write\"') or\n // All administrative operations\n (conditionJson !has '\"Microsoft.Network/networkSecurityGroups/write\"' and conditionJson !has '\"Microsoft.Network/networkSecurityGroups/delete\"' and conditionJson !has '\"Microsoft.Network/networkSecurityGroups/join/action\"')\n )\n | project lowerCaseNsgIdOfScope = tolower(scope)\n )\n on $left.lowerCaseNsgId == $right.lowerCaseNsgIdOfScope\n| where isempty(lowerCaseNsgIdOfScope)\n| project recommendationId = \"8bb4a57b-55e4-d24e-9c19-2679d8bc779f\", name, id, tags, param1 = \"ModificationAlert: Not configured/Disabled\"\n\n"
},
{
@@ -7457,7 +8005,9 @@
"severity": "Low",
"category": "Governance",
"guid": "52ac35e8-9c3e-f84d-8ce8-2fab955333d3",
- "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7486,7 +8036,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "da1a3c06-d1d5-a940-9a99-fcc05966fe7c",
- "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Network Security Groups without NSG Flow logs configured or disabled.\nresources\n| where type =~ \"Microsoft.Network/networkSecurityGroups\"\n| project name, id, tags, lowerCaseNsgId = tolower(id)\n| join kind = leftouter (\n resources\n | where type == \"microsoft.network/networkwatchers/flowlogs\" and properties.enabled == true\n | project flowLogName = name, lowerCaseTargetNsgId = tolower(properties.targetResourceId)\n )\n on $left.lowerCaseNsgId == $right.lowerCaseTargetNsgId\n| where isempty(lowerCaseTargetNsgId)\n| project recommendationId = \"da1a3c06-d1d5-a940-9a99-fcc05966fe7c\", name, id, tags, param1 = \"NSGFlowLog: Not configured/Disabled\"\n\n"
},
{
@@ -7515,7 +8067,9 @@
"severity": "Medium",
"category": "Security",
"guid": "8291c1fa-650c-b44b-b008-4deb7465919d",
- "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all NSGs that have NO security rules\nresources\n| where type =~ \"microsoft.network/networksecuritygroups\"\n| extend sr = string_size(properties.securityRules)\n| where sr <=2 or isnull(properties.securityRules)\n| project recommendationId = \"8291c1fa-650c-b44b-b008-4deb7465919d\", name, id\n\n"
},
{
@@ -7544,7 +8098,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "4e133bd0-8762-bc40-a95b-b29142427d73",
- "source": "azure-resources/Network/networkWatchers/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/networkWatchers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all locations that do not have a Network Watcher deployed\nresources\n| where location != \"global\"\n| union (Resources\n | where type =~ \"microsoft.network/networkwatchers\")\n| summarize NetworkWatcherCount = countif(type =~ 'Microsoft.Network/networkWatchers') by location\n| where NetworkWatcherCount == 0\n| project recommendationId = \"4e133bd0-8762-bc40-a95b-b29142427d73\", name=location, id=\"n/a\", param1 = strcat(\"LocationMisingNetworkWatcher:\", location)\n\n"
},
{
@@ -7573,9 +8129,72 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "22a769ed-0ecb-8b49-bafe-8f52e6373d9c",
- "source": "azure-resources/Network/networkWatchers/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/networkWatchers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all Network Watcher Flow Logs that are not enabled or in a succeeded state\nresources\n| where type =~ \"microsoft.network/networkwatchers/flowlogs\" and isnotnull(properties)\n| extend targetResourceId = tostring(properties.targetResourceId)\n| extend status = iff(properties.enabled =~ 'true', \"Enabled\", \"Disabled\")\n| extend provisioningState = tostring(properties.provisioningState)\n| extend flowLogType = iff(properties.targetResourceId contains \"Microsoft.Network/virtualNetworks\", 'Virtual network', 'Network security group')\n| where provisioningState != \"Succeeded\" or status != \"Enabled\"\n| project recommendationId = \"22a769ed-0ecb-8b49-bafe-8f52e6373d9c\", name, id, tags, param1 = strcat(\"provisioningState:\", provisioningState), param2=strcat(\"Status:\", status), param3=strcat(\"targetResourceId:\",targetResourceId), param4=strcat(\"flowLogType:\",flowLogType)\n\n"
},
+ {
+ "description": "Improves monitoring for Azure and Hybrid connectivity\n",
+ "aprlGuid": "1e28bbc1-1eb7-486f-8d7f-93943f40219c",
+ "recommendationTypeId": null,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationResourceType": "Microsoft.Network/networkWatchers",
+ "recommendationMetadataState": "Active",
+ "longDescription": "Improves monitoring for Azure and Hybrid connectivity\n",
+ "potentialBenefits": "Improves monitoring for Azure and Hybrid connectivity",
+ "pgVerified": true,
+ "publishedToLearn": false,
+ "publishedToAdvisor": false,
+ "automationAvailable": "arg",
+ "tags": null,
+ "learnMoreLink": [
+ {
+ "name": "Connection monitor overview",
+ "url": "https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview"
+ }
+ ],
+ "service": "Microsoft.Network/networkWatchers",
+ "text": "Configure Network Watcher Connection monitor",
+ "severity": "High",
+ "category": "Monitoring and Alerting",
+ "guid": "1e28bbc1-1eb7-486f-8d7f-93943f40219c",
+ "sourceFile": "azure-resources/Network/networkWatchers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024"
+ },
+ {
+ "description": "Set up monitoring and alerts for Point-to-Site VPN gateways. Create alert rule for ensuring promptly response to critical events such as Gateway overutilization, connection count limits and User VPN route limits.",
+ "aprlGuid": "fd43ea32-2ccf-49a8-ada4-9a78794e3ff1",
+ "recommendationTypeId": null,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationResourceType": "Microsoft.Network/p2sVpnGateways",
+ "recommendationMetadataState": "Active",
+ "longDescription": "Set up monitoring and alerts for Point-to-Site VPN gateways. Create alert rule for ensuring promptly response to critical events such as Gateway overutilization, connection count limits and User VPN route limits.",
+ "potentialBenefits": "Detection and mitigation to avoid disruptions.",
+ "pgVerified": false,
+ "publishedToLearn": false,
+ "publishedToAdvisor": false,
+ "automationAvailable": false,
+ "tags": null,
+ "learnMoreLink": [
+ {
+ "name": "Virtual WAN Monitoring Best Practices",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#point-to-site-vpn-gateway"
+ }
+ ],
+ "service": "Microsoft.Network/p2sVpnGateways",
+ "text": "Monitor health for v-Hub's Point-to-Site VPN gateways",
+ "severity": "High",
+ "category": "Monitoring and Alerting",
+ "guid": "fd43ea32-2ccf-49a8-ada4-9a78794e3ff1",
+ "sourceFile": "azure-resources/Network/p2sVpnGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
+ "graph": "// under-development\n"
+ },
{
"description": "Private DNS zones and records are critical and their deletion can cause service outages. To protect against unauthorized or accidental changes, the Private DNS Zone Contributor role, a built-in role for managing these resources, should be assigned to specific users or groups.\n",
"aprlGuid": "2820f6d6-a23c-7a40-aec5-506f3bd1aeb6",
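Review bot: The new networkWatchers entry (guid 1e28bbc1-…, ending at the `"timestamp"` line) has no `"graph"` key, even though its `"automationAvailable"` is `"arg"`, while the neighbouring p2sVpnGateways entry in this hunk carries `"graph": "// under-development\n"`; the same omission appears in the virtualHubs entry (guid 30ec8a5e-…) of the hunk starting `@@ -8003,9 +8648,41 @@`. Every other record in this file has a `graph` value, so a consumer that reads `item["graph"]` without a default will fail on exactly these two records, and the `"arg"` flag on the first one promises a query that is not there. If this file is generated from the per-service yaml (the `sourceFile` values suggest so), the fix belongs upstream: either add the query or emit `"graph": "// under-development\n"` so the schema stays uniform. Separately, the new `"timestamp": "July 24, 2024"` is a locale-formatted English date, so string comparison or sorting on it will not order by time; an ISO 8601 value such as `"timestamp": "2024-07-24"` would be unambiguous for downstream tooling.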
@@ -7602,7 +8221,9 @@
"severity": "Medium",
"category": "Security",
"guid": "2820f6d6-a23c-7a40-aec5-506f3bd1aeb6",
- "source": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7631,7 +8252,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "ab896e8c-49b9-2c44-adec-98339aff7821",
- "source": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7660,7 +8283,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "1e02335c-1f90-fd4e-a5a5-d359c7b22d70",
- "source": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7689,7 +8314,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7",
- "source": "azure-resources/Network/privateEndpoints/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/privateEndpoints/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all Private Endpoints that are not in a Succeeded state\nresources\n| where type =~ \"microsoft.network/privateendpoints\"\n| where (properties.provisioningState =~ \"Succeeded\" and (properties.privateLinkServiceConnections[0].properties.provisioningState =~ \"Succeeded\" or properties.manualPrivateLinkServiceConnections[0].properties.provisioningState =~ \"Succeeded\")) == false\n| project recommendationId = \"b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7\", name, id, tags, param1 = strcat(\"provisioningState: \", tostring(properties.provisioningState)), param2 = strcat(\"provisioningState: \", tostring(properties.privateLinkServiceConnections[0].properties.provisioningState)), param3 = strcat(\"manualProvisioningState: \", tostring(properties.manualPrivateLinkServiceConnections[0].properties.provisioningState))\n"
},
{
@@ -7722,7 +8349,9 @@
"severity": "High",
"category": "High Availability",
"guid": "c63b81fb-7afc-894c-a840-91bb8a8dcfaf",
- "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph query\n// List public IP addresses that are not Zone-Redundant\nResources\n| where type =~ \"Microsoft.Network/publicIPAddresses\" and sku.tier =~ \"Regional\"\n| where isempty(zones) or array_length(zones) <= 1\n| extend az = case(isempty(zones), \"Non-zonal\", array_length(zones) <= 1, strcat(\"Zonal (\", strcat_array(zones, \",\"), \")\"), zones)\n| project recommendationId = \"c63b81fb-7afc-894c-a840-91bb8a8dcfaf\", name, id, tags, param1 = strcat(\"sku: \", sku.name), param2 = strcat(\"availabilityZone: \", az)\n\n"
},
{
@@ -7755,7 +8384,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "1adba190-5c4c-e646-8527-dd1b2a6d8b15",
- "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph query\n// Lists VMs with PIPs\nresources\n| where type =~ 'Microsoft.Network/publicIPAddresses'\n| where tostring(properties.ipConfiguration.id) contains \"microsoft.network/networkinterfaces\"\n| project recommendationId=\"1adba190-5c4c-e646-8527-dd1b2a6d8b15\", name, id, tags, param1=strcat(\"Migrate from instance IP to NAT Gateway\")\n\n"
},
{
@@ -7788,7 +8419,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "5cea1501-6fe4-4ec4-ac8f-f72320eb18d3",
- "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph query\n// List Basic SKU public IP addresses\nResources\n| where type =~ \"Microsoft.Network/publicIPAddresses\"\n| where sku.name =~ \"Basic\"\n| project recommendationId = \"5cea1501-6fe4-4ec4-ac8f-f72320eb18d3\", name, id, tags, param1 = strcat(\"sku: \", sku.name)\n\n"
},
{
@@ -7817,7 +8450,9 @@
"severity": "Medium",
"category": "Security",
"guid": "c4254c66-b8a5-47aa-82f6-e7d7fb418f47",
- "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph query\n// Public IP addresses should have DDoS protection enabled\nresources\n| where type =~ 'Microsoft.Network/publicIPAddresses'\n| where properties.ddosSettings.protectionMode !in~ (\"Enabled\", \"VirtualNetworkInherited\")\n| project recommendationId=\"c4254c66-b8a5-47aa-82f6-e7d7fb418f47\", name, id, tags, param1=strcat(\"Apply either DDoS Network protection or DDoS IP Protrection to the public IP address.\")\n"
},
{
@@ -7846,7 +8481,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "23b2dfc7-7e5d-9443-9f62-980ca621b561",
- "source": "azure-resources/Network/routeTables/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/routeTables/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Route Tables without alerts for modification configured.\nresources\n| where type =~ \"Microsoft.Network/routeTables\"\n| project name, id, tags, lowerCaseRouteTableId = tolower(id)\n| join kind = leftouter (\n resources\n | where type =~ \"Microsoft.Insights/activityLogAlerts\" and properties.enabled == true\n | mv-expand scope = properties.scopes\n | where scope has \"Microsoft.Network/routeTables\"\n | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope\n | where conditionJson has '\"Administrative\"' and (\n // Create or Update Route Table\n (conditionJson has '\"Microsoft.Network/routeTables/write\"') or\n // All Administrative operations\n (conditionJson !has '\"Microsoft.Network/routeTables/write\"' and conditionJson !has '\"Microsoft.Network/routeTables/delete\"' and conditionJson !has '\"Microsoft.Network/routeTables/join/action\"')\n )\n | project lowerCaseRouteTableIdOfScope = tolower(scope)\n )\n on $left.lowerCaseRouteTableId == $right.lowerCaseRouteTableIdOfScope\n| where isempty(lowerCaseRouteTableIdOfScope)\n| project recommendationId = \"23b2dfc7-7e5d-9443-9f62-980ca621b561\", name, id, tags, param1 = \"ModificationAlert: Not configured/Disabled\"\n\n"
},
{
@@ -7875,7 +8512,9 @@
"severity": "Low",
"category": "Governance",
"guid": "89d1166a-1a20-0f46-acc8-3194387bf127",
- "source": "azure-resources/Network/routeTables/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/routeTables/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -7912,7 +8551,9 @@
"severity": "High",
"category": "High Availability",
"guid": "f05a3e6d-49db-2740-88e2-2b13706c1f67",
- "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find traffic manager profiles that have an endpoint monitor status of not 'Online'\nresources\n| where type == \"microsoft.network/trafficmanagerprofiles\"\n| mv-expand properties.endpoints\n| where properties_endpoints.properties.endpointMonitorStatus != \"Online\"\n| project recommendationId = \"f05a3e6d-49db-2740-88e2-2b13706c1f67\", name, id, tags, param1 = strcat('Profile name: ',properties_endpoints.name), param2 = strcat('endpointMonitorStatus: ', properties_endpoints.properties.endpointMonitorStatus)\n\n"
},
{
@@ -7941,7 +8582,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "5b422a7f-8caa-3d48-becb-511599e5bba9",
- "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find traffic manager profiles that have less than 2 endpoints\nresources\n| where type == \"microsoft.network/trafficmanagerprofiles\"\n| where array_length(properties.endpoints) < 2\n| project recommendationId = \"5b422a7f-8caa-3d48-becb-511599e5bba9\", name, id, tags, param1 = strcat('EndpointCount: ', array_length(properties.endpoints))\n\n"
},
{
@@ -7970,7 +8613,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "1ad9d7b7-9692-1441-a8f4-93792efbe97a",
- "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -8003,9 +8648,41 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "c31f76a0-48cd-9f44-aa43-99ee904db9bc",
- "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Traffic Manager resources that are not confirgured for all-World access\nResources\n| where type == 'microsoft.network/trafficmanagerprofiles'\n| where properties.trafficRoutingMethod =~ \"Geographic\"\n| extend endpoints = properties.endpoints\n| mv-expand endpoint = endpoints\n| where endpoint.properties.geoMapping !contains \"WORLD\"\n| extend endpointName = endpoint.name\n| project recommendationId=\"c31f76a0-48cd-9f44-aa43-99ee904db9bc\", name, id, tags, param1=strcat(\"endpointName:\",endpointName), param2=strcat(\"GeoMapping:\", tostring(endpoint.properties.geoMapping))\n"
},
+ {
+ "description": "Set up monitoring and alerts for v-Hubs. Create alert rule for ensuring promptly response to changes in BGP status and Data processed by v-Hubs.",
+ "aprlGuid": "30ec8a5e-46de-4323-87e9-a7c56b72813b",
+ "recommendationTypeId": null,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationResourceType": "Microsoft.Network/virtualHubs",
+ "recommendationMetadataState": "Active",
+ "longDescription": "Set up monitoring and alerts for v-Hubs. Create alert rule for ensuring promptly response to changes in BGP status and Data processed by v-Hubs.",
+ "potentialBenefits": "Detection and mitigation to avoid disruptions.",
+ "pgVerified": false,
+ "publishedToLearn": false,
+ "publishedToAdvisor": false,
+ "automationAvailable": false,
+ "tags": null,
+ "learnMoreLink": [
+ {
+ "name": "Virtual WAN Monitoring Best Practices",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#virtual-hub"
+ }
+ ],
+ "service": "Microsoft.Network/virtualHubs",
+ "text": "Monitor health for v-Hubs",
+ "severity": "Medium",
+ "category": "Monitoring and Alerting",
+ "guid": "30ec8a5e-46de-4323-87e9-a7c56b72813b",
+ "sourceFile": "azure-resources/Network/virtualHubs/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024"
+ },
{
"description": "To increase reliability, it's advised that each ExpressRoute gateway connects to at least two circuits, with each circuit originating from a different peering location than the other, ensuring diverse connectivity paths for enhanced resilience.\n",
"aprlGuid": "d37db635-157f-584d-9bce-4f6fc8c65ce5",
@@ -8032,7 +8709,9 @@
"severity": "High",
"category": "High Availability",
"guid": "d37db635-157f-584d-9bce-4f6fc8c65ce5",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of ExpressRoute Gateways that are not connected to two or more ExpressRoute Circuits. Baremetal circuits are excluded from consideration\n//This query assumes that the running entity has visibilty to the gateway, connection, and circuit scopes.\n//Start with a full list of gateways\n(resources\n| where type == \"microsoft.network/virtualnetworkgateways\"\n| where properties.gatewayType == \"ExpressRoute\"\n| extend exrGatewayId = tolower(tostring(id))\n| join kind=inner(\nresources\n| where type == \"microsoft.network/virtualnetworkgateways\"\n| where properties.gatewayType == \"ExpressRoute\"\n| extend exrGatewayId = tolower(tostring(id))\n| join kind=leftouter(\n//connections joined with circuit peer info\nresources\n| where type == \"microsoft.network/connections\"\n| extend connectionType = properties.connectionType\n| extend exrGatewayId = tolower(tostring(properties.virtualNetworkGateway1.id))\n| extend peerId = tolower(tostring(properties.peer.id))\n| extend connectionId = tolower(tostring(id))\n| where connectionType == \"ExpressRoute\"\n| join kind=leftouter(\n resources\n | where type == \"microsoft.network/expressroutecircuits\"\n //should this be location instead of peeringLocation\n | extend circuitId = tolower(tostring(id))\n | extend peeringLocation = tostring(properties.serviceProviderProperties.peeringLocation)\n | extend peerId = tolower(id)\n) on peerId ) on exrGatewayId\n//remove bare metal services connections/circuits\n| where not(isnotnull(connectionId) and isnull(sku1))\n//group by gateway ID's and peering locations\n| summarize by exrGatewayId, peeringLocation\n//summarize to connections with fewer than two unique connections\n| summarize connCount = count() by exrGatewayId\n| where connCount < 2) on exrGatewayId\n| project recommendationId = \"d37db635-157f-584d-9bce-4f6fc8c65ce5\", name, id, tags, param1 = \"twoOrMoreCircuitsConnectedFromDifferentPeeringLocations: false\")\n| 
union\n(\nresources\n| where type == \"microsoft.network/virtualnetworkgateways\"\n| where properties.gatewayType == \"ExpressRoute\"\n| extend exrGatewayId = tolower(tostring(id))\n| join kind=leftouter(\n//connections joined with circuit peer info\nresources\n| where type == \"microsoft.network/connections\"\n| extend connectionType = properties.connectionType\n| extend exrGatewayId = tolower(tostring(properties.virtualNetworkGateway1.id))\n| extend peerId = tolower(tostring(properties.peer.id))\n| extend connectionId = tolower(tostring(id))\n| where connectionType == \"ExpressRoute\") on exrGatewayId\n| where isnull(connectionType)\n| project recommendationId = \"d37db635-157f-584d-9bce-4f6fc8c65ce5\", name, id, tags, param1 = \"twoOrMoreCircuitsConnectedFromDifferentPeeringLocations: false\", param2 = \"noConnectionsOnGateway: true\"\n)\n\n"
},
{
@@ -8069,7 +8748,9 @@
"severity": "High",
"category": "High Availability",
"guid": "bbe668b7-eb5c-c746-8b82-70afdedf0cae",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// For all VNGs of type ExpressRoute, show any that do not have AZ in the SKU tier\nresources\n| where type =~ \"Microsoft.Network/virtualNetworkGateways\"\n| where properties.gatewayType == \"ExpressRoute\"\n| where properties.sku.tier !contains 'AZ'\n| project recommendationId = \"bbe668b7-eb5c-c746-8b82-70afdedf0cae\", name, id, tags, param1= strcat(\"sku-tier: \" , properties.sku.tier), param2=location\n| order by id asc\n\n"
},
{
@@ -8098,7 +8779,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "c0f23a92-d322-4d4d-97e9-a238b5e3bbb8",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -8131,7 +8814,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "1c34faa8-8b99-974c-adbf-71922eae943c",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n\n"
},
{
@@ -8160,7 +8845,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "194c14ac-0d7a-5a48-ae32-75fa450ee564",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -8189,7 +8876,9 @@
"severity": "High",
"category": "High Availability",
"guid": "3e115044-a3aa-433e-be01-ce17d67e50da",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Virtual Network Gateways without Maintenance Configurations\n\nresources\n| where type =~ \"Microsoft.Network/virtualNetworkGateways\"\n| extend resourceId = tolower(id)\n| join kind=leftouter (\n maintenanceresources\n | where type =~ \"Microsoft.Maintenance/configurationAssignments\"\n | project JsonData = parse_json(properties)\n | extend maintenanceConfigurationId = tolower(tostring(JsonData.maintenanceConfigurationId))\n | join kind=inner (\n resources\n | where type =~ \"Microsoft.Maintenance/maintenanceConfigurations\"\n | project maintenanceConfigurationId=tolower(id)\n ) on maintenanceConfigurationId\n | project maintenanceConfigurationId, resourceId=tolower(tostring(JsonData.resourceId))\n) on resourceId\n| where isempty(maintenanceConfigurationId)\n| project recommendationId = \"3e115044-a3aa-433e-be01-ce17d67e50da\", name, id, tags, param1= strcat(\"sku-tier: \" , properties.sku.tier), param2=location\n\n"
},
{
@@ -8226,7 +8915,9 @@
"severity": "High",
"category": "High Availability",
"guid": "5b1933a6-90e4-f642-a01f-e58594e5aab2",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// For all VNGs of type Vpn, show any that do not have AZ in the SKU tier\nresources\n| where type =~ \"Microsoft.Network/virtualNetworkGateways\"\n| where properties.gatewayType == \"Vpn\"\n| where properties.sku.tier !contains 'AZ'\n| project recommendationId = \"5b1933a6-90e4-f642-a01f-e58594e5aab2\", name, id, tags, param1= strcat(\"sku-tier: \" , properties.sku.tier), param2=location\n| order by id asc\n\n"
},
{
@@ -8259,7 +8950,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "281a2713-c0e0-3c48-b596-19f590c46671",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Identifies non-active-active VPN type virtual network gateways\nresources\n| where type =~ 'Microsoft.Network/virtualNetworkGateways'\n| where properties.gatewayType =~ \"vpn\"\n| extend gatewayType = properties.gatewayType, vpnType = properties.vpnType, connections = properties.connections, activeactive=properties.activeActive\n| where activeactive == false\n| project recommendationId = \"281a2713-c0e0-3c48-b596-19f590c46671\", name, id, tags\n\n\n"
},
{
@@ -8288,7 +8981,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "af11fc4c-c06c-4f4c-b98d-6eee6d5c4c70",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n\n"
},
{
@@ -8317,7 +9012,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "9eab120e-f6d3-ee49-ba0d-766562ce7df1",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -8350,7 +9047,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "9186dae0-7ddc-8f4b-bea5-55538cea4893",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n\n"
},
{
@@ -8379,7 +9078,9 @@
"severity": "High",
"category": "High Availability",
"guid": "4bae5a28-5cf4-40d9-bcf1-623d28f6d917",
- "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs\nresources\n| where type =~ \"Microsoft.Network/virtualNetworkGateways\"\n| where properties.gatewayType == \"Vpn\"\n| where properties.sku.tier contains 'AZ'\n| mv-expand ipconfig = properties.ipConfigurations\n| extend pipId = tostring(ipconfig.properties.publicIPAddress.id)\n| join kind=inner (\n resources\n | where type == \"microsoft.network/publicipaddresses\"\n | where isnull(zones) or array_length(zones) < 3 )\n on $left.pipId == $right.id\n| project recommendationId = \"4bae5a28-5cf4-40d9-bcf1-623d28f6d917\", name, id, tags, param1 = strcat(\"PublicIpAddressName: \", name1), param2 = strcat (\"PublicIpAddressId: \",id1), param3 = strcat (\"PublicIpAddressTags: \",tags1)\n\n"
},
{
@@ -8420,7 +9121,9 @@
"severity": "Low",
"category": "Security",
"guid": "f0bf9ae6-25a5-974d-87d5-025abec73539",
- "source": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Subnets without NSG associated\nresources\n| where type =~ 'Microsoft.Network/virtualnetworks'\n| mv-expand subnets = properties.subnets\n| extend sn = string_size(subnets.properties.networkSecurityGroup)\n| where sn == 0 and subnets.name !in (\"GatewaySubnet\", \"AzureFirewallSubnet\", \"AzureFirewallManagementSubnet\", \"RouteServerSubnet\")\n| project recommendationId = \"f0bf9ae6-25a5-974d-87d5-025abec73539\", name, id, tags, param1 = strcat(\"SubnetName: \", subnets.name), param2 = \"NSG: False\"\n\n"
},
{
@@ -8449,7 +9152,9 @@
"severity": "High",
"category": "Security",
"guid": "69ea1185-19b7-de40-9da1-9e8493547a5c",
- "source": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find virtual networks without DDoS Protection\nresources\n| where type =~ 'Microsoft.Network/virtualNetworks'\n| where isnull(properties.enableDdosProtection) or properties.enableDdosProtection contains \"false\"\n| project recommendationId = \"69ea1185-19b7-de40-9da1-9e8493547a5c\", name, id, tags, param1 = strcat(\"EnableDdosProtection: \", properties.enableDdosProtection)\n\n"
},
{
@@ -8486,18 +9191,51 @@
"severity": "Medium",
"category": "Security",
"guid": "24ae3773-cc2c-3649-88de-c9788e25b463",
- "source": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "sourceFile": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find Subnets with Service Endpoint enabled for services that offer Private Link\nresources\n| where type =~ 'Microsoft.Network/virtualnetworks'\n| mv-expand subnets = properties.subnets\n| extend se = array_length(subnets.properties.serviceEndpoints)\n| where se >= 1\n| project name, id, tags, subnets, serviceEndpoints=todynamic(subnets.properties.serviceEndpoints)\n| mv-expand serviceEndpoints\n| project name, id, tags, subnetName=subnets.name, serviceName=tostring(serviceEndpoints.service)\n| where serviceName in (parse_json('[\"Microsoft.CognitiveServices\",\"Microsoft.AzureCosmosDB\",\"Microsoft.DBforMariaDB\",\"Microsoft.DBforMySQL\",\"Microsoft.DBforPostgreSQL\",\"Microsoft.EventHub\",\"Microsoft.KeyVault\",\"Microsoft.ServiceBus\",\"Microsoft.Sql\", \"Microsoft.Storage\",\"Microsoft.StorageSync\",\"Microsoft.Synapse\",\"Microsoft.Web\"]'))\n| project recommendationId = \"24ae3773-cc2c-3649-88de-c9788e25b463\", name, id, tags, param1 = strcat(\"subnet=\", subnetName), param2=strcat(\"serviceName=\",serviceName), param3=\"ServiceEndpoints=true\"\n\n"
},
{
- "description": "ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.\n",
+ "description": "Set up monitoring and alerts for v-Hub's VPN Gateway. Create alert rule for ensuring promptly response to critical events such as packet drop counts, BGP status, Gateway overutilization.",
+ "aprlGuid": "f0d4f766-ac19-48c4-b228-4601cc038baa",
+ "recommendationTypeId": null,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationResourceType": "Microsoft.Network/vpnGateways",
+ "recommendationMetadataState": "Active",
+ "longDescription": "Set up monitoring and alerts for v-Hub's VPN Gateway. Create alert rule for ensuring promptly response to critical events such as packet drop counts, BGP status, Gateway overutilization.",
+ "potentialBenefits": "Detection and mitigation to avoid disruptions.",
+ "pgVerified": false,
+ "publishedToLearn": false,
+ "publishedToAdvisor": false,
+ "automationAvailable": false,
+ "tags": null,
+ "learnMoreLink": [
+ {
+ "name": "Virtual WAN Monitoring Best Practices",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#virtual-wan-gateways"
+ }
+ ],
+ "service": "Microsoft.Network/vpnGateways",
+ "text": "Monitor gateway for Site-to-site v-Hub's VPN gateway",
+ "severity": "High",
+ "category": "Monitoring and Alerting",
+ "guid": "f0d4f766-ac19-48c4-b228-4601cc038baa",
+ "sourceFile": "azure-resources/Network/vpnGateways/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
+ "graph": "// under-development\n"
+ },
+ {
+ "description": "ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct or Service-Provider based circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.\n",
"aprlGuid": "1ceea4b5-1d8b-4be0-9bbe-9594557be51a",
"recommendationTypeId": null,
"recommendationControl": "Monitoring and Alerting",
"recommendationImpact": "Medium",
"recommendationResourceType": "Microsoft.NetworkFunction/azureTrafficCollectors",
"recommendationMetadataState": "Active",
- "longDescription": "ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.\n",
+ "longDescription": "ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct or Service-Provider based circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.\n",
"potentialBenefits": "Enhanced network flow analysis and DR readiness",
"pgVerified": true,
"publishedToLearn": false,
@@ -8511,11 +9249,13 @@
}
],
"service": "Microsoft.NetworkFunction/azureTrafficCollectors",
- "text": "Ensure ExpressRoute Traffic Collector is enabled and configured for ExpressRoute Direct circuits",
+ "text": "Ensure ExpressRoute Traffic Collector is enabled and configured for Direct or Provider circuits",
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "1ceea4b5-1d8b-4be0-9bbe-9594557be51a",
- "source": "azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml",
+ "sourceFile": "azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -8548,7 +9288,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "b36fd2ac-dd83-664a-ab48-ff7b8d3b189d",
- "source": "azure-resources/OperationalInsights/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/OperationalInsights/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -8581,7 +9323,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "4b77191c-cc3c-8c4e-844b-0f56d0927890",
- "source": "azure-resources/OperationalInsights/workspaces/recommendations.yaml",
+ "sourceFile": "azure-resources/OperationalInsights/workspaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -8610,7 +9354,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "e93bb813-b356-48f3-9bdf-a06a0a6ba039",
- "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -8639,7 +9385,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "17e877f7-3a89-4205-8a24-0670de54ddcd",
- "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all VMs where replication has been enabled but Test Failover was never performed\nrecoveryservicesresources\n| where type == \"microsoft.recoveryservices/vaults/replicationfabrics/replicationprotectioncontainers/replicationprotecteditems\"\n| where properties.providerSpecificDetails.dataSourceInfo.datasourceType == 'AzureVm' and isnull(properties.lastSuccessfulTestFailoverTime)\n| project recommendationId=\"17e877f7-3a89-4205-8a24-0670de54ddcd\" , name = properties.providerSpecificDetails.recoveryAzureVMName, id=properties.providerSpecificDetails.dataSourceInfo.resourceId\n\n"
},
{
@@ -8672,7 +9420,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "2912472d-0198-4bdc-aa90-37f145790edc",
- "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This Resource Graph query will return all Recovery services vault with Classic alerts enabled.\nresources\n| where type in~ ('microsoft.recoveryservices/vaults')\n| extend monitoringSettings = parse_json(properties).monitoringSettings\n| extend isUsingClassicAlerts = case(isnull(monitoringSettings),'Enabled',monitoringSettings.classicAlertSettings.alertsForCriticalOperations)\n| extend isUsingJobsAlerts = case(isnull(monitoringSettings), 'Enabled', monitoringSettings.azureMonitorAlertSettings.alertsForAllJobFailures)\n| where isUsingClassicAlerts == 'Enabled'\n| project recommendationId = \"2912472d-0198-4bdc-aa90-37f145790edc\", name, id, tags, param1=strcat(\"isUsingClassicAlerts: \", isUsingClassicAlerts), param2=strcat(\"isUsingJobsAlerts: \", isUsingJobsAlerts)\n\n"
},
{
@@ -8713,7 +9463,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "1549b91f-2ea0-4d4f-ba2a-4596becbe3de",
- "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Displays all recovery services vaults that do not have cross region restore enabled\nresources\n| where type =~ \"Microsoft.RecoveryServices/vaults\" and\n properties.redundancySettings.standardTierStorageRedundancy =~ \"GeoRedundant\" and\n properties.redundancySettings.crossRegionRestore !~ \"Enabled\"\n| extend\n param1 = strcat(\"CrossRegionRestore: \", properties.redundancySettings.crossRegionRestore),\n param2 = strcat(\"StorageReplicationType: \", properties.redundancySettings.standardTierStorageRedundancy)\n| project recommendationId = \"1549b91f-2ea0-4d4f-ba2a-4596becbe3de\", name, id, tags, param1, param2\n"
},
{
@@ -8742,7 +9494,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "9e39919b-78af-4a0b-b70f-c548dae97c25",
- "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceFile": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Azure Recovery Services vaults that do not have soft delete enabled\nresources\n| where type == \"microsoft.recoveryservices/vaults\"\n| mv-expand issoftDelete=properties.securitySettings.softDeleteSettings.softDeleteState\n| where issoftDelete == 'Disabled'\n| project recommendationId = \"9e39919b-78af-4a0b-b70f-c548dae97c25\", name, id, tags, param1=strcat(\"Soft Delete: \",issoftDelete)\n"
},
{
@@ -8771,7 +9525,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "98bd7098-49d6-491b-86f1-b143d6b1a0ff",
- "source": "azure-resources/Resources/resourceGroups/recommendations.yaml",
+ "sourceFile": "azure-resources/Resources/resourceGroups/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure Resource Groups that have resources deployed in a region different than the Resource Group region\nresources\n| project id, name, tags, resourceGroup, location\n| where location != \"global\" // exclude global resources\n| where resourceGroup != \"networkwatcherrg\" // exclude networkwatcherrg\n| where split(id, \"/\", 3)[0] =~ \"resourceGroups\" // resource is in a resource group\n| extend resourceGroupId = strcat_array(array_slice(split(id, \"/\"),0,4), \"/\") // create resource group resource id\n| join (resourcecontainers | project containerid=id, containerlocation=location ) on $left.resourceGroupId == $right.['containerid'] // join to resourcecontainers table\n| where location != containerlocation\n| project recommendationId=\"98bd7098-49d6-491b-86f1-b143d6b1a0ff\", name, id, tags\n| order by id asc\n\n"
},
{
@@ -8808,7 +9564,9 @@
"severity": "High",
"category": "High Availability",
"guid": "20057905-262c-49fe-a9be-49f423afb359",
- "source": "azure-resources/ServiceBus/namespaces/recommendations.yaml",
+ "sourceFile": "azure-resources/ServiceBus/namespaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Returns Service Bus namespaces that do not have any availability zones enabled\nresources\n| where type =~ 'Microsoft.ServiceBus/namespaces'\n| where properties.zoneRedundant == 'false'\n| project recommendationId = \"20057905-262c-49fe-a9be-49f423afb359\", name, id, tags, param1=strcat(\"zoneRedundant: \", properties.zoneRedundant), param2=strcat(\"SKU: \", sku.name), param3=iff(tolower(sku.name) == 'premium', 'Move Service Bus namespace to a region that supports Availability Zones', 'Migrate to Premium SKU in a region that supports Availability Zones')\n\n"
},
{
@@ -8837,7 +9595,9 @@
"severity": "High",
"category": "High Availability",
"guid": "d810e3a8-600f-4be1-895b-1a93e61d37fd",
- "source": "azure-resources/ServiceBus/namespaces/recommendations.yaml",
+ "sourceFile": "azure-resources/ServiceBus/namespaces/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -8866,7 +9626,9 @@
"severity": "High",
"category": "High Availability",
"guid": "6a8b3db9-5773-413a-a127-4f7032f34bbd",
- "source": "azure-resources/SignalRService/signalR/recommendations.yaml",
+ "sourceFile": "azure-resources/SignalRService/signalR/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find SignalR instances that are not configured with the Premium tier\nresources\n| where type == \"microsoft.signalrservice/signalr\"\n| where sku.tier != \"Premium\"\n| project recommendationId = \"6a8b3db9-5773-413a-a127-4f7032f34bbd\", name, id, tags, param1 = \"AvailabilityZones: Single Zone\"\n| order by id asc\n\n"
},
{
@@ -8895,7 +9657,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "74c2491d-048b-0041-a140-935960220e20",
- "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceFile": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of SQL databases that are not part of Geo Replication.\nresources\n| where type == \"microsoft.sql/servers/databases\"\n| summarize secondaryTypeCount = countif(isnotempty(properties.secondaryType)) by name\n| where secondaryTypeCount == 0\n| join kind=inner (\n Resources\n | where type == \"microsoft.sql/servers/databases\"\n) on name\n| extend param1 = \"Not part of Geo Replication\"\n| project recommendationId = \"74c2491d-048b-0041-a140-935960220e20\", name, id, tags, param1\n"
},
{
@@ -8928,7 +9692,9 @@
"severity": "High",
"category": "Disaster Recovery",
"guid": "943c168a-2ec2-a94c-8015-85732a1b4859",
- "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceFile": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of SQL databases that are not configured to use a failover-group.\nresources\n| where type =~'microsoft.sql/servers/databases'\n| where isnull(properties['failoverGroupId'])\n| project recommendationId = \"943c168a-2ec2-a94c-8015-85732a1b4859\", name, id, tags, param1= strcat(\"databaseId=\", properties['databaseId'])\n"
},
{
@@ -8957,7 +9723,9 @@
"severity": "Medium",
"category": "High Availability",
"guid": "c0085c32-84c0-c247-bfa9-e70977cbf108",
- "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceFile": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Finds non-zone redundant SQL databases and lists them\nResources\n| where type =~ 'microsoft.sql/servers/databases'\n| where tolower(tostring(properties.zoneRedundant))=~'false'\n|project recommendationId = \"c0085c32-84c0-c247-bfa9-e70977cbf108\", name, id, tags\n\n\n"
},
{
@@ -8986,7 +9754,9 @@
"severity": "High",
"category": "High Availability",
"guid": "cbb17a29-64fb-c943-95d0-8df814a37c40",
- "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceFile": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -9023,7 +9793,9 @@
"severity": "High",
"category": "Monitoring and Alerting",
"guid": "7e7daec9-6a81-3546-a4cc-9aef72fec1f7",
- "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceFile": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of SQL databases that are not configured for monitoring.\nresources\n| where type == \"microsoft.insights/metricalerts\"\n| mv-expand properties.scopes\n| mv-expand properties.criteria.allOf\n| project databaseid = properties_scopes, monitoredMetric = properties_criteria_allOf.metricName\n| where databaseid contains 'databases'\n| summarize monitoredMetrics=make_list(monitoredMetric) by databaseid=tolower(tostring(databaseid))\n| join kind=fullouter (\n resources\n | where type =~ 'microsoft.sql/servers/databases'\n | project databaseid = tolower(id), name, tags\n) on databaseid\n| where isnull(monitoredMetrics)\n| project recommendationId = \"7e7daec9-6a81-3546-a4cc-9aef72fec1f7\", name, id=databaseid1, tags, param1=strcat(\"MonitoringMetrics=false\" )\n\n"
},
{
@@ -9056,7 +9828,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "d6ef87aa-574e-584e-a955-3e6bb8b5425b",
- "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceFile": "azure-resources/Sql/servers/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -9089,7 +9863,9 @@
"severity": "High",
"category": "High Availability",
"guid": "e6c7e1cc-2f47-264d-aa50-1da421314472",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This query will return all storage accounts that are not using Zone or Region replication\nResources\n| where type =~ \"Microsoft.Storage/storageAccounts\"\n| where sku.name in~ (\"Standard_LRS\", \"Premium_LRS\")\n| project recommendationId = \"e6c7e1cc-2f47-264d-aa50-1da421314472\", name, id, tags, param1 = strcat(\"sku: \", sku.name)\n\n"
},
{
@@ -9122,7 +9898,9 @@
"severity": "High",
"category": "Service Upgrade and Retirement",
"guid": "63ad027e-611c-294b-acc5-8e3234db9a40",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Azure classic Storage Account\nresources\n| where type =~ 'microsoft.classicstorage/storageaccounts'\n| project recommendationId = '63ad027e-611c-294b-acc5-8e3234db9a40', name, id, tags, param1=type\n\n"
},
{
@@ -9167,7 +9945,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "5587ef77-7a05-a74d-9c6e-449547a12f27",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -9196,7 +9976,9 @@
"severity": "Medium",
"category": "Disaster Recovery",
"guid": "03263c57-c869-3841-9e0a-3dbb9ef3e28d",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -9225,7 +10007,9 @@
"severity": "Low",
"category": "Disaster Recovery",
"guid": "8ebda7c0-e0e1-ed45-af59-2d7ea9a1c05d",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -9258,7 +10042,9 @@
"severity": "Low",
"category": "Disaster Recovery",
"guid": "1b965cb9-7629-214e-b682-6bf6e450a100",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -9291,7 +10077,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "96cb8331-6b06-8242-8ce8-4e2f665dc679",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -9324,7 +10112,9 @@
"severity": "Low",
"category": "Scalability",
"guid": "2ad78dec-5a4d-4a30-8fd1-8584335ad781",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Find all Azure Storage Accounts, that upgradeable to General purpose v2.\nResources\n| where type =~ \"Microsoft.Storage/storageAccounts\" and kind in~ (\"Storage\", \"BlobStorage\")\n| extend\n param1 = strcat(\"AccountKind: \", case(kind =~ \"Storage\", \"Storage (general purpose v1)\", kind =~ \"BlobStorage\", \"BlobStorage\", kind)),\n param2 = strcat(\"Performance: \", sku.tier),\n param3 = strcat(\"Replication: \", sku.name)\n| project recommendationId = \"2ad78dec-5a4d-4a30-8fd1-8584335ad781\", name, id, tags, param1, param2, param3\n\n"
},
{
@@ -9357,7 +10147,9 @@
"severity": "Medium",
"category": "Security",
"guid": "dc55be60-6f8c-461e-a9d5-a3c7686ed94e",
- "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceFile": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// This resource graph query will return all storage accounts that does not have a Private Endpoint Connection or where a private endpoint exists but public access is enabled\nresources\n| where type =~ \"Microsoft.Storage/StorageAccounts\"\n| where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != (\"Succeeded\") or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')\n| extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections),split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))\n| extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place','Public Access Enabled')))\n| project recommendationId = \"dc55be60-6f8c-461e-a9d5-a3c7686ed94e\", name, id, tags, param1, param2\n"
},
{
@@ -9386,7 +10178,9 @@
"severity": "High",
"category": "Governance",
"guid": "c041d596-6c97-4c5f-b4b3-9cd37628f2e2",
- "source": "azure-resources/Subscription/subscriptions/recommendations.yaml",
+ "sourceFile": "azure-resources/Subscription/subscriptions/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Count VM instances with a tag that contains \"Citrix VDA\" and create output if that count is >2000 for each subscription.\n// The Citrix published limit is 2500. This query runs an 80% check.\n\nresources\n| where type == 'microsoft.compute/virtualmachines'\n| where tags contains 'Citrix VDA'\n| summarize VMs=count() by subscriptionId\n| where VMs > 2000\n| join (resourcecontainers| where type =='microsoft.resources/subscriptions' | project subname=name, subscriptionId) on subscriptionId\n| project recommendationId='c041d596-6c97-4c5f-b4b3-9cd37628f2e2', name= subname, id = subscriptionId, param1='Too many instances.', param2= VMs\n\n"
},
{
@@ -9419,7 +10213,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "5ada5ffa-7149-4e49-9fbf-e67be7c2594c",
- "source": "azure-resources/Subscription/subscriptions/recommendations.yaml",
+ "sourceFile": "azure-resources/Subscription/subscriptions/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure Subscriptions that are placed under the Tenant Root Management Group\nresourcecontainers\n| where type == 'microsoft.resources/subscriptions'\n| extend mgParentSize = array_length(properties.managementGroupAncestorsChain)\n| where mgParentSize == 1\n| project recommendationId=\"5ada5ffa-7149-4e49-9fbf-e67be7c2594c\", name, id, tags\n\n"
},
{
@@ -9448,7 +10244,9 @@
"severity": "Low",
"category": "High Availability",
"guid": "19b6df57-f6b5-3e4f-843a-273daa087cb0",
- "source": "azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml",
+ "sourceFile": "azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -9481,7 +10279,9 @@
"severity": "Low",
"category": "Disaster Recovery",
"guid": "21fb841b-ba70-1f4e-a460-1f72fb41aa51",
- "source": "azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml",
+ "sourceFile": "azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// List all Image Templates that are not replicated to another region\nresources\n| where type =~ \"microsoft.virtualmachineimages/imagetemplates\"\n| mv-expand distribution=properties.distribute\n| where array_length(parse_json(distribution).replicationRegions) == 1\n| project recommendationId = \"21fb841b-ba70-1f4e-a460-1f72fb41aa51\", name, id, param1=strcat(\"replicationRegions:\",parse_json(distribution).replicationRegions)\n\n"
},
{
@@ -9514,7 +10314,9 @@
"severity": "High",
"category": "High Availability",
"guid": "88cb90c2-3b99-814b-9820-821a63f600dd",
- "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// The query filters the qualified App Service Plans that do not have Zone Redundancy enabled.\n// Its important to check regions that support availability zones for Azure App Services running on multi-tenant and App Service Environments https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service?tabs=graph%2Ccli#:~:text=The%20following%20regions%20support%20Azure%20App%20Services%20running%20on%20multi%2Dtenant%20environments%3A\n\nresources\n| where type =~ 'microsoft.web/serverfarms'\n| extend zoneRedundant = tobool(properties.zoneRedundant)\n| extend sku_tier = tostring(sku.tier)\n| where (tolower(sku_tier) contains \"isolated\" or tolower(sku_tier) contains \"premium\") and zoneRedundant == false\n| project recommendationId=\"88cb90c2-3b99-814b-9820-821a63f600dd\", name, id, tags, param1=sku_tier, param2=\"Not Zone Redundant\"\n\n"
},
{
@@ -9543,7 +10345,9 @@
"severity": "High",
"category": "High Availability",
"guid": "b2113023-a553-2e41-9789-597e2fb54c31",
- "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure App Service Plans that are not in the \"Standard\", \"Premium\", or \"IsolatedV2\" SKU tiers.\n\nresources\n| where type =~ 'microsoft.web/serverfarms'\n| extend sku_tier = tostring(sku.tier)\n| where tolower(sku_tier) !contains \"standard\" and\n tolower(sku_tier) !contains \"premium\" and\n tolower(sku_tier) !contains \"isolatedv2\"\n| project recommendationId=\"b2113023-a553-2e41-9789-597e2fb54c31\", name, id, tags, param1= strcat(\"SKU=\",sku_tier)\n\n"
},
{
@@ -9572,7 +10376,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "07243659-4643-d44c-a1c6-07ac21635072",
- "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure App Service Plans and the number of changes that was made to the pricing tier, if the count is higher that 3 it means you need to avoid scaling up and down that often\n\nresourcechanges\n| extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),\nchangeType = tostring(properties.changeType), correlationId = properties.changeAttributes.correlationId,\nchangedProperties = properties.changes, changeCount = properties.changeAttributes.changesCount\n| where changeTime > ago(14d)\n| join kind=inner (resources | project resources_Name = name, resources_Type = type, resources_Subscription= subscriptionId, resources_ResourceGroup= resourceGroup, id) on $left.targetResourceId == $right.id\n| where resources_Type contains \"microsoft.web/serverfarms\"\n| where changedProperties['sku.name'].propertyChangeType == 'Update' or changedProperties['sku.tier'].propertyChangeType == 'Update'\n| summarize count() by targetResourceId, resources_Name ,tostring(changedProperties['sku.name'].previousValue), tostring(changedProperties['sku.tier'].newValue)\n| project recommendationId=\"07243659-4643-d44c-a1c6-07ac21635072\", name=resources_Name, id=targetResourceId, tags=\"\", param1=['changedProperties_sku.name_previousValue'], param2=['changedProperties_sku.tier_newValue'], param3=count_\n\n"
},
{
@@ -9601,7 +10407,9 @@
"severity": "High",
"category": "Governance",
"guid": "dbe3fd66-fb2a-9d46-b162-1791e21da236",
- "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -9634,7 +10442,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "6320abf6-f917-1843-b2ae-4779c35985ae",
- "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// under-development\n\n"
},
{
@@ -9663,7 +10473,9 @@
"severity": "Low",
"category": "Monitoring and Alerting",
"guid": "493f6079-3bb6-4a56-96ba-ab3248474cb1",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n\n"
},
{
@@ -9696,7 +10508,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "a7e8bb3d-8ceb-442d-b26f-007cd63f9ffc",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n\n"
},
{
@@ -9725,7 +10539,9 @@
"severity": "Low",
"category": "Scalability",
"guid": "78a5c033-ff51-4332-8a71-83464c34494b",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -9754,7 +10570,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "3f9ddb59-0bb3-4acb-9c9b-99aa1776f0ab",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n\n"
},
{
@@ -9783,7 +10601,9 @@
"severity": "Low",
"category": "Governance",
"guid": "a1d91661-32d4-430b-b3b6-5adeb0975df7",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Display App Service with the count of deployment slots for Apps under eligible App service plans and it shows if deployment slot is enabled or not\n\nresources\n| where type =~ 'microsoft.web/sites' or type =~ 'microsoft.web/sites/slots'\n| extend isSlot = iff(type =~ 'microsoft.web/sites/slots', 1, 0)\n| extend AspName = iff(isSlot == 1, split(name, '/')[0], name)\n| extend Sku = tostring(properties.sku)\n| where tolower(Sku) contains \"standard\" or tolower(Sku) contains \"premium\" or tolower(Sku) contains \"isolatedv2\"\n| project id, name, AspName, isSlot, Sku\n| summarize Slots = countif(isSlot == 1) by id, name, AspName, Sku\n| extend DeploymentSlotEnabled = iff(Slots > 1, true, false)\n| where DeploymentSlotEnabled = false\n| project recommendationId=\"a1d91661-32d4-430b-b3b6-5adeb0975df7\", name, id, tags=\"\", param1=Sku, param2=Slots, param3=\"DeploymentSlotEnabled=false\"\n\n"
},
{
@@ -9812,7 +10632,9 @@
"severity": "Medium",
"category": "Other Best Practices",
"guid": "0b80b67c-afbe-4988-ad58-a85a146b681e",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure App Service resources that don't have App Settings configured\n\nappserviceresources\n| where type == \"microsoft.web/sites/config\"\n| extend AppSettings = iif(isempty(properties.AppSettings), true, false)\n| where AppSettings == false\n| project recommendationId=\"0b80b67c-afbe-4988-ad58-a85a146b681e\", id, name, tags=\"\", param1=\"AppSettings is not configured\"\n\n"
},
{
@@ -9841,7 +10663,9 @@
"severity": "Medium",
"category": "Other Best Practices",
"guid": "fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Check if Health Check is enabled for App Service\n\nresources\n| where type =~ 'microsoft.web/sites'\n| where properties.kind has 'app'\n| join kind = inner\n (\n appserviceresources\n | where isnull(properties.HealthCheckPath) == true\n | project name\n ) on name\n| project recommendationId = \"fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d\", name, id, tags, param1 = \"Healthcheckpath = not set\"\n"
},
{
@@ -9870,7 +10694,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "aab6b4a4-9981-43a4-8728-35c7ecbb746d",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Check if Network access restrictions defined for App service\n\nresources\n| where type =~ 'microsoft.web/sites'\n| where properties.kind has 'app'\n| join kind = inner\n (\n appserviceresources\n | mv-expand IpSecurityRestrictions = properties.IpSecurityRestrictions\n | where isnotnull(IpSecurityRestrictions) == true\n | project name\n ) on name\n| project recommendationId = \"aab6b4a4-9981-43a4-8728-35c7ecbb746d\", name, id, tags, param1 = \"No network restrictions set\"\n"
},
{
@@ -9899,7 +10725,9 @@
"severity": "Medium",
"category": "Scalability",
"guid": "9e6682ac-31bc-4635-9959-ab74b52454e6",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of App services that do not have minimum instance count of 2\n\nresources\n| where type =~ 'microsoft.web/sites'\n| where properties.kind has 'app'\n| join kind = inner\n (\n appserviceresources\n | where properties.PreWarmedInstanceCount < 2\n | project name\n ) on name\n| project recommendationId = \"9e6682ac-31bc-4635-9959-ab74b52454e6\", name, id, tags, param1 = \"PreWarmedInstanceCount is less than 2\"\n"
},
{
@@ -9928,7 +10756,9 @@
"severity": "Low",
"category": "High Availability",
"guid": "c6c4b962-5af4-447a-9d74-7b9c53a5dff5",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// Azure Resource Graph Query\n// Provides a list of Azure Function App resources that do not have auto heal enabled\n\nResources\n| where type =~ 'microsoft.web/sites'\n| where properties.kind contains 'functionapp'\n| join kind=inner\n (appserviceresources\n | where type == \"microsoft.web/sites/config\"\n | where properties.AutoHealEnabled == 'false'\n | project id, name, tenantId, location, resourceGroup, properties.AutoHealEnabled\n ) on name\n| project recommendationID = \"c6c4b962-5af4-447a-9d74-7b9c53a5dff5\", name, id, type, kind, param1=\"AutoHealEnabled =false\"\n"
},
{
@@ -9957,7 +10787,9 @@
"severity": "Medium",
"category": "Monitoring and Alerting",
"guid": "52f368ee-1d77-4b34-92db-64be269642d0",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -9986,7 +10818,9 @@
"severity": "Low",
"category": "Governance",
"guid": "0b06a688-0dd6-4d73-9f72-6666ff853ca9",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -10015,7 +10849,9 @@
"severity": "Medium",
"category": "Governance",
"guid": "c9a278b7-024b-454b-bd54-41587c512b74",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
},
{
@@ -10044,51 +10880,53 @@
"severity": "Medium",
"category": "Governance",
"guid": "7c608f46-46b2-4cc0-bbd6-1d457c16671c",
- "source": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceFile": "azure-resources/Web/sites/recommendations.yaml",
+ "sourceType": "aprl",
+ "timestamp": "July 24, 2024",
"graph": "// cannot-be-validated-with-arg\n"
}
],
"categories": [
{
- "name": "Disaster Recovery"
+ "name": "Service Upgrade and Retirement"
},
{
- "name": "Scalability"
+ "name": "Disaster Recovery"
},
{
- "name": "Monitoring and Alerting"
+ "name": "Other Best Practices"
},
{
- "name": "High Availability"
+ "name": "Business Continuity"
},
{
- "name": "Other Best Practices"
+ "name": "Personalized"
},
{
- "name": "Business Continuity"
+ "name": "Monitoring and Alerting"
},
{
- "name": "Personalized"
+ "name": "Security"
},
{
"name": "Governance"
},
{
- "name": "Service Upgrade and Retirement"
+ "name": "High Availability"
},
{
- "name": "Security"
+ "name": "Scalability"
}
],
"severities": [
- {
- "name": "Low"
- },
{
"name": "High"
},
{
"name": "Medium"
+ },
+ {
+ "name": "Low"
}
],
"waf": [
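Review bot: The `categories` and `severities` arrays in this hunk are reordered without any name being added or removed, which suggests the generator emits them from an unordered set, so every regeneration produces a different order and a noisy diff. Sorting the names before they are written (`sorted(...)` over the collected category and severity names, or a fixed severity order such as High/Medium/Low) would make the output deterministic and keep future diffs limited to real changes. This is an inference from the diff alone; the generator itself is not in this hunk.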
@@ -10142,6 +10980,6 @@
"name": "APRL Checklist",
"waf": "none",
"state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azureapplicationgateway_sg_checklist.en.json b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
index d2c3f09f4..bde5684ce 100644
--- a/checklists-ext/azureapplicationgateway_sg_checklist.en.json
+++ b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
@@ -6,236 +6,265 @@
"service": "Azure Application Gateway",
"text": "Plan for rule updates",
"description": "Plan enough time for updates before accessing Application Gateway or making further changes. For example, removing servers from backend pool might take some time because they have to drain existing connections.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "aa2f47b2-36a3-4277-a7f9-530ebe697d26"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "Use health probes to detect backend unavailability",
"description": "If Application Gateway is used to load balance incoming traffic over multiple backend instances, we recommend the use of health probes. These will ensure that traffic is not routed to backends that are unable to handle the traffic.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "26730c7f-aa79-4887-bef2-3c6fa3c796b4"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "Review the impact of the interval and threshold settings on health probes",
"description": "The health probe sends requests to the configured endpoint at a set interval. Also, there's a threshold of failed requests that will be tolerated before the backend is marked unhealthy. These numbers present a trade-off.- Setting a higher interval puts a higher load on your service. Each Application Gateway instance sends its own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.- Setting a lower interval leaves more time before an outage is detected.- Setting a low unhealthy threshold might mean that short, transient failures might take down a backend. - Setting a high threshold it can take longer to take a backend out of rotation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dc370d3b-180d-474b-ad33-3e3adc684768"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "Verify downstream dependencies through health endpoints",
"description": "Suppose each backend has its own dependencies to ensure failures are isolated. For example, an application hosted behind Application Gateway might have multiple backends, each connected to a different database (replica). When such a dependency fails, the application might be working but won't return valid results. For that reason, the health endpoint should ideally validate all dependencies. Keep in mind that if each call to the health endpoint has a direct dependency call, that database would receive 100 queries every 30 seconds instead of 1. To avoid this, the health endpoint should cache the state of the dependencies for a short period of time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ff13f531-ebf7-4051-a2f9-6f6688200bd8"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "When using Azure Front Door and Application Gateway to protect `HTTP/S` applications, use WAF policies in Front Door and lock down Application Gateway to receive traffic only from Azure Front Door.",
"description": "Certain scenarios can force you to implement rules specifically on Application Gateway. For example, if ModSec CRS 2.2.9, CRS 3.0 or CRS 3.1 rules are required, these rules can be only implemented on Application Gateway. Conversely, rate-limiting and geo-filtering are available only on Azure Front Door, not on AppGateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1cacf8b7-2158-4fbf-8a2a-8021a0b7e54d"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Set up a TLS policy for enhanced security",
"description": "Set up a TLS policy for extra security. Ensure you're always using the latest TLS policy version available. This enforces TLS 1.2 and stronger ciphers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6f66822e-e720-4449-9109-d536e95e9aca"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Use AppGateway for TLS termination",
"description": "There are advantages of using Application Gateway for TLS termination:- Performance improves because requests going to different backends to have to re-authenticate to each backend.- Better utilization of backend servers because they don't have to perform TLS processing- Intelligent routing by accessing the request content.- Easier certificate management because the certificate only needs to be installed on Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2e78b1af-30aa-48fb-a8c3-852e109871a6"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Use Azure Key Vault to store TLS certificates",
"description": "Application Gateway can be integrated with Key Vault. This provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2d18cf76-75ec-4b98-b76c-a4d6fb44e043"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)",
"description": "A TLS certificate of the backend server must be issued by a well-known CA. If the certificate was not issued by a trusted CA, the Application Gateway checks if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate is found. Only then a secure connection is established. Otherwise, Application Gateway marks the backend as unhealthy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8bc7c922-c69c-4280-9b9a-c9beecead835"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Use an appropriate DNS server for backend pool resources",
"description": "When the backend pool contains a resolvable FQDN, the DNS resolution is based on a private DNS zone or custom DNS server (if configured on the VNet), or it uses the default Azure-provided DNS.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "99518dfb-4e20-4868-8991-1c75f297a55d"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Comply with all NSG restrictions for Application Gateway",
"description": "NSGs are supported on Application Gateway subnet, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions. For details, see Network security groups.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1437298d-0abb-484b-9152-5400d6b4d258"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Refrain from using UDRs on the Application gateway subnet",
"description": "Using User Defined Routes (UDR) on the Application Gateway subnet can cause some issues. Health status in the back-end might be unknown. Application Gateway logs and metrics might not get generated. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics. If your organizations require to use UDR in the Application Gateway subnet, please ensure you review the supported scenarios. For more information, see Supported user-defined routes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "aad6f93d-60b5-44e2-a166-a85d4fe7f6e9"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Be aware of Application Gateway capacity changes when enabling WAF",
"description": "When WAF is enabled, every request must be buffered by the Application Gateway until it fully arrives, checks if the request matches with any rule violation in its core rule set, and then forwards the packet to the backend instances. When there are large file uploads (30MB+ in size), it can result in a significant latency. Because Application Gateway capacity requirements are different with WAF, we do not recommend enabling WAF on Application Gateway without proper testing and validation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "32b914b9-a439-42ab-ac1b-e131333896d3"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Familiarize yourself with Application Gateway pricing",
"description": "For information about Application Gateway pricing, see Understanding Pricing for Azure Application Gateway and Web Application Firewall. You can also leverage the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0edcbe2d-deaf-4319-ad1e-80a9393fa444"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Review underutilized resources",
"description": "Identify and delete Application Gateway instances with empty backend pools to avoid unnecessary costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4b19fe95-feb3-4d0f-87b4-b06897703775"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Stop Application Gateway instances when not in use",
"description": "You aren't billed when Application Gateway is in the stopped state. Continuously running Application Gateway instances can incur extraneous costs. Evaluate usage patterns and stop instances when you don't need them. For example, usage after business hours in Dev/Test environments is expected to be low.See these articles for information about how to stop and start instances.- Stop-AzApplicationGateway- Start-AzApplicationGateway",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4574f29b-5ff1-4acb-9914-dc5c912f31df"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Have a scale-in and scale-out policy",
"description": "A scale-out policy ensures that there will be enough instances to handle incoming traffic and spikes. Also, have a scale-in policy that makes sure the number of instances are reduced when demand drops. Consider the choice of instance size. The size can significantly impact the cost. Some considerations are described in the Estimate the Application Gateway instance count.For more information, see What is Azure Application Gateway v2?",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4cf0112c-e271-4802-ae11-4a95e14e1564"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Review consumption metrics across different parameters",
"description": "You're billed based on metered instances of Application Gateway based on the metrics tracked by Azure. Evaluate the various metrics and capacity units and determine the cost drivers. For more information, see Microsoft Cost Management and Billing. The following metrics are key for Application Gateway. This information can be used to validate that the provisioned instance count matches the amount of incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units- Current Capacity UnitsFor more information, see Application Gateway metrics.Make sure you account for bandwidth costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "98244878-55bd-49b1-ac07-ca6e96d5ba83"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Monitor capacity metrics",
"description": "Use these metrics as indicators of utilization of the provisioned Application Gateway capacity. We strongly recommend setting up alerts on capacity. For details, see Application Gateway high traffic support.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6a41de7f-c4c6-48c6-b997-1dcff0c8ac25"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Troubleshoot using metrics",
"description": "There are other metrics that can indicate issues either at Application Gateway or the backend. We recommend evaluating the following alerts:- Unhealthy Host Count- Response Status (dimension 4xx and 5xx)- Backend Response Status (dimension 4xx and 5xx)- Backend Last Byte Response Time- Application Gateway Total TimeFor more information, see Metrics for Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "886af6e8-8d4e-4963-bffc-ec91cfeac600"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
"description": "Diagnostic logs allow you to view firewall logs, performance logs, and access logs. Use these logs to manage and troubleshoot issues with Application Gateway instances. For more information, see Back-end health and diagnostic logs for Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1d2ea6e3-cf4a-4342-94d0-05204da3e0f4"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Use Azure Monitor Network Insights",
"description": "Azure Monitor Network Insights provides a comprehensive view of health and metrics for network resources, including Application Gateway. For additional details and supported capabilities for Application Gateway, see Azure Monitor Network insights.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2273b46e-b8f5-43ae-842c-54b042a9d984"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Match timeout settings with the backend application",
"description": "Ensure you have configured the IdleTimeout settings to match the listener and traffic characteristics of the backend application. The default value is set to four minutes and can be configured to a maximum of 30. For more information, see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring application health for reliability.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "41027b9b-d6e6-43b4-9827-48d59abf1cbd"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Monitor Key Vault configuration issues using Azure Advisor",
"description": "Application Gateway checks for the renewed certificate version in the linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation. You must configure the Advisor alerts to stay updated and fix such issues immediately to avoid any Control or Data plane related problems. For more information, see Investigating and resolving key vault errors. To set an alert for this specific case, use the Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5d5a0e24-e4e8-4454-83d0-313bce959d0f"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Consider SNAT port limitations in your design",
"description": "SNAT port limitations are important for backend connections on the Application Gateway. There are separate factors that affect how Application Gateway reaches the SNAT port limit. For example, if the backend is a public IP address, it will require its own SNAT port. In order to avoid SNAT port limitations, you can increase the number of instances per Application Gateway, scale out the backends to have more IP addresses, or move your backends into the same virtual network and use private IP addresses for the backends.Requests per second (RPS) on the Application Gateway will be affected if the SNAT port limit is reached. For example, if an Application Gateway reaches the SNAT port limit, then it won't be able to open a new connection to the backend, and the request will fail.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5acb5642-e3d0-4aa4-98cc-3bd36b826713"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Define the minimum instance count",
"description": "For Application Gateway v2 SKU, autoscaling takes some time (approximately six to seven minutes) before the additional set of instances is ready to serve traffic. During that time, if there are short spikes in traffic, expect transient latency or loss of traffic.We recommend that you set your minimum instance count to an optimal level. After you estimate the average instance count and determine your Application Gateway autoscaling trends, define the minimum instance count based on your application patterns. For information, see Application Gateway high traffic support.Check the Current Compute Units for the past one month. This metric represents the gateway's CPU utilization. To define the minimum instance count, divide the peak usage by 10. For example, if your average Current Compute Units in the past month is 50, set the minimum instance count to five.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e7f3c963-e70a-48dd-954b-27619837daab"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Define the maximum instance count",
"description": "We recommend 125 as the maximum autoscale instance count. Make sure the subnet that has the Application Gateway has sufficient available IP addresses to support the scale-up set of instances.Setting the maximum instance count to 125 has no cost implications because you're billed only for the consumed capacity.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3539073c-2694-4459-bcb4-a943a628101b"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Define Application Gateway subnet size",
"description": "Application Gateway needs a dedicated subnet within a virtual network. The subnet can have multiple instances of the deployed Application Gateway resource. You can also deploy other Application Gateway resources in that subnet, v1 or v2 SKU.Here are some considerations for defining the subnet size:- Application Gateway uses one private IP address per instance and another private IP address if a private front-end IP is configured.- Azure reserves five IP addresses in each subnet for internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances. Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum subnet size of /26 is recommended. Because the Standard_v2 or WAF_v2 SKU can support up to 125 instances, using the same calculation, a subnet size of /24 is recommended.- If you want to deploy additional Application Gateway resources in the same subnet, consider the additional IP addresses that will be required for their maximum instance count for both, Standard and Standard v2.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "75c2360c-8a5d-46ae-8471-7636e7e16313"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Take advantage of features for autoscaling and performance benefits",
"description": "The v2 SKU offers autoscaling to ensure that your Application Gateway can scale up as traffic increases. When compared to v1 SKU, v2 has capabilities that enhance the performance of the workload. For example, better TLS offload performance, quicker deployment and update times, zone redundancy, and more. For more information about autoscaling features, see Scaling Application Gateway v2 and WAF v2.If you are running v1 SKU Application gateway, consider migrating to the Application gateway v2 SKU. For more information, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a8924ef1-8a49-4cf6-9858-b475d9618d9d"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
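Review bot: The `guid` values added to each recommendation in this hunk need to be stable across regenerations; if they are minted at generation time rather than derived from the recommendation's content or persisted from the previous file, the next run of the action will reassign all of them and anything that keys on `guid` (the APRL items in this same commit already do) will silently lose its mapping. Deriving them deterministically, e.g. `uuid.uuid5(NAMESPACE, f"{service}|{text}")`, or carrying existing guids forward would avoid that; whether the generator already does so cannot be seen from this hunk. Separately, the `waf` list at the end of the hunk still contains case-variant duplicates of each pillar ("cost"/"Cost", "reliability"/"Reliability", "operations"/"Operations", "security"/"Security", "performance"/"Performance"), which this commit only reorders; normalising pillar names once when they are collected would remove the duplicates.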
@@ -272,6 +301,6 @@
"name": "Azure Application Gateway Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azureblobstorage_sg_checklist.en.json b/checklists-ext/azureblobstorage_sg_checklist.en.json
index 89aa998ce..735f3463d 100644
--- a/checklists-ext/azureblobstorage_sg_checklist.en.json
+++ b/checklists-ext/azureblobstorage_sg_checklist.en.json
@@ -6,215 +6,241 @@
"service": "Azure Blob Storage",
"text": "Configure your account for redundancy. For maximum availability and durability, configure your account by using zone-redundant storage (ZRS) or GZRS.",
"description": "Redundancy protects your data against unexpected failures. The ZRS and GZRS configuration options replicate across different availability zones and enable applications to continue reading data during an outage. For more information, see Durability and availability by outage scenario and Durability and availability parameters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6e3a0d4c-f59e-4049-a15d-30ca8ac3bc5e"
},
{
"waf": "Reliability",
"service": "Azure Blob Storage",
"text": "Before initiating a failover or failback, evaluate the potential for data loss by checking the value of the last synchronization time property. This recommendation applies only to GRS and GZRS configurations.",
"description": "This property helps you estimate how much data you might lose by initiating an account failover. All data and metadata written before the last synchronization time is available on the secondary region, but data and metadata written after the last synchronization time might be lost because it's not written to the secondary region.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b9413c5c-1467-4f04-aa56-66756174bfe4"
},
{
"waf": "Reliability",
"service": "Azure Blob Storage",
"text": "As a part of your backup and recovery strategy, enable the container soft delete, blob soft delete, versioning, and point-in-time restore options.",
"description": "The soft delete option enables a storage account to recover deleted containers and blobs. The versioning option automatically tracks changes made to blobs. This option lets you restore a blob to a previous state.The point-in-time restore option protects against accidental blob deletion or corruption and lets you restore block blob data to an earlier state. For more information, see Data protection overview.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7900bd00-c4b2-4e8d-b006-0efdf966daa7"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Disable anonymous read access to containers and blob.",
"description": "When anonymous access is allowed for a storage account, a user that has the appropriate permissions can modify a container's anonymous access setting to enable anonymous access to the data in that container.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5d7648fc-6e65-46da-beb4-b7da768cd856"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Apply an Azure Resource Manager lock on the storage account.",
"description": "Locking an account prevents it from being deleted and causing data loss.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a279d1d6-4a74-4533-aef0-6d658c196084"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Disable traffic to the public endpoints of your storage account. Create private endpoints for clients that run in Azure. Enable the public endpoint only if clients and services external to Azure require direct access to your storage account. Enable firewall rules that limit access to specific virtual networks.",
"description": "Start with zero access and then incrementally authorize the lowest levels of access required for clients and services to minimize the risk of creating unnecessary openings for attackers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a3a5d6f5-b15b-4b9f-83a4-590d9f826f11"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Authorize access by using Azure role-based access control (RBAC).",
"description": "With RBAC, there are no passwords or keys that can be compromised. The security principal (user, group, managed identity, or service principal) is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token is used to authorize a request against the Blob Storage service.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "945c0935-f1fd-4b22-a24e-5b767202d86e"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Disallow shared key authorization. This disables not only account key access but also service and account shared access signature tokens because they're based on account keys.",
"description": "Only secured requests that are authorized with Microsoft Entra ID are permitted.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "20c571b0-d4cf-4641-bd1d-1310f8cd6eb2"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "We recommend that you don't use an account key. If you must use account keys, then store them in Key Vault, and make sure that you regenerate them periodically.",
"description": "Key Vault lets you retrieve keys at runtime, instead of saving them by using your application. Key Vault also makes it easy to rotate your keys without interruption to your applications. Rotating the account keys periodically reduces the risk of exposing your data to malicious attacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "49899213-759d-4cac-b34a-446526b56f4b"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "We recommend that you don't use shared access signature tokens. Evaluate whether you need shared access signature tokens to secure access to Blob Storage resources. If you must create one, then review this list of shared access signature best practices before you create and distribute it.",
"description": "Best practices can help you prevent a shared access signature token from being leaked and quickly recover if a leak does occur.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "cb1a2ad8-7833-45be-97e5-4afc4a38cfc4"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Configure your storage account so clients can send and receive data by using the minimum version of TLS 1.2.",
"description": "TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support modern cryptographic algorithms and cipher suites.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9bf21313-427b-4208-8815-9e6323d55f4c"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Consider using your own encryption key to protect the data in your storage account. For more information, see Customer-managed keys for Azure Storage encryption.",
"description": "Customer-managed keys provide greater flexibility and control. For example, you can store encryption keys in Key Vault and automatically rotate them.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "76f6e285-5bed-46c0-a50d-b8024c4fd512"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Pack small files into larger files before moving them to cooler tiers. You can use file formats such as TAR or ZIP.",
"description": "Cooler tiers have higher data transfer costs. By having fewer large files, you can reduce the number of operations required to transfer data.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "68a2d8f2-ccf3-4cde-9466-61444d55d7d3"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Use standard-priority rehydration when rehydrating blobs from archive storage. Use high-priority rehydration only for emergency data restoration situations. For more information, see Rehydrate an archived blob to an online tier",
"description": "High-priority rehydration from the archive tier can lead to higher-than-normal bills.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b3b25570-9501-4ccf-a42f-bf1ab7a1796d"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Reduce the cost of using resource logs by choosing the appropriate log storage location and by managing log-retention periods. If you only plan to query logs occasionally (for example, querying logs for compliance auditing), consider sending resource logs to a storage account instead of sending them to an Azure Monitor Logs workspace. You can use a serverless query solution such as Azure Synapse Analytics to analyze logs. For more information, see Optimize cost for infrequent queries. Use lifecycle management policies to delete or archive logs.",
"description": "Storing resource logs in a storage account for later analysis can be a cheaper option. Using lifecycle management policies to manage log retention in a storage account prevents large numbers of logs files building up over time, which can lead to unnecessary capacity charges.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9c10778d-ed29-4ac4-b310-38987b3ba76b"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "If you enable versioning, use a lifecycle management policy to automatically delete old blob versions.",
"description": "Every write operation to a blob creates a new version. This increases capacity costs. You can keep costs in check by removing versions that you no longer need.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "05ba2481-3ecf-4808-a6fd-211f0a7db6ce"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "If you enable versioning, then place blobs that are frequently overwritten into an account that doesn't have versioning enabled.",
"description": "Every time a blob is overwritten, a new version is added which leads to increased storage capacity charges. To reduce capacity charges, store frequently overwritten data in a separate storage account with versioning disabled.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2b3cf36b-31a3-48c2-8624-9c8bdbf15a07"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "If you enable soft delete, then place blobs that are frequently overwritten into an account that doesn't have soft delete enabled. Set retention periods. Consider starting with a short retention period to better understand how the feature affects your bill. The minimum recommended retention period is seven days.",
"description": "Every time a blob is overwritten, a new snapshot is created. The cause of increased capacity charges might be difficult to access because the creation of these snapshots doesn't appear in logs. To reduce capacity charges, store frequently overwritten data in a separate storage account with soft delete disabled. A retention period keeps soft-deleted blobs from piling up and adding to the cost of capacity.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ea98ff0a-e389-4eb1-9f55-98d638152d68"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Enable SFTP support only when it's used to transfer data.",
"description": "Enabling the SFTP endpoint incurs an hourly cost. By thoughtfully disabling SFTP support, and then enabling it as needed, you can avoid passive charges from accruing in your account.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "918a9943-7dd2-47be-9d8f-d7088e08247d"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Disable any encryption scopes that aren't needed to avoid unnecessary charges.",
"description": "Encryptions scopes incur a per month charge.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dda91f7c-dd40-485d-af07-7ef14c90de03"
},
{
"waf": "Operations",
"service": "Azure Blob Storage",
"text": "Use infrastructure as code (IaC) to define the details of your storage accounts in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.",
"description": "You can use your existing DevOps processes to deploy new storage accounts, and use Azure Policy to enforce their configuration.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fab63e96-cd06-4c4d-b92c-3b32a554e2d5"
},
{
"waf": "Operations",
"service": "Azure Blob Storage",
"text": "Use Storage insights to track the health and performance of your storage accounts. Storage insights provides a unified view of the failures, performance, availability, and capacity for all your storage accounts.",
"description": "You can track the health and operation of each of your accounts. Easily create dashboards and reports that stakeholders can use to track the health of your storage accounts.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fe67dbff-1ce7-4ac5-8b12-b0c3e23e66f3"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "Provision storage accounts in the same region where dependent resources are placed. For applications that aren't hosted on Azure, such as mobile device apps or on-premises enterprise services, locate the storage account in a region nearer to those clients. For more information, see Azure geographies.If clients from a different region don't require the same data, then create a separate account in each region.If clients from a different region require only some data, consider using an object-replication policy to asynchronously copy relevant objects to a storage account in the other region.",
"description": "Reducing the physical distance between the storage account and VMs, services, and on-premises clients can improve performance and reduce network latency. Reducing the physical distance also reduces cost for applications hosted in Azure because bandwidth usage within a single region is free.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f8126892-8d54-4a95-8e93-cc34bd50443d"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "For broad consumption by web clients (streaming video, audio, or static website content), consider using a content delivery network through Azure Front Door.",
"description": "Content is delivered to clients faster because it uses the Microsoft global edge network with hundreds of global and local points of presence around the world.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9a8a245d-71e9-45a8-b143-de66b3b87fd1"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "Add a hash character sequence (such as three digits) as early as possible in the partition key of a blob. The partition key is the account name, container name, virtual directory name, and blob name. If you plan to use timestamps in names, then consider adding a seconds value to the beginning of that stamp. For more information, see Partitioning.",
"description": "Using a hash code or seconds value nearest the beginning of a partition key reduces the time required to list query and read blobs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "215dace2-6d30-430f-9ab0-90ada951e981"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "When uploading blobs or blocks, use a blob or block size that's greater than 256 KiB.",
"description": "Blob or block sizes above 256 KiB takes advantage of performance enhancements in the platform made specifically for larger blobs and block sizes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7c748c26-7894-46d4-811b-3f792790b567"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
@@ -251,6 +277,6 @@
"name": "Azure Blob Storage Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azureexpressroute_sg_checklist.en.json b/checklists-ext/azureexpressroute_sg_checklist.en.json
index 210d6f749..d608a37bb 100644
--- a/checklists-ext/azureexpressroute_sg_checklist.en.json
+++ b/checklists-ext/azureexpressroute_sg_checklist.en.json
@@ -6,215 +6,241 @@
"service": "Azure Expressroute",
"text": "Plan for ExpressRoute circuit or ExpressRoute Direct",
"description": "During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection. An ExpressRoute circuit allows a private dedicated connection into Azure with the help of a connectivity provider. ExpressRoute Direct allows you to extend on-premises network directly into the Microsoft network at a peering location. You also need to identify the bandwidth requirement and the SKU type requirement for your business needs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1fd730ba-d5b5-450b-9444-3daff21bc4b9"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Physical layer diversity",
"description": "For better resiliency, plan to have multiple paths between the on-premises edge and the peering locations (provider/Microsoft edge locations). This configuration can be achieved by going through different service provider or through a different location from the on-premises network.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ecab565f-2cbe-4bb9-81e9-d1a4c3771e57"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Plan for geo-redundant circuits",
"description": "To plan for disaster recovery, set up ExpressRoute circuits in more than one peering locations. You can create circuits in peering locations in the same metro or different metro and choose to work with different service providers for diverse paths through each circuit. For more information, see Designing for disaster recovery and Designing for high availability.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c7a9ccf7-7daf-4f2d-871e-1f7c4dfdba33"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Plan for Active-Active connectivity",
"description": "ExpressRoute dedicated circuits guarantee `99.95%` availability when an active-active connectivity is configured between on-premises and Azure. This mode provides higher availability of your Expressroute connection. It's also recommended to configure BFD for faster failover if there's a link failure on a connection.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3206bf94-9a6e-436b-a9c2-785a79d3bdf7"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Planning for Virtual Network Gateways",
"description": "Create availability zone aware Virtual Network Gateway for higher resiliency and plan for Virtual Network Gateways in different region for disaster recovery and high availability.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1cbe905b-cc57-4571-9415-cd13c4320fec"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Monitor circuits and gateway health",
"description": "Set up monitoring and alerts for ExpressRoute circuits and Virtual Network Gateway health based on various metrics available.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8f4eb27d-3de4-4265-a35b-d5243506b1b3"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Enable service health",
"description": "ExpressRoute uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your ExpressRoute circuits.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ee6ce588-143a-4ab4-acb1-0c7487484015"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Configure Activity log to send logs to archive",
"description": "Activity logs provide insights into operations that were performed at the subscription level for ExpressRoute resources. With Activity logs, you can determine who and when an operation was performed at the control plane. Data retention is only 90 days and required to be stored in Log Analytics, Event Hubs or a storage account for archive.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0c9fcbb1-5c1c-47ec-a5a8-413c7ef6d9c0"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Maintain inventory of administrative accounts",
"description": "Use Azure RBAC to configure roles to limit user accounts that can add, update, or delete peering configuration on an ExpressRoute circuit.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5a43370c-8625-4a7a-a86a-8482baa5e27d"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Configure MD5 hash on ExpressRoute circuit",
"description": "During configuration of private peering or Microsoft peering, apply an MD5 hash to secure messages between the on-premises route and the MSEE routers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8a9dc0cc-86a6-45c1-8441-a0d77757a8e2"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Configure MACSec for ExpressRoute Direct resources",
"description": "Media Access Control security is a point-to-point security at the data link layer. ExpressRoute Direct supports configuring MACSec to prevent security threats to protocols such as ARP, DHCP, LACP not normally secured on the Ethernet link. For more information on how to configure MACSec, see MACSec for ExpressRoute Direct ports.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "500c8980-c0ef-43a0-b9a8-2d3d14980e97"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Encrypt traffic using IPsec",
"description": "Configure a Site-to-site VPN tunnel over your ExpressRoute circuit to encrypt data transferring between your on-premises network and Azure virtual network. You can configure a tunnel using private peering or using Microsoft peering.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "91c50223-7778-4996-99c6-4dd5be8a7634"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Familiarize yourself with ExpressRoute pricing",
"description": "For information about ExpressRoute pricing, see Understand pricing for Azure ExpressRoute. You can also use the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "cee32b00-067e-4548-b020-f187b4a8c31c"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Determine SKU and bandwidth required",
"description": "The way you're charged for your ExpressRoute usage varies between the three different SKU types. With Local SKU, you're automatically charged with an Unlimited data plan. With Standard and Premium SKU, you can select between a Metered or an Unlimited data plan. All ingress data are free of charge except when using the Global Reach add-on. It's important to understand which SKU types and data plan works best for your workload to best optimize cost and budget. For more information resizing ExpressRoute circuit, see upgrading ExpressRoute circuit bandwidth.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bbd469cf-f785-414a-81b5-8b32b458d36b"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Determine the ExpressRoute virtual network gateway size",
"description": "ExpressRoute virtual network gateways are used to pass traffic into a virtual network over private peering. Review the performance and scale needs of your preferred Virtual Network Gateway SKU. Select the appropriate gateway SKU on your on-premises to Azure workload.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f1a986d4-44ab-4f57-8e90-7d543b1f69ef"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Monitor cost and create budget alerts",
"description": "Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks. For more information, see Monitoring ExpressRoute costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a99b7390-8fcd-4982-874d-716d0e33a556"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Deprovision and delete ExpressRoute circuits no longer in use.",
"description": "ExpressRoute circuits are charged from the moment they're created. To reduce unnecessary cost, deprovision the circuit with the service provider and delete the ExpressRoute circuit from your subscription. For steps on how to remove an ExpressRoute circuit, see Deprovisioning an ExpressRoute circuit.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "af36cdef-2fb3-40c2-9aad-9737a0923106"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Configure connection monitoring",
"description": "Connection monitoring allows you to monitor connectivity between your on-premises resources and Azure over the ExpressRoute private peering and Microsoft peering connection. Connection monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ed434cb2-77d8-42de-b470-bc4badecb570"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Configure Service Health",
"description": "Set up Service Health notifications to alert when planned and upcoming maintenance is happening to all ExpressRoute circuits in your subscription. Service Health also displays past maintenance along with RCA if an unplanned maintenance were to occur.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c840ed18-2c79-4052-981f-db4fe43778f7"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Review metrics with Network Insights",
"description": "ExpressRoute Insights with Network Insights allow you to review and analyze ExpressRoute circuits, gateways, connections metrics and health dashboards. ExpressRoute Insights also provide a topology view of your ExpressRoute connections where you can view details of your peering components all in a single place.Metrics available:- Availability- Throughput- Gateway metrics",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "750d3e90-ad08-4bf0-b5d0-615ae4989959"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Review ExpressRoute resource metrics",
"description": "ExpressRoute uses Azure Monitor to collect metrics and create alerts base on your configuration. Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "786e08d7-92ce-4431-92d4-0e562e040ec5"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Test ExpressRoute gateway performance to meet work load requirements.",
"description": "Use Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f3ae82d5-c234-45f3-aa60-fda19953882b"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Increase the size of the ExpressRoute gateway.",
"description": "Upgrade to a higher gateway SKU for improved throughput performance between on-premises and Azure environment.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7bb82173-fbe7-4006-8748-8563ced2099c"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Upgrade ExpressRoute circuit bandwidth",
"description": "Upgrade your circuit bandwidth to meet your work load requirements. Circuit bandwidth is shared between all virtual networks connected to the ExpressRoute circuit. Depending on your work load, one or more virtual networks can use up all the bandwidth on the circuit.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c971e654-a452-41cd-a068-2ce7b847e70b"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Enable ExpressRoute FastPath for higher throughput",
"description": "If you're using an Ultra performance or an ErGW3AZ virtual network gateway, you can enable FastPath to improve the data path performance between your on-premises network and Azure virtual network.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "afb1b0d7-d12f-41e2-83da-9f34a421fab2"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Monitor ExpressRoute circuit and gateway metrics",
"description": "Set up alerts base on ExpressRoute metrics to proactively notify you when a certain threshold is met. These metrics are useful to understand anomalies that can happen with your ExpressRoute connection such as outages and maintenance happening to your ExpressRoute circuits.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "36957ecf-2ad2-41d3-9c53-f0ba27050799"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
@@ -251,6 +277,6 @@
"name": "Azure Expressroute Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azurefiles_sg_checklist.en.json b/checklists-ext/azurefiles_sg_checklist.en.json
index 6d83dc655..638be19b5 100644
--- a/checklists-ext/azurefiles_sg_checklist.en.json
+++ b/checklists-ext/azurefiles_sg_checklist.en.json
@@ -6,236 +6,265 @@
"service": "Azure Files",
"text": "Configure your storage account for redundancy. For maximum availability and durability, configure your account with\u202fzone-redundant storage (ZRS), GRS, or\u202fGZRS. Limited Azure regions support ZRS for standard and premium file shares. Only standard SMB accounts support GRS and GZRS. Premium SMB shares and NFS shares don't support GRS and GZRS. Azure Files doesn't support read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS). If you configure a storage account to use RA-GRS or RA-GZRS, the file shares are configured and billed as GRS or GZRS.",
"description": "Redundancy protects your data against unexpected failures. The ZRS and GZRS configuration options replicate across various availability zones and enable applications to continue reading data during an outage. For more information, see Durability and availability by outage scenario and Durability and availability parameters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "782065a8-04b9-4cf6-adec-da6ba3e6e42b"
},
{
"waf": "Reliability",
"service": "Azure Files",
"text": "Before you initiate a failover or failback, check the value of the last synchronization time property to evaluate the potential for data loss. This recommendation applies only to GRS and GZRS configurations.",
"description": "This property helps you estimate how much data you might lose if you initiate an account failover. All data and metadata that's written before the last synchronization time is available on the secondary region, but you might lose data and metadata that's written after the last synchronization time because it's not written to the secondary region.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "16e559b4-0842-4a5f-83bf-16dc3e3cbfe8"
},
{
"waf": "Reliability",
"service": "Azure Files",
"text": "As a part of your backup and recovery strategy, enable\u202fsoft delete\u202fand\u202fuse snapshots for point-in-time restore. You can use Azure Backup to back up your SMB file shares. You can also use Azure File Sync to back up on-premises SMB file shares to an Azure file share. Azure Backup also allows you to do a vaulted backup (preview) of Azure Files to protect your data from ransomware attacks or source data loss due to a malicious actor or rogue admin. By using vaulted backup, Azure Backup copies and stores data in the Recovery Services vault. This creates an offsite copy of data that you can retain for up to 99 years. Azure Backup creates and manages the recovery points as per the schedule and retention defined in the backup policy. Learn more.",
"description": "Soft delete works on a file share level to protect Azure file shares against accidental deletion. Point-in-time restore protects against accidental deletion or corruption because you can restore file shares to an earlier state. For more information, see Data protection overview.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7011d46a-99b8-49ff-944e-26f5cc2b817c"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Apply an Azure Resource Manager lock on the storage account.",
"description": "Lock the account to prevent accidental or malicious deletion of the storage account, which can cause data loss.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "750b7241-5ddc-4a6a-9e06-0019d5d3dd99"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Open TCP port 445 outbound or set up a VPN gateway or Azure ExpressRoute connection for clients outside of Azure to access the file share.",
"description": "SMB 3.x is an internet-safe protocol, but you might not have the ability to change organizational or ISP policies. You can use a VPN gateway or an ExpressRoute connection as an alternative option.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "544aa9b7-1339-462b-b05d-423bfa23f160"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "If you open port 445, be sure to disable SMBv1 on Windows and Linux clients. Azure Files doesn't support SMB 1, but you should still disable it on your clients.",
"description": "SMB 1 is an outdated, inefficient, and insecure protocol. Disable it on clients to improve your security posture.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "68e6b6ec-0d1a-4b5b-b864-0a84684d9dd2"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Consider disabling public network access to your storage account. Enable public network access only if SMB clients and services that are external to Azure require access to your storage account. If you disable public network access,create a private endpoint for your storage account. Standard data processing rates for private endpoints apply. A private endpoint doesn't block connections to the public endpoint. You should still disable public network access as previously described. If you don't require a static IP address for your file share and want to avoid the cost of private endpoints, you can instead restrict public endpoint access to specific virtual networks and IP addresses.",
"description": "Network traffic travels over the Microsoft backbone network instead of the public internet, which eliminates risk exposure from the public internet.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "aa4bcf28-fe1b-487d-8aca-57a4ca53e481"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Enable firewall rules that limit access to specific virtual networks. Start with zero access, and then methodically and incrementally provide the least amount of access required for clients and services.",
"description": "Minimize the risk of creating openings for attackers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2c486988-91fe-46d6-bb1b-695f9c3f32bd"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "When possible, use identity-based authentication with AES-256 Kerberos ticket encryption to authorize access to SMB Azure file shares.",
"description": "Use identity-based authentication to decrease the possibility of an attacker using a storage account key to access file shares.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "66352a0c-5c71-46d4-85c5-b5097fe941a6"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "If you use storage account keys, store them in Key Vault, and make sure to regenerate them periodically. You can completely disallow storage account key access to the file share by removing NTLMv2 from the share's SMB security settings. But you generally shouldn't remove NTLMv2 from the share's SMB security settings because administrators still need to use the account key for some tasks.",
"description": "Use Key Vault to retrieve keys at runtime instead of saving them with your application. Key Vault also makes it easy to rotate your keys without interruption to your applications. Periodically rotate the account keys to reduce the risk of exposing your data to malicious attacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d39ad222-964f-4404-b8c4-bad919fca4ae"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "In most cases, you should enable the Secure transfer required option on all your storage accounts to enable encryption in transit for SMB file shares. Don't enable this option if you need to allow very old clients to access the share. If you disable secure transfer, be sure to use network controls to restrict traffic.",
"description": "This setting ensures that all requests that are made against the storage account take place over secure connections (HTTPS). Any requests made over HTTP will fail.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "536e86a5-e2ea-47a2-8853-82651ced1265"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Configure your storage account so that TLS 1.2 is the minimum version for clients to send and receive data.",
"description": "TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support modern cryptographic algorithms and cipher suites.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "80854b65-9017-498a-9b12-9e5aa5d6b93b"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Use only the most recent supported SMB protocol version (currently 3.1.1.), and use only AES-256-GCM for SMB channel encryption. Azure Files exposes settings that you can use to toggle the SMB protocol and make it more compatible or more secure, depending on your organization's requirements. By default, all SMB versions are allowed. However, SMB 2.1 is disallowed if you enable Require secure transfer because SMB 2.1 doesn't support encryption of data in transit. If you restrict these settings to a high level of security, some clients might not be able to connect to the file share.",
"description": "SMB 3.1.1, released with Windows 10, contains important security and performance updates. AES-256-GCM offers more secure channel encryption.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "41a8d523-2cb4-499b-9a7f-e9cdc708e28e"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Apply a Resource Manager lock on the storage account.",
"description": "Lock the account to prevent accidental or malicious deletion of the storage account, which might cause data loss.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ca0d9179-144c-4ef2-a617-046f3983000e"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "You must open port 2049 on the clients that you want to mount your NFS share to.",
"description": "Open port 2049 to let clients communicate with the NFS Azure file share.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e6ee6652-c7bf-474b-b47e-e0d739e94901"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "NFS Azure file shares are only accessible through restricted networks. So you must create a private endpoint for your storage account or restrict public endpoint access to selected virtual networks and IP addresses. We recommend that you create a private endpoint. You must configure network-level security for NFS shares because Azure Files doesn't support encryption in transit with the NFS protocol. You need to disable the Require secure transfer setting on the storage account to use NFS Azure file shares. Standard data processing rates apply for private endpoints. If you don't require a static IP address for your file share and want to avoid the cost of private endpoints, you can restrict public endpoint access instead.",
"description": "Network traffic travels over the Microsoft backbone network instead of the public internet, which eliminates risk exposure from the public internet.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e79615fa-f453-43f7-b9db-e4564a08fa6e"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Consider disallowing storage account key access at the storage account level. You don't need this access to mount NFS file shares. But keep in mind that full administrative control of a file share, including the ability to take ownership of a file, requires use of a storage account key.",
"description": "Disallow the use of storage account keys to make your storage account more secure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5d1ca94b-ac1b-482c-922e-8ee47b9c7ba6"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "When you migrate to standard Azure file shares, we recommend that you start in the transaction-optimized tier during the initial migration. Transaction usage during migration isn't typically indicative of normal transaction usage. This consideration doesn't apply for premium file shares because the provisioned billing model doesn't charge for transactions.",
"description": "Migrating to Azure Files is a temporary, transaction-heavy workload. Optimize the price for high-transaction workloads to help reduce migration costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e9863488-d023-4763-a169-161d1dba4b02"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "After you migrate your workload, if you use standard file shares, carefully choose the most cost effective access tier for your file share: hot, cool, or transaction optimized. After you operate for a few days or weeks with regular usage, you can insert your transaction counts in the pricing calculator to figure out which tier best suits your workload. Most customers should choose cool even if they actively use the share. But you should examine each share and compare the balance of storage capacity to transactions to determine your tier. If transaction costs make up a significant percentage of your bill, the savings from using the cool access tier often offsets this cost and minimizes the total overall cost. We recommend that you move standard file shares between access tiers only when necessary to optimize for changes in your workload pattern. Each move incurs transactions. For more information, see Switching between standard tiers.",
"description": "Select the appropriate access tier for standard file shares to considerably reduce your costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "51b872e9-5fcd-44eb-931f-9a249e459e65"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "If you use premium shares, ensure that you provision more than enough capacity and performance for your workload but not so much that you incur unnecessary costs. We recommend overprovisioning by two to three times. You can dynamically scale premium file shares up or down depending on your storage and input/output (IO) performance characteristics.",
"description": "Overprovision premium file shares by a reasonable amount to help maintain performance and account for future growth and performance requirements.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "534d8587-584b-4b2c-b671-3effdcbd01be"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "Use Azure Files reservations, also referred to as reserved instances, to precommit to storage usage and get a discount. Use reservations for production workloads or dev/test workloads with consistent footprints. For more information, see Optimize costs with storage reservations. Reservations don't include transaction, bandwidth, data transfer, and metadata storage charges.",
"description": "Three-year reservations can provide a discount up to 36% on the total cost of file storage. Reservations don't affect performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e2101858-bba3-4f27-b2b6-aa5c34bce700"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "Monitor snapshot usage. Snapshots incur charges, but they're billed based on the differential storage usage of each snapshot. You pay only for the difference in each snapshot. For more information, see Snapshots. Azure File Sync takes share-level and file-level snapshots as part of regular usage, which can increase your total Azure Files bill.",
"description": "Differential snapshots ensure that you're not billed multiple times for storing the same data. However, you should still monitor snapshot usage to help reduce your Azure Files bill.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "92ac1897-48f1-4f92-8305-462072504522"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "Set retention periods for the soft-delete feature, especially when you first start using it. Consider starting with a short retention period to better understand how the feature affects your bill. The minimum recommended retention period is seven days. When you soft delete standard and premium file shares, they're billed as used capacity rather than provisioned capacity. And premium file shares are billed at the snapshot rate while in the soft-delete state. Standard file shares are billed at the regular rate while in the soft-delete state.",
"description": "Set a retention period so that soft-deleted files don't pile up and increase the cost of capacity. After the configured retention period, permanently deleted data doesn't incur cost.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "06ba65dd-f706-428a-9e28-f25b2239e603"
},
{
"waf": "Operations",
"service": "Azure Files",
"text": "Use infrastructure as code (IaC) to define the details of your storage accounts in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.",
"description": "You can use your existing DevOps processes to deploy new storage accounts, and use Azure Policy to enforce their configuration.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a40b648a-7c87-45d0-815b-47495a2b0e01"
},
{
"waf": "Operations",
"service": "Azure Files",
"text": "Use Storage insights to track the health and performance of your storage accounts. Storage insights provides a unified view of the failures, performance, availability, and capacity for all your storage accounts.",
"description": "You can track the health and operation of each of your accounts. Easily create dashboards and reports that stakeholders can use to track the health of your storage accounts.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f63aa6ba-25c6-49be-bda2-0c51c1d571b5"
},
{
"waf": "Operations",
"service": "Azure Files",
"text": "Use Monitor to analyze metrics, such as availability, latency, and usage, and to create alerts.",
"description": "Monitor provides a view of availability, performance, and resiliency for your file shares.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "15160eee-b0c3-48cd-ba6d-0f8577ffcd61"
},
{
"waf": "Performance",
"service": "Azure Files",
"text": "Enable SMB Multichannel for premium SMB file shares. SMB Multichannel allows an SMB 3.1.1 client to establish multiple network connections to an SMB Azure file share. SMB Multichannel only works when the feature is enabled on both client-side (your client) and service-side (Azure). On Windows clients, SMB Multichannel is enabled by default, but you need to enable it on your storage account.",
"description": "Increase throughput and IOPS while reducing the total cost of ownership. Performance benefits increase with the number of files that distribute load.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "daf30eda-f801-45ee-be0e-03d46dc88f79"
},
{
"waf": "Performance",
"service": "Azure Files",
"text": "Use the nconnect client-side mount option with NFS Azure file shares on Linux clients. Nconnect enables you to use more TCP connections between the client and the Azure Files premium service for NFSv4.1.",
"description": "Increase performance at scale, and reduce the total cost of ownership for NFS file shares.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9efba372-db55-473f-a8bb-26f0c718612f"
},
{
"waf": "Performance",
"service": "Azure Files",
"text": "Make sure your file share or storage account isn't being throttled, which can result in high latency, low throughput, or low IOPS. Requests are throttled when the IOPS, ingress, or egress limits are reached. For standard storage accounts, throttling occurs at the account level. For premium file shares, throttling usually occurs at the share level.",
"description": "Avoid throttling to provide the best possible client experience.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6da39eb6-e932-4c5a-a2f2-6b728108cd7b"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
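Review bot: The `waf` array at the end of this hunk is rewritten as a pure permutation of the same ten entries, and after the change it still carries both a lowercase and a capitalized variant of every pillar (`cost`/`Cost`, `security`/`Security`, and so on); the Expressroute section above shows the identical reshuffle. Nothing in the data changed, so the churn suggests the list is assembled from an unordered collection and never normalized, which means every regeneration rewrites every service-guide file and a consumer keying on `name` sees each pillar twice. If these files come from the `get_service_guides` action, as the matching `guid` and `timestamp` additions suggest, the fix belongs there rather than in this JSON: emit the pillar names case-normalized, de-duplicated and in a fixed order so the output is stable; I cannot see the generator, so treat that as a suggestion to confirm. The `timestamp` bump in the following hunk is fine as a generated field.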
@@ -272,6 +301,6 @@
"name": "Azure Files Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azurefirewall_sg_checklist.en.json b/checklists-ext/azurefirewall_sg_checklist.en.json
index 102737ef9..9e2710dc2 100644
--- a/checklists-ext/azurefirewall_sg_checklist.en.json
+++ b/checklists-ext/azurefirewall_sg_checklist.en.json
@@ -6,355 +6,401 @@
"service": "Azure Firewall",
"text": "Use Azure Firewall Manager with traditional Hub & Spokes or Azure Virtual WAN network topologies to deploy and manage instances of Azure Firewall.",
"description": "Easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection. For more information on network topologies, see the Azure Cloud Adoption Framework documentation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "906a66c0-f3fc-4766-bcc9-f483a13302d0"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Create Azure Firewall Policies to govern the security posture across global network environments. Assign policies to all instances of Azure Firewall.",
"description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Delegate incremental firewall policies to local security teams through role-based access control (RBAC). Some settings are specific per instance, for example DNAT Rules and DNS configuration, then multiple specialized policies might be required.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "02b98555-573c-44ff-b81b-8cf4d6c246c3"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Migrate Azure Firewall Classic Rules to Azure Firewall Manager Policies for existing deployments.",
"description": "For existing deployments, migrate Azure Firewall rules to Azure Firewall Manager policies. Use Azure Firewall Manager to centrally manage your firewalls and policies. For more information, see Migrate to Azure Firewall Premium.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d122223e-4634-4b87-8736-1fe446f2dc4b"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Review the list of Azure Firewall Known Issues.",
"description": "Azure Firewall Product Group maintains an updated list of known-issues at this location. This list contains important information related to by-design behavior, fixes under construction, platform limitations, along with possible workarounds or mitigation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7aa2c745-40cd-494b-a465-e3f57aa5db89"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Ensure your Azure Firewall Policy adheres to Azure Firewall limits and recommendations.",
"description": "There are limits on the policy structure, including numbers of Rules and Rule Collection Groups, total policy size, source/target destinations. Be sure to compose your policy and stay behind the documented thresholds.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a5d749c4-2d8f-4503-89d8-d09590d0cb75"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Deploy Azure Firewall across multiple availability zones for higher service-level agreement (SLA).",
"description": "Azure Firewall provides different SLAs when it's deployed in a single availability zone and when it's deployed in multiple zones. For more information, see SLA for Azure Firewall. For information about all Azure SLAs, see SLA summary for Azure services.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2abbe12f-832c-4c12-9ef2-7b5941de0d1c"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "In multi-region environments, deploy an Azure Firewall instance per region.",
"description": "For traditional Hub & Spokes architectures, multi-region details are explained in this article. For secured virtual hubs (Azure Virtual WAN), Routing Intent and Policies must be configured to secure inter-hub and branch-to-branch communications. For workloads designed to be resistant to failures and fault tolerant, remember to consider that instances of Azure Firewall and Azure Virtual Network as regional resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a5a128ef-71f4-4001-8cd8-01afdf78ed87"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Monitor Azure Firewall Metrics and Resource Health state.",
"description": "Closely monitor key metrics indicator of Azure Firewall health state such as Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics. Additionally, Azure Firewall now integrates with Azure Resource Health. With the Azure Firewall Resource Health check, you can now view the health status of your Azure Firewall and address service problems that might affect your Azure Firewall resource.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b2e9619a-7495-4f85-8baf-1cf06575a966"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "If required to route all internet-bound traffic to a designated next hop instead of going directly to the internet, configure Azure Firewall in forced tunneling mode (does not apply to Azure Virtual WAN).",
"description": "Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in the forced tunneling mode. Using the forced tunneling feature, you'll need another /26 address space for the Azure Firewall Management subnet. You're required to name it AzureFirewallManagementSubnet.If this is an existing Azure Firewall instance that can't be reconfigured in the forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. Associate it with AzureFirewallSubnet to maintain internet connectivity.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "77e598e8-9cf8-43d0-931f-4ad1cedfee4a"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in the forced tunneling mode (does not apply to Azure Virtual WAN).",
"description": "When you deploy a new Azure Firewall instance, if you enable the forced tunneling mode, you can set the public IP address to None to deploy a fully private data plane. However, the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks won't use that public IP. For more about forced tunneling, see Azure Firewall forced tunneling.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dbc69891-14e6-428c-adca-cd11b01d9226"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Create rules for Firewall Policies based on least privilege access criteria.",
"description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Each policy can contains different sets of DNAT, Network and Application rules with specific priority, action and processing order. Create your rules based on least privilege access Zero Trust principle . How rules are processed is explained in this article.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a25be6b5-03c3-4bee-a348-ba338419ee17"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Enable IDPS in Alert or Alert and deny mode.",
"description": "IDPS is one of the most powerful Azure Firewall (Premium) security features and should be enabled. Based on security and application requirements, and considering the performance impact (see the Cost section below), Alert or Alert and deny modes can be selected.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5c7fbe3b-1d6d-49c4-bed1-2ac02ec15444"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Enable Azure Firewall (DNS) proxy configuration.",
"description": "Enabling this feature points clients in the VNets to Azure Firewall as a DNS server. It will protect internal DNS infrastructure that will not be directly accessed and exposed. Azure Firewall must be also configured to use custom DNS that will be used to forward DNS queries.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1ed3e1a5-0748-4ae3-92c4-61cdc805a881"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Configure user-defined routes (UDR) to force traffic through Azure Firewall.",
"description": "In a traditional Hub & Spokes architecture, configure UDRs to force traffic through Azure Firewall for `SpoketoSpoke`, `SpoketoInternet`, and `SpoketoHybrid` connectivity. In Azure Virtual WAN, instead, configure Routing Intent and Policies to redirect private and/or Internet traffic through the Azure Firewall instance integrated into the hub.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "219a0f29-198c-43ff-86b6-dd5887856c9f"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "If not possible to apply UDR, and only web traffic redirection is required, consider using Azure Firewall as an Explicit Proxy",
"description": "With explicit proxy feature enabled on the outbound path, you can configure a proxy setting on the sending web application (such as a web browser) with Azure Firewall configured as the proxy. As a result, web traffic will reach the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the usage of multiple firewalls without modifying existing network routes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4ba66379-9878-42b4-bc50-d6495cf000b4"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Configure supported third-party software as a service (SaaS) security providers within Firewall Manager if you want to use these solutions to protect outbound connections.",
"description": "You can use your familiar, best-in-breed, third-party SECaaS offerings to protect internet access for your users. This scenario does require Azure Virtual WAN with a S2S VPN Gateway in the Hub, as it uses an IPSec tunnel to connect to the provider's infrastructure. SECaaS providers might charge additional license fees and limit throughput on IPSec connections. Alternative solutions such as ZScaler Cloud Connector exist and might be more suitable.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0e0c6a0a-0627-47cc-8581-34280d7d4cba"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Fully Qualified Domain Name (FQDN) filtering in network rules.",
"description": "You can use FQDN based on DNS resolution in Azure Firewall and firewall policies. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable the Azure Firewall DNS Proxy configuration to use FQDNs in your network rules. To learn how it works, see Azure Firewall FQDN filtering in network rules.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f6b95447-f9b8-46e0-b068-f9116791466d"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Service Tags in Network Rules to enable selective access to specific Microsoft services.",
"description": "A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. Using Service Tags in Network Rules, it is possible to enable outbound access to specific services in Azure, Dynamics and Office 365 without opening wide ranges of IP addresses. Azure will maintain automatically the mapping between these tags and underlying IP addresses used by each service. The list of Service Tags available to Azure Firewall are listed here: Az Firewall Service Tags.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "101e4c48-234c-48fb-84a2-f23915ecbf15"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use FQDN Tags in Application Rules to enable selective access to specific Microsoft services.",
"description": "An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for some specific Azure services, Office 365, Windows 365 and Intune.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "88d9e6f8-4f96-4c83-9268-b3f7cfbd0559"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Azure Firewall Manager to create and associate a DDoS protection plan with your hub virtual network (does not apply to Azure Virtual WAN).",
"description": "A DDoS protection plan provides enhanced mitigation features to defend your firewall from DDoS attacks. Azure Firewall Manager is an integrated tool to create your firewall infrastructure and DDoS protection plans. For more information, see Configure an Azure DDoS Protection Plan using Azure Firewall Manager.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6681988b-11df-4ea7-aee0-f7d5a1335ae0"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use an Enterprise PKI to generate certificates for TLS Inspection.",
"description": "With Azure Firewall Premium, if TLS Inspection feature is used, it is recommended to leverage an internal Enterprise Certification Authority (CA) for production environment. Self-signed certificates should be used for testing/PoC purposes only.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d6f023f6-dd16-4f48-9da7-18d0e0b0ef5b"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Review Zero-Trust configuration guide for Azure Firewall and Application Gateway",
"description": "If your security requirements necessitate implementing a Zero-Trust approach for web applications (inspection and encryption), it is recommended to follow this guide. In this document, how to integrate together Azure Firewall and Application Gateway will be explained, in both traditional Hub & Spoke and Virtual WAN scenarios.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "72a05358-270e-4985-878d-3f638d2bfbf2"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Deploy the proper Azure Firewall SKU.",
"description": "Azure Firewall can be deployed in three different SKUs: Basic, Standard and Premium. Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). Azure Firewall Standard is recommended for customers looking for Layer 3\u2013Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. Azure Firewall Basic is recommended for SMB customers with throughput needs of 250 Mbps. If required, downgrade or upgrade is possible between Standard and Premium as documented here. For more information, see Choose the right Azure Firewall SKU to meet your needs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "32d1cc86-0c04-4c38-be59-14e6bbe3d020"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Stop Azure Firewall deployments that don't need to run for 24x7.",
"description": "You might have development or testing environments that are used only during business hours. For more information, see Deallocate and allocate Azure Firewall.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "27745055-45fb-4108-89af-a63b1170f7d6"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Share the same instance of Azure Firewall across multiple workloads and Azure Virtual Networks.",
"description": "You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same firewall across many spoke virtual networks that are connected to the same hub from the same region. Ensure there's no unexpected cross-region traffic as part of the hub-spoke topology.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "90ed4bf4-2371-4a63-bea1-c5c5005e4f08"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Regularly review traffic processed by Azure Firewall and look for originating workload optimizations",
"description": "Top Flows log (known in the industry as Fat Flows), shows the top connections that are contributing to the highest throughput through the firewall. It is recommended to regularly review traffic processed by the Azure Firewall and search for possible optimizations to reduce the amount of traffic traversing the firewall.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1020c3ff-e072-4de9-98d8-7c38bce266b9"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Review under-utilized Azure Firewall instances. Identify and delete unused Azure Firewall deployments.",
"description": "To identify unused Azure Firewall deployments, start by analyzing the monitoring metrics and UDRs associated with subnets pointing to the firewall's private IP. Combine that information with other validations, such as if your instance of Azure Firewall has any rules (classic) for NAT, Network and Application, or even if the DNS Proxy setting is configured to Disabled, and with internal documentation about your environment and deployments. You can detect deployments that are cost-effective over time. For more information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b4581201-7d7a-41b0-ab7d-cacdb77d6cfa"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Use Azure Firewall Manager and its Policies to reduce operational costs, increase efficiency, and reduce management overhead.",
"description": "Review your Firewall Manager policies, associations, and inheritance carefully. Policies are billed based on firewall associations. A policy with zero or one firewall association is free of charge. A policy with multiple firewall associations is billed at a fixed rate.For more information, see Pricing - Azure Firewall Manager.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4f9685b1-7f7e-413b-a5c8-03b734e9eade"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Delete unused public IP addresses.",
"description": "Validate whether all the associated public IP addresses are in use. If they aren't in use, disassociate and delete them. Evaluate SNAT port utilization before removing any IP addresses.You'll only use the number of public IPs your firewall needs. For more information, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7f7ce673-1cff-42f8-8deb-7f018d7ceb20"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Review logging requirements.",
"description": "Azure Firewall has the ability to comprehensively log metadata of all traffic it sees, to Log Analytics Workspaces, Storage or third party solutions through Event Hubs. However, all logging solutions incur costs for data processing and storage. At very large volumes these costs can be significant, a cost effective approach and alternative to Log Analytics should be considered and cost estimated. Consider whether it is required to log traffic metadata for all logging categories and modify in Diagnostic Settings if needed.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e0e0d21e-8a8c-4a88-b714-b7eff11570c7"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Do not use Azure Firewall for intra-VNet traffic control.",
"description": "Azure Firewall should be used to control traffic across VNets, between VNets and on-premises networks, outbound traffic to the Internet and incoming non-HTTP/s traffic. For intra-VNet traffic control, it is recommended to use Network Security Groups.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e94d1a6f-cfb1-4fd9-8f48-ad6cb7065081"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Maintain regular backups of Azure Policy artifacts.",
"description": "If Infrastructure-as-Code (IaC) approach is used to maintain Azure Firewall and all dependencies then backup and versioning of Azure Firewall Policies should be already in place. If not, a companion mechanism based on external Logic App can be deployed to automate and provide an effective solution.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b0219e9d-82f0-4760-bc2a-4d8909636794"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Enable Diagnostic Logs for Azure Firewall.",
"description": "Diagnostic Logs is a key component for many monitoring tools and strategies for Azure Firewall and should be enabled. You can monitor Azure Firewall by using firewall logs or workbooks. You can also use activity logs for auditing operations on Azure Firewall resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3cffb79e-0a6b-4dad-b781-d17d1e270127"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Use Structured Firewall Logs format.",
"description": "Structured Firewall Logs are a type of log data that are organized in a specific new format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze. The latest monitoring tools are based on this type of logs hence it is often a pre-requisite. Use the previous Diagnostic Logs format only if there is an existing tool with a pre-requisite on that. Do not enable both logging formats at the same time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a66b781d-3445-4076-8c69-4b9dcd2bded5"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Use the built-in Azure Firewall Monitoring Workbook.",
"description": "Azure Firewall portal experience now includes a new workbook under the Monitoring section UI, a separate installation is no more required. With the Azure Firewall Workbook, you can extract valuable insights from Azure Firewall events, delve into your application and network rules, and examine statistics regarding firewall activities across URLs, ports, and addresses.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "60a9b0b2-a45c-4012-a059-18430a4c7ad3"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Monitor key metrics and create alerts for indicators of the utilization of Azure Firewall capacity.",
"description": "Alerts should be created to monitor at least Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics.For information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4c65a0f6-ea2d-46e8-bba3-9b8dea771bb8"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Configure Azure Firewall integration with Microsoft Defender for Cloud and Microsoft Sentinel.",
"description": "If these tools are available in the environment, it is recommended to leverage integration with Microsoft Defender for Cloud and Microsoft Sentinel solutions. With Microsoft Defender for Cloud integration, you can visualize the all-up status of network infrastructure and network security in one place, including Azure Network Security across all VNets and Virtual Hubs spread across different regions in Azure. Integration with Microsoft Sentinel provides threat detection and prevention capabilities.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bba04e81-c422-427b-b203-350c1d3a724a"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Regularly review Policy Analytics dashboard to identify potential issues.",
"description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b171bd4a-f474-4249-b450-0f09e8fd9ded"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Become familiar with KQL (Kusto Query Language) queries to allow quick analysis and troubleshooting using Azure Firewall logs.",
"description": "Sample queries are provided for Azure Firewall. Those will enable you to quickly identify what's happening inside your firewall and check to see which rule was triggered, or which rule is allowing/blocking a request.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "acfff57b-8cbb-4643-bb47-c8ada4c360cd"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Use Policy Analytics dashboard to identify potential optimizations for Firewall Policies.",
"description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5997898f-94eb-41bf-831c-64768c577d59"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Consider Web Categories to allow or deny outbound access in bulk.",
"description": "Instead of explicitly building and maintaining a long list of public Internet sites, consider the usage of Azure Firewall Web Categories. This feature will dynamically categorize web content and will permit the creation of compact Application Rules.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a413ad7f-d747-401c-8b4d-f670e1a500fd"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Evaluate the performance impact of IDPS in Alert and deny mode.",
"description": "If Azure Firewall is required to operate in IDPS mode Alert and deny, carefully consider the performance impact as documented in this page.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b3794bbc-ca9f-46c2-b857-e3c369b2a2ee"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Assess potential SNAT port exhaustion problem.",
"description": "Azure Firewall currently supports 2496 ports per Public IP address per backend Virtual Machine Scale Set instance. By default, there are two Virtual Machine Scale Set instances. So, there are 4992 ports per flow destination IP, destination port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances. You can work around the limits by configuring Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8ebc6c2c-afad-475f-bf6f-87fb04a32cbb"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Properly warm up Azure Firewall before any performance test.",
"description": "Create initial traffic that isn't part of your load tests 20 minutes before the test. Use diagnostics settings to capture scale-up and scale-down events. You can use the Azure Load Testing service to generate the initial traffic. Allows the Azure Firewall instance to scale up its instances to the maximum.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d4359622-ee34-46fe-84bd-c123458b7ddb"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Configure an Azure Firewall subnet (AzureFirewallSubnet) with a /26 address space.",
"description": "Azure Firewall is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the instance of Azure Firewall. Azure Firewall provisions more capacity as it scales.A /26 address space for its subnets ensures that the firewall has enough IP addresses available to accommodate the scaling. Azure Firewall doesn't need a subnet bigger than /26. The Azure Firewall subnet name must be AzureFirewallSubnet.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "853d3967-f7e9-4019-bb9b-07957fb885b3"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Do not enable advanced logging if not required",
"description": "Azure Firewall provides some advanced logging capabilities that can be expensive to maintain always active. Instead, they should be used for troubleshooting purposes only, and limited in duration, then disabled when no more necessary. For example, Top flows and Flow trace logs are expensive can cause excessive CPU and storage usage on the Azure Firewall infrastructure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "62b90b2f-195d-4897-9537-e1164449b0d6"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
@@ -391,6 +437,6 @@
"name": "Azure Firewall Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azurefrontdoor_sg_checklist.en.json b/checklists-ext/azurefrontdoor_sg_checklist.en.json
index 32f6d81d0..b4a83f638 100644
--- a/checklists-ext/azurefrontdoor_sg_checklist.en.json
+++ b/checklists-ext/azurefrontdoor_sg_checklist.en.json
@@ -6,187 +6,209 @@
"service": "Azure Front Door",
"text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.",
"description": "You can select the best origin resource by using a series of decision steps and your design. The selected origin serves traffic within the allowable latency range in the specified ratio of weights.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "12a2b704-aab5-49b9-b49f-d7b56d80611c"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.",
"description": "Multiple origins support redundancy by distributing traffic across multiple instances of the application. If one instance is unavailable, then other back-end origins can still receive traffic.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dbcc6d21-7f71-42d8-b10b-00ba5c152bd6"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Set up health probes on the origin. Configure Azure Front Door to conduct health checks to determine if the back-end instance is available and ready to continue receiving requests.",
"description": "Enabled health probes are part of the health monitoring pattern implementation. Health probes make sure that Azure Front Door only routes traffic to instances that are healthy enough to handle requests. For more information, see Best practices on health probes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f08c4574-a85c-4d77-adbc-6c85fc0aad9f"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout. For more information, see Troubleshooting unresponsive requests.",
"description": "Timeouts help prevent performance issues and availability issues by terminating requests that take longer than expected to complete.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a5ab698c-0a9f-4f84-b3db-513067920964"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Use the same host name on Azure Front Door and your origin. Azure Front Door can rewrite the host header of incoming requests, which is useful when you have multiple custom domain names that route to one origin. However, rewriting the host header might cause issues with request cookies and URL redirection.",
"description": "Set the same host name to prevent malfunction with session affinity, authentication, and authorization. For more information, see Preserve the original HTTP host name between a reverse proxy and its back-end web application.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5efdb592-6276-45eb-a9d4-1cf161cb5c42"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.",
"description": "With session affinity, user connections stay on the same origin during the user session. If that origin becomes unavailable, the user experience might be disrupted.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d494b3a0-08a0-4127-8376-1f5b6c37ecd2"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Take advantage of the rate-limiting rules that are included with a web application firewall (WAF).",
"description": "Limit requests to prevent clients from sending too much traffic to your application. Rate limiting can help you avoid problems like a retry storm.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "02733e65-a72a-4757-b58e-b9f1b3dbd900"
},
{
"waf": "Security",
"service": "Azure Front Door",
"text": "Enable WAF rule sets that detect and block potentially malicious traffic. This feature is available on the Premium tier. We recommend these rule sets: - Default- Bot protection- IP restriction- Geo-filtering- Rate limiting",
"description": "Default rule sets are updated frequently based on OWASP top-10 attack types and information from Microsoft Threat Intelligence. The specialized rule sets detect certain use cases. For example, bot rules classify bots as good, bad, or unknown based on the client IP addresses. They also block bad bots and known IP addresses and restrict traffic based on geographical location of the callers. By using a combination of rule sets, you can detect and block attacks with various intents.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "35b03d1d-e28e-4b7f-803b-6afb23c6133d"
},
{
"waf": "Security",
"service": "Azure Front Door",
"text": "Create exclusions for managed rule sets. Test a WAF policy in detection mode for a few weeks and adjust any false positives before you deploy it.",
"description": "Reduce false positives and allow legitimate requests for your application.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e1cecbea-d7ab-4d0f-92e1-921716dac3ae"
},
{
"waf": "Security",
"service": "Azure Front Door",
"text": "Enable end-to-end TLS, HTTP to HTTPS redirection, and managed TLS certificates when applicable. Review the TLS best practices for Azure Front Door. Use TLS version 1.2 as the minimum allowed version with ciphers that are relevant for your application. Azure Front Door managed certificates should be your default choice for ease of operations. However, if you want to manage the lifecycle of the certificates, use your own certificates in Azure Front Door custom domain endpoints and store them in Key Vault.",
"description": "TLS ensures that data exchanges between the browser, Azure Front Door, and the back-end origins are encrypted to prevent tampering. Key Vault offers managed certificate support and simple certificate renewal and rotation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "57b20099-1ae5-49de-8fe6-94af34380e64"
},
{
"waf": "Cost",
"service": "Azure Front Door",
"text": "Use caching for endpoints that support it.",
"description": "Caching optimizes data transfer costs because it reduces the number of calls from your Azure Front Door instance to the origin.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8c52f54e-5d37-4213-aa1c-aaefbaeac682"
},
{
"waf": "Cost",
"service": "Azure Front Door",
"text": "Consider enabling file compression. For this configuration, the application must support compression and caching must be enabled.",
"description": "Compression reduces bandwidth consumption and improves performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d040a66a-36ee-4dc5-b016-375e71dc937f"
},
{
"waf": "Cost",
"service": "Azure Front Door",
"text": "Disable health checks in single back-end pools.If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary.",
"description": "You can save on bandwidth costs by disabling requests that aren't required to make routing decisions.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8a9a1107-82b2-4fad-b914-ef3348b41b29"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Use HTTP to HTTPS redirection to support forward compatibility.",
"description": "When redirection is enabled, Azure Front Door automatically redirects clients that are using older protocol to use HTTPS for a secure experience.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "65b1c346-16af-4e5a-b465-f51094135758"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Capture logs and metrics. Include resource activity logs, access logs, health probe logs, and WAF logs. Set up alerts.",
"description": "Monitoring ingress flow is a crucial part of monitoring an application. You want to track requests and make performance and security improvements. You need data to debug your Azure Front Door configuration. With alerts in place, you can get instant notifications of any critical operational issues.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7d54b85e-638e-4a4b-b59e-e570a7cbf6bc"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Review the built-in analytics reports.",
"description": "A holistic view of your Azure Front Door profile helps drive improvements based on traffic and security reports through WAF metrics.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "095f1b55-569d-4964-b9e3-81d8cadedf94"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Use managed TLS certificates when possible.",
"description": "Azure Front Door can issue and manage certificates for you. This feature eliminates the need for certificate renewals and minimizes the risk of an outage due to an invalid or expired TLS certificate.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e0f192c1-fd21-407f-a3c8-16bd275dabfe"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Use wildcard TLS certificates.",
"description": "You don't need to modify the configuration to add or specify each subdomain separately.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e54684f1-f16b-4ed4-bc10-e9a0e411939e"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "Enable caching. You can optimize query strings for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.",
"description": "Azure Front Door offers a robust content delivery network solution that caches content at the edge of the network. Caching reduces the load on the back-end servers and reduces data movement across the network, which helps offload bandwidth usage.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "aebbe719-6eac-4192-90d5-2b5de6e28861"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "Use file compression when you're accessing downloadable content.",
"description": "Compression in Azure Front Door helps deliver content in the optimal format, has a smaller payload, and delivers content to the users faster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "eabc1f38-71e5-4af6-b31b-5b60508460f6"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "When you configure health probes in Azure Front Door, consider using `HEAD` requests instead of `GET` requests. The health probe reads only the status code, not the content.",
"description": "`HEAD` requests let you query a state change without fetching its entire content.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e1b9b5a3-569c-4dc2-a2dc-a453879eeadf"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "Evaluate whether you should enable session affinity when requests from the same user should be directed to the same back-end server. From a reliability perspective, we don't recommend this approach. If you use this option, the application should gracefully recover without disrupting user sessions. There's also a tradeoff on load balancing because it restricts the flexibility of distributing traffic across multiple back ends evenly.",
"description": "Optimize performance and maintain continuity for user sessions, especially when applications rely on maintaining state information locally.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "908b9efc-df91-432a-ad42-0babc1316896"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
@@ -223,6 +245,6 @@
"name": "Azure Front Door Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azurekubernetesservice_sg_checklist.en.json b/checklists-ext/azurekubernetesservice_sg_checklist.en.json
index 568262eb5..7aba70a60 100644
--- a/checklists-ext/azurekubernetesservice_sg_checklist.en.json
+++ b/checklists-ext/azurekubernetesservice_sg_checklist.en.json
@@ -6,390 +6,441 @@
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Control pod scheduling using node selectors and affinity.",
"description": "Allows the Kubernetes scheduler to logically isolate workloads by hardware in the node. Unlike tolerations, pods without a matching node selector can be scheduled on labeled nodes, which allows unused resources on the nodes to consume, but gives priority to pods that define the matching node selector. Use node affinity for more flexibility, which allows you to define what happens if the pod can't be matched with a node.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "97e853ae-0f0c-4af9-9efd-bd97419c00e0"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Ensure proper selection of network plugin based on network requirements and cluster sizing.",
"description": "Azure CNI is required for specific scenarios, for example, Windows-based node pools, specific networking requirements and Kubernetes Network Policies. Reference Kubenet versus Azure CNI for more information.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5c5d171c-e58a-430d-a2cc-38b46f773646"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Use the AKS Uptime SLA for production grade clusters.",
"description": "The AKS Uptime SLA guarantees: - `99.95%` availability of the Kubernetes API server endpoint for AKS Clusters that use Azure Availability Zones, or - `99.9%` availability for AKS Clusters that don't use Azure Availability Zones.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5a34db1f-70ba-41df-89ff-8dcac4e78fd9"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
"description": "Container insights help monitor the health and performance of controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Integration with Prometheus enables collection of application and workload metrics.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "685d2330-e8f1-4201-bc45-fd74617cc28b"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use availability zones to maximize resilience within an Azure region by distributing AKS agent nodes across physically separate data centers.",
"description": "By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down. If colocality requirements exist, either a regular VMSS-based AKS deployment into a single zone or proximity placement groups can be used to minimize internode latency.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0d5115bc-7fbb-4fdb-a645-fee3c75d91a4"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
"description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "006656dc-4514-447f-8472-40590ba7d6ad"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Define Pod resource requests and limits in application deployment manifests, and enforce with Azure Policy.",
"description": "Container CPU and memory resource limits are necessary to prevent resource exhaustion in your Kubernetes cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "daae16b3-339a-4f9c-a2e1-16437f2b39b0"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Keep the System node pool isolated from application workloads.",
"description": "System node pools require a VM SKU of at least 2 vCPUs and 4 GB memory, but 4 vCPU or more is recommended. Reference System and user node pools for detailed requirements.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8482ef12-2aa4-41ac-a90f-a41988abef7e"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Separate applications to dedicated node pools based on specific requirements.",
"description": "Applications may share the same configuration and need GPU-enabled VMs, CPU or memory optimized VMs, or the ability to scale-to-zero. Avoid large number of node pools to reduce extra management overhead.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d7fe91f7-0a16-43cc-9306-dc3c8f435698"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use a NAT gateway for clusters that run workloads that make many concurrent outbound connections.",
"description": "To avoid reliability issues with Azure Load Balancer limitations with high concurrent outbound traffic, us a NAT Gateway instead to support reliable egress traffic at scale.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "39c79408-332f-449d-8c22-308c4eee21d2"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Microsoft Entra integration.",
"description": "Using Microsoft Entra ID centralizes the identity management component. Any change in user account or group status is automatically updated in access to the AKS cluster. The developers and application owners of your Kubernetes cluster need access to different resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "50fb3fc8-14f2-4856-bb4e-4af6cadfeabe"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Authenticate with Microsoft Entra ID to Azure Container Registry.",
"description": "AKS and Microsoft Entra ID enables authentication with Azure Container Registry without the use of `imagePullSecrets` secrets. Review Authenticate with Azure Container Registry from Azure Kubernetes Service for more information.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "743a94f9-3a7e-4b04-9766-f4895e826914"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Secure network traffic to your API server with private AKS cluster.",
"description": "By default, network traffic between your node pools and the API server travels the Microsoft backbone network; by using a private cluster, you can ensure network traffic to your API server remains on the private network only.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4ba645c2-e73c-4d64-b122-afdf0b45243a"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: For non-private AKS clusters, use API server authorized IP ranges.",
"description": "When using public clusters, you can still limit the traffic that can reach your clusters API server by using the authorized IP range feature. Include sources like the public IPs of your deployment build agents, operations management, and node pools' egress point (such as Azure Firewall).",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "46d7f245-f07f-4e88-bb2d-faca191bd7f6"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Protect the API server with Microsoft Entra RBAC.",
"description": "Securing access to the Kubernetes API Server is one of the most important things you can do to secure your cluster. Integrate Kubernetes role-based access control (RBAC) with Microsoft Entra ID to control access to the API server. Disable local accounts to enforce all cluster access using Microsoft Entra ID-based identities.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "70a1f14b-2493-467a-baaa-0082ad3e6e66"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Azure network policies or Calico.",
"description": "Secure and control network traffic between pods in a cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9c861a46-6ed6-46c4-a407-d3a540731c4f"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Secure clusters and pods with Azure Policy.",
"description": "Azure Policy can help to apply at-scale enforcement and safeguards on your clusters in a centralized, consistent manner. It can also control what functions pods are granted and if anything is running against company policy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4aca3024-722c-4aa0-b727-d38adfcc2a46"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Secure container access to resources.",
"description": "Limit access to actions that containers can perform. Provide the least number of permissions, and avoid the use of root or privileged escalation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "37e193d8-d9b1-4444-8f2f-4186242f88cb"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.",
"description": "To scan incoming traffic for potential attacks, use a web application firewall such as Azure Web Application Firewall (WAF) on Azure Application Gateway or Azure Front Door.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ecb6538c-45f3-46a8-ac7d-ef09e28905d9"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Control cluster egress traffic.",
"description": "Ensure your cluster's outbound traffic is passing through a network security point such as Azure Firewall or an HTTP proxy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8b978cf0-6f57-4b16-8ff4-c21cb24f9fda"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use the open-source Microsoft Entra Workload ID and Secrets Store CSI Driver with Azure Key Vault.",
"description": "Protect and rotate secrets, certificates, and connection strings in Azure Key Vault with strong encryption. Provides an access audit log, and keeps core secrets out of the deployment pipeline.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1287d8a6-3b9b-4cad-af36-efb95fb960ec"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Microsoft Defender for Containers.",
"description": "Monitor and maintain the security of your clusters, containers, and their applications.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ca24b98e-95aa-4250-9020-35f835aa8141"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Align SKU selection and managed disk size with workload requirements.",
"description": "Matching your selection to your workload demands ensures you don't pay for unneeded resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c318e6a0-4795-49ec-9911-6f0ecb79d7a6"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select the right virtual machine instance type.",
"description": "Selecting the right virtual machine instance type is critical as it directly impacts the cost of running applications on AKS. Choosing a high-performance instance without proper utilization can lead to wasteful spending, while choosing a powerful instance can lead to performance issues and increased downtime. To determine the right virtual machine instance type, consider workload characteristics, resource requirements, and availability needs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "87bb48b7-2f60-40f8-b5d5-a97e06baafc4"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select virtual machines based on the Arm architecture.",
"description": "AKS supports creating ARM64 Ubuntu agent nodes, as well as a of mix Intel and ARM architecture nodes within a cluster that can bring better performance at a lower cost.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "761503f3-f91b-47dc-b732-ed2079836237"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select Azure Spot Virtual Machines.",
"description": "Spot VMs allow you to take advantage of unutilized Azure capacity with significant discounts (up to 90% as compared to pay-as-you-go prices). If Azure needs capacity back, the Azure infrastructure evicts the Spot nodes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "54565ad7-0937-4126-bdd9-d242dcde1dc7"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select the appropriate region.",
"description": "Due to many factors, cost of resources varies per region in Azure. Evaluate the cost, latency, and compliance requirements to ensure you are running your workload cost-effectively and it doesn't affect your end-users or create extra networking charges.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "850c4199-ce25-4f8b-be6a-dbcb2009cf4a"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Maintain small and optimized images.",
"description": "Streamlining your images helps reduce costs since new nodes need to download these images. Build images in a way that allows the container start as soon as possible to help avoid user request failures or timeouts while the application is starting up, potentially leading to overprovisioning.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b17c40ac-02c7-4fbb-b804-7e246c89d073"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable Cluster Autoscaler to automatically reduce the number of agent nodes in response to excess resource capacity.",
"description": "Automatically scaling down the number of nodes in your AKS cluster lets you run an efficient cluster when demand is low and scale up when demand returns.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "35c3f143-8af5-4064-bff7-5cfee9b3de2b"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable Node Autoprovision to automate VM SKU selection.",
"description": "Node Autoprovision simplifies the SKU selection process and decides, based on pending pod resource requirements, the optimal VM configuration to run workloads in the most efficient and cost effective manner.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b671b868-82a9-4e67-b695-2a231daa98a9"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use the Horizontal Pod Autoscaler.",
"description": "Adjust the number of pods in a deployment depending on CPU utilization or other select metrics, which support cluster scale-in operations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "67bba4f2-32da-4816-adba-26cdd8416310"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use Vertical Pod Autoscaler (preview).",
"description": "Rightsize your pods and dynamically set requests and limits based on historic usage.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4727a766-8d04-4609-b397-dd7ae2e1a6eb"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use Kubernetes Event Driven Autoscaling (KEDA).",
"description": "Scale based on the number of events being processed. Choose from a rich catalogue of 50+ KEDA scalers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "47d91c51-224c-4d38-877a-f54d8c8b513c"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Adopt a cloud financial discipline and cultural practice to drive ownership of cloud usage.",
"description": "The foundation of enabling cost optimization is the spread of a cost saving cluster. A financial operations approach (FinOps) is often used to help organizations reduce cloud costs. It is a practice involving collaboration between finance, operations, and engineering teams to drive alignment on cost saving goals and bring transparency to cloud costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "519b4bb1-9a1a-41a6-b445-498f858c700f"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Sign up for Azure Reservations or Azure Savings Plan.",
"description": "If you properly planned for capacity, your workload is predictable and exists for an extended period of time, sign up for an Azure Reservation or a savings plan to further reduce your resource costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "268e3171-4a88-4ee1-9096-7956cf6a7009"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Configure monitoring of cluster with Container insights.",
"description": "Container insights help provides actionable insights into your clusters idle and unallocated resources. Container insights also supports collecting Prometheus metrics and integrates with Azure Managed Grafana to get a holistic view of your application and infrastructure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b0c6d2ab-4cee-4e81-be4e-b26b466c049d"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Configure the AKS Cost Analysis add-on.",
"description": "The cost analysis cluster extension enables you to obtain granular insight into costs associated with various Kubernetes resources in your clusters or namespaces.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f783ed2e-e0b7-494e-8b6c-03a7c7f0a521"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Review AKS best practices documentation.",
"description": "To build and run applications successfully in AKS, there are key considerations to understand and implement. These areas include multi-tenancy and scheduler features, cluster, and pod security, or business continuity and disaster recovery.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "34538d1b-a5ff-4ec6-9312-eaeb1dcbacf1"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Review Azure Chaos Studio.",
"description": "Azure Chaos Studio can help simulate faults and trigger disaster recovery situations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "73ed49fe-4b44-4bbc-b8ee-59bb6e602187"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
"description": "Container insights help monitor the performance of containers by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API and container logs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2760ddd2-3f7b-4a74-a742-602c4b2b1ee0"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Monitor application performance with Azure Monitor.",
"description": "Configure Application Insights for code-based monitoring of applications running in an AKS cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "41a1cac4-ce0f-44c8-b0b6-d7e36aeace4d"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Configure scraping of Prometheus metrics with Container insights.",
"description": "Container insights, which are part of Azure Monitor, provide a seamless onboarding experience to collect Prometheus metrics. Reference Configure scraping of Prometheus metrics for more information.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "95e28189-fdd7-4679-aeea-2070436acbd4"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
"description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fbac9fd5-6811-4c97-8664-a598a206679c"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Operationalize clusters and pods configuration standards with Azure Policy.",
"description": "Azure Policy can help to apply at-scale enforcement and safeguards on your clusters in a centralized, consistent manner. It can also control what functions pods are granted and if anything is running against company policy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3531bc0d-e5ef-4513-bec0-4fe92182f3f0"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use platform capabilities in your release engineering process.",
"description": "Kubernetes and ingress controllers support many advanced deployment patterns for inclusion in your release engineering process. Consider patterns like blue-green deployments or canary releases.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6c472ee9-9c78-482a-bb39-bfd85de6e7a9"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: For mission-critical workloads, use stamp-level blue/green deployments.",
"description": "Automate your mission-critical design areas, including deployment and testing.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "be17bb53-96e5-4295-96fb-ba078126befe"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Develop a detailed capacity plan and continually review and revise.",
"description": "After formalizing your capacity plan, it should be frequently updated by continuously observing the resource utilization of the cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c45e82d7-78ac-4dac-af7d-6b9fa46201ce"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable cluster autoscaler to automatically adjust the number of agent nodes in response to resource constraints.",
"description": "The ability to automatically scale up or down the number of nodes in your AKS cluster lets you run an efficient, cost-effective cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2bc67a06-669d-4576-9ff7-467d440cd601"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Separate workloads into different node pools and consider scaling user node pools.",
"description": "Unlike System node pools that always require running nodes, user node pools allow you to scale up or down.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "14d66ba7-8381-4a2e-99f9-b52d42877bb7"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use AKS advanced scheduler features.",
"description": "Helps control balancing of resources for workloads that require them.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "69aadc69-d7f2-49a7-a8c0-948d950104d2"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use meaningful workload scaling metrics.",
"description": "Not all scale decisions can be derived from CPU or memory metrics. Often scale considerations will come from more complex or even external data points. Use KEDA to build a meaningful auto scale ruleset based on signals that are specific to your workload.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e5abfe2f-c669-42a3-9a0a-bdf9570208bc"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
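Review bot: The regenerated `waf` array at the end of this hunk still contains ten entries that are only case variants of five pillars (`"Performance"` and `"performance"`, `"Operations"` and `"operations"`, and so on), and the commit merely reorders them instead of collapsing the duplicates, which suggests the list is built from an unordered set of raw pillar strings. If that is the case, every regeneration will rewrite this block and bury the real change (the added `guid` fields above) in churn; the generator should normalize the pillar name to one canonical form before collecting it and emit a sorted, deduplicated list such as `[{"name": "cost"}, {"name": "operations"}, {"name": "performance"}, {"name": "reliability"}, {"name": "security"}]`. It is also worth confirming that the new `guid` values are derived deterministically or preserved from the existing file rather than drawn fresh on each run, since otherwise the next run replaces all of them. This JSON appears to be generated output, so the fix belongs in the generator rather than in this file; the same pattern recurs in the `waf` array of the preceding Azure Front Door hunk.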
@@ -426,6 +477,6 @@
"name": "Azure Kubernetes Service Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azuremachinelearning_sg_checklist.en.json b/checklists-ext/azuremachinelearning_sg_checklist.en.json
index e4c863d85..873179e6c 100644
--- a/checklists-ext/azuremachinelearning_sg_checklist.en.json
+++ b/checklists-ext/azuremachinelearning_sg_checklist.en.json
@@ -6,264 +6,297 @@
"service": "Azure Machine Learning",
"text": "Multi-region model deployment: For enhanced reliability and availability, consider a multi-region deployment environment when possible.",
"description": "A multi-region deployment ensures that your Machine Learning workloads continue to run even if one region experiences an outage. Multi-region deployment improves load distribution across regions, potentially enhancing performance for users located in different geographical areas. For more information, see Failover for business continuity and disaster recovery.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9fc5b64b-1e1a-4078-8d89-ee58f1c4e711"
},
{
"waf": "Reliability",
"service": "Azure Machine Learning",
"text": "Model training resiliency: Use checkpointing features supported by Machine Learning including Azure Container for PyTorch, the TensorFlow Estimator class, or the Run object and the FileDataset class that support model checkpointing.",
"description": "Model checkpointing periodically saves the state of your machine learning model during training, so that it can be restored in case of interruption, failure, or termination. For more information, see Boost checkpoint speed and reduce cost with Nebula.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4b5f3574-97aa-4f5e-beb5-1fae3c9f8b95"
},
{
"waf": "Reliability",
"service": "Azure Machine Learning",
"text": "Use the Dedicated virtual machine tier for compute clusters: Use the Dedicated virtual machine tier for compute clusters for batch inferencing to ensure your batch job isn't preempted.",
"description": "Low-priority virtual machines come at a reduced price but are preemptible. Clusters that use the Dedicated virtual machine tier aren't preempted.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d66e2a26-ae5f-4991-bbde-4b0760677b7d"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Security baseline: To enhance the security and compliance of your Machine Learning Service, apply the Azure security baseline for Machine Learning.",
"description": "The security baseline provides tailored guidance on crucial security aspects such as network security, identity management, data protection, and privileged access. For optimal security, use Microsoft Defender for Cloud to monitor these aspects.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4815b47d-64a5-4010-9a17-89f91790e23d"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Managed virtual network isolation: Configure managed virtual network isolation for Machine Learning. When you enable managed virtual network isolation, a managed virtual network is created for the workspace. Managed compute resources you create for the workspace automatically use this managed virtual network. If you can't implement managed virtual network isolation, then you must follow the network topology recommendations to separate compute into a dedicated subnet away from the rest of the resources in the solution, including the private endpoints for workspace resources.",
"description": "Managed virtual network isolation enhances security by isolating your workspace from other networks, reducing the risk of unauthorized access. In a scenario in which a breach occurs in another network within your organization, the isolated network of your Machine Learning workspace remains unaffected, protecting your machine learning workloads.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "eb4000ea-0aa2-4dc8-918e-0ea9dad778c3"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Machine Learning network isolation: Configure a private endpoint for your Machine Learning workspace and connect to the workspace over that private endpoint.",
"description": "Machine Learning network isolation enhances security by ensuring that access to your workspace is secure and controlled. With a private endpoint configured for your workspace, you can then limit access to your workspace to only occur over the private IP addresses.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dde6ce0a-6734-4e47-9860-47305641f3c8"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Allow only approved outbound access: Configure the outbound mode on the Machine Learning workspace managed outbound access to `Allow only approved outbound` to minimize the risk of data exfiltration. Configure private endpoints, service tags, or fully qualified domain names (FQDNs) for resources that you need to access.",
"description": "This configuration minimizes the risk of data exfiltration, improving data security. With this configuration enabled, a malicious actor who gains access to your system can\u2019t send your data to an unapproved external destination.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e7dc0d3b-de94-4d51-9deb-283c90ac955e"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Virtual network isolation for dependent services: Configure dependent services, such as Storage, Key Vault, and Container Registry with private endpoints and disable public access.",
"description": "Network isolation bolsters security by restricting access to Azure platform as a service (PaaS) solutions to private IP addresses only.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d5299777-93bb-4233-8420-f617c700e51a"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Managed identity: Use managed identities for authentication between Machine Learning and other services.",
"description": "Managed identities improve security by eliminating the need to store credentials and manually manage and rotate service principals.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1320acc1-2453-4af7-a484-232c7f487672"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Disable local authentication: Disable local authentication for Machine Learning compute clusters and instances.",
"description": "Disabling local authentication increases the security of your Machine Learning compute and provides centralized control and management of identities and resource credentials.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5163e567-cf02-4db1-aa8c-13335d5913e3"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Disable the public SSH port: Ensure the public Secure Shell (SSH) port is closed on the Machine Learning compute cluster by setting `remoteLoginPortPublicAccess` to `Disabled`. Apply a similar configuration if you use a different compute.",
"description": "Disabling SSH access helps prevent unauthorized individuals from gaining access and potentially causing harm to your system and protects you against brute force attacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5d0b43bc-7588-43cd-9a34-11d779cce318"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Don't provision public IP addresses for Machine Learning compute: Set enableNodePublicIp to `false` when provisioning Machine Learning compute clusters or compute instances. Apply a similar configuration if you use a different compute.",
"description": "Refrain from provisioning public IP addresses to enhance security by limiting the potential for unauthorized access to your compute instance or clusters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e70322de-d5c9-409d-9524-f495fd04071b"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Get the latest operating system image: Recreate compute instances to get the latest operating system image.",
"description": "Using the latest images ensures you're maintaining a consistent, stable, and secure environment, including ensuring you have the latest security patches.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b93a0e63-6d54-4065-9b94-4ffea5a81cc3"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Strict Machine Learning workspace access controls: Use Microsoft Entra ID groups to manage workspace access and adhere to the principle of least privilege for RBAC.",
"description": "Strict workspace access controls enhance security by ensuring that individuals have only the necessary permissions for their role. A data scientist, for instance, might have access to run experiments but not to modify security settings, minimizing potential security risks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7c1de0a4-ae28-464e-aaf2-1d8e162d1194"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Restrict model catalog deployments: Restrict model deployments to specific registries.",
"description": "Restricting the deployments from the model catalog to specific registries ensures you only deploy models to approved registries. This approach helps regulate access to the open-source foundational models.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fc675a42-35e6-4db4-a881-bcb68485993b"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Encrypt data at rest: Consider using customer-managed keys with Machine Learning.",
"description": "Encrypting data at rest enhances data security by ensuring that sensitive data is encrypted by using keys directly managed by you. If you have a regulatory requirement to manage your own encryption keys, use this feature to comply with that requirement.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0fd5a8dc-c8aa-4203-b60a-c4c3b29cdded"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Minimize the risk of data exfiltration: Implement data exfiltration prevention. For example, create a service endpoint policy to filter egress virtual network traffic and permit data exfiltration only to specific Azure Storage accounts.",
"description": "Minimize the risk of data exfiltration by limiting inbound and outbound requirements.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "140eeaf5-b8e9-4f38-ac81-23709d3505a4"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Optimize compute resources: Optimize your compute resources based on the requirements of your workload. Choose the SKU that best suits your workload:
- General Purpose \u2013 Balanced CPU to memory ratio, good for all purposes.
- Compute Optimized \u2013 High CPU to memory ratio, good for math-heavy computations.
- Memory Optimized \u2013 High memory to CPU, good for in-memory computations or database applications.
- M Series \u2013 Very large machines that have huge amounts of memory and CPU.
- GPU \u2013 Better for models with a high number of variables that can benefit from higher parallelism and specialized core instructions. Typical applications are deep learning, image or video processing, scientific simulations, data mining, and taking advantage of GPU development frameworks. Test with multiple families and document the results as your baseline. As your model and data evolve, the most adequate compute resource might change. Monitor execution times and reevaluate as needed.",
"description": "Selecting the right compute is critical as it directly impacts the cost of running your workload. Choosing a GPU or a high-performance SKU without proper usage can lead to wasteful spending, while choosing undersized compute can lead to prohibitively long training times and performance problems.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "865074f9-6695-439b-8afe-767f89e8236b"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Optimize compute scaling: Configure your compute clusters for autoscaling to ensure you only use what you need.For training clusters, set the minimum number of nodes to 0 and configure the amount of time the node is idle to an appropriate time. For less iterative experimentation, reduce the time to save costs. For more iterative experimentation, use a higher time to prevent paying for scaling up or down after each change.",
"description": "Configure autoscaling for compute clusters to scale down when their usage is low. Set the minimum number of nodes to 0 for training clusters to scale down to 0 when not in use.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "103217a3-a207-4d43-8053-79f48de00c95"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Set training termination policies: Set early termination policies to limit the duration of training runs or terminate them early.",
"description": "Setting termination policies can help you save costs by stopping nonperforming runs early.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fe491c00-6304-4aa2-a0f5-e7da262c2a35"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Use low-priority virtual machines for batch workloads: Consider using low-priority virtual machines for batch workloads that aren't time-sensitive and in which interruptions are recoverable.",
"description": "Low-priority virtual machines enable a large amount of compute power to be used for a low cost. They take advantage of surplus capacity in Azure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "10ed7b79-f99c-450e-9883-467ec8e7478a"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Enable idle shutdown for compute instances: Enable idle shutdown for compute instances or schedule a start and stop time if usage time is known.",
"description": "By default, compute instances are available to you, accruing cost. Configuring compute instances to shut down when idle or configuring a schedule for them saves cost when they aren't in use.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4662f51b-ae18-4b06-820a-1c2c224fc18b"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Parallelize training workloads: Consider parallelizing training workloads. Test running them with the help of the parallel components in Machine Learning.",
"description": "Parallel workloads can be run on multiple smaller instances, potentially yielding cost savings.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3b2133f2-181e-4501-a919-4460eebc5785"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Azure Reserved VM Instances: Purchase Azure Reserved VM Instances if you have a good estimate of usage over the next one to three years. Take advantage of reserved capacity options for services when you have good estimates of usage.",
"description": "Purchase Azure Reserved VM Instances to prepay for virtual machine usage and provide discounts with pay-as-you-go pricing. The discount is automatically applied for virtual machine usage that matches the reservation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ebed234e-9666-45ef-ac83-fe9cbf728d4c"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Minimize Machine Learning workspace instances: Minimize the number of workspaces, when possible, to reduce maintenance.",
"description": "Limiting the number of workspaces reduces the maintenance effort and cost of operation. For requirements, such as security, you might need multiple separate workspaces. Minimize the number of workspaces when possible.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c42c5cbb-269a-43c3-8c5c-b936cb55ac23"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Take advantage of model catalogs and registries: Take advantage of Machine Learning model catalogs and registries to store, version, and share machine learning assets.Use Machine Learning model catalogs to help you implement A/B testing and deployment of models.",
"description": "Use Machine Learning model registries to store and version your machine learning models to track changes and maintain lineage with the job and datasets used for training. With Machine Learning model catalogs, your data science teams can discover, evaluate, and fine tune pretrained foundational machine learning models. Storing versioned models in Machine Learning model registries supports deployment strategies such as A/B releases, canary releases, and rollbacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1126b7cc-4c6e-4131-9b60-6193c9d683cd"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Monitor model performance: Monitor the performance of your deployed models, and detect data drift on datasets.",
"description": "Monitoring deployed models ensures your models meet the performance requirements.Monitoring data drift helps you detect changes in the input data that can lead to a decline in your model\u2019s performance. Managing data drift helps you ensure that your model provides accurate results over time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d04648ab-beca-4fc0-bf66-ee2fdb30a15f"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Monitor infrastructure: If your models are deployed to online endpoints, enable Application Insights to monitor online endpoints and deployments.Monitor training infrastructure to ensure you're meeting your baseline requirements.Ensure you're collecting resource logs for Machine Learning.",
"description": "Monitoring endpoints gives you visibility into metrics such as request latency and requests per minute. You can compare your performance versus your baseline and use this information to make changes to compute resources accordingly. Monitoring metrics such as network bytes can alert you if you're approaching quota limits and prevent throttling.Likewise, monitoring your training environment provides you with the information to make changes to your training environment. Use that information to decide to scale in or out, scale up or down with different performant SKUs, or choose between CPUs or GPUs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1b331b25-29b6-48a1-83cd-66fe20f6019a"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Curate model training environments: Use curated environments optimized for Machine Learning, when available.",
"description": "Curated environments are pre-created environments provided by Machine Learning that speed up deployment time and reduce deployment and training latency. Using curated environments improves training and deployment success rates and avoids unnecessary image builds. Curated environments, such as Azure Container for PyTorch, can also be optimized for training large models on Machine Learning.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8546e6b3-0652-4f04-9412-ec3c58e67399"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Select appropriate compute services for model training: Consider Machine Learning compute clusters over compute instances for model training if you require autoscaling.Optimize your compute resources based on the training requirements. First choose between CPUs and GPUs. Default to CPUs, but consider GPUs for workloads such as deep learning, image or video processing, or large amounts of data. Next, choose the image SKU that best suits your workload.Use testing to choose the compute option that optimizes cost against training time when determining your baseline.",
"description": "Selecting the right compute is critical as it directly impacts the training time. Choosing the right SKU and CPU versus GPU ensures your model training can meet your requirements and performance targets. Choosing a low-performance SKU that's overused can lead to prohibitively long training times and performance problems. Compute clusters provide the ability to improve performance by scaling out workloads that support horizontal scaling. This method provides flexibility for handling workloads with different demands and lets you add or remove machines as needed.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "93e5a2e4-1c1a-4aef-ab50-d16a78f89d88"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Model deployment environment scaling: Use the deployment environment\u2019s autoscale capabilities. For AKS deployment environments, use the cluster autoscaler to scale to meet demand. For online endpoints, automatically scale via integration with the Azure Monitor autoscale feature.",
"description": "Autoscaling adjusts the number of instances of the deployed model to match demand.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e4fd3187-1d6a-4b19-ac21-500065d43640"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Monitor model performance: Monitor the performance of your deployed models.",
"description": "Tracking the performance of models in production alerts you to potential problems such as data drift, prediction drift, data quality, and feature attribution drift.Monitoring data drift helps you detect changes in the input data that can lead to a decline in your model\u2019s performance. Managing data drift helps you ensure that your model provides accurate results over time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8ac9a94b-d4fb-49d4-a820-9119f2941625"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Monitor infrastructure: Monitor online endpoints and integrate with Monitor to track and monitor the appropriate metrics and logs. Enable Application Insights when creating online deployments.Monitor training infrastructure and review resource usage such as memory and CPU or GPU usage when training models to ensure you're meeting your baseline requirements.",
"description": "Monitoring endpoints gives you visibility into metrics such as request latency and requests per minute. You can compare your performance versus your baseline and use this information to make changes to compute resources accordingly. Monitoring metrics such as network bytes can alert you if you're approaching quota limits and prevent throttling.Likewise, monitoring your training environment provides you with the information to make changes to your training environment. Use that information to decide to scale in or out, scale up or down with different performant SKUs, or choose between CPUs or GPUs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3625f61e-ac2b-4197-a345-7b8c4aa5de1a"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
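Review bot: The rewritten `waf` list still carries the same pillar names twice with only a case difference (`"Performance"` next to `"performance"`, `"Cost"` next to `"cost"`, and so on), and the only thing this hunk changes in that list is its order, which suggests the generator is deduplicating into a set without normalising case and then emitting it in iteration order. Every regeneration will then reorder these entries and produce a diff with no semantic change, and any consumer keying on the pillar name has to handle both spellings. If this file is produced by the service-guide action as it appears to be, the fix belongs in the generator: normalise the pillar once (`pillar.lower()` or the existing `short_pillar` helper) before collecting, and emit the list sorted so the output is stable. As written, the new side of this hunk is not something a reviewer can fix by hand without the generator overwriting it on the next run.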
@@ -300,6 +333,6 @@
"name": "Azure Machine Learning Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/azureopenai_sg_checklist.en.json b/checklists-ext/azureopenai_sg_checklist.en.json
index 278464dd3..04ee7f6c4 100644
--- a/checklists-ext/azureopenai_sg_checklist.en.json
+++ b/checklists-ext/azureopenai_sg_checklist.en.json
@@ -6,124 +6,137 @@
"service": "Azure Openai",
"text": "Monitor rate limits for pay-as-you-go: If you're using the pay-as-you-go approach, manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM).",
"description": "This important throughput information provides information required to ensure that you assign enough TPM from your quota to meet the demand for your deployments.Assigning enough quota prevents throttling of calls to your deployed models.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b6dcf0b3-8127-4e92-b4f7-0aae28e620f9"
},
{
"waf": "Reliability",
"service": "Azure Openai",
"text": "Monitor provision-managed utilization for provisioned throughput: If you're using the provisioned throughput payment model, monitor provision-managed utilization.",
"description": "It's important to monitor provision-managed utilization to ensure it doesn't exceed 100%, to prevent throttling of calls to your deployed models.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "25f3bd77-90be-4e7b-8857-96908638e111"
},
{
"waf": "Reliability",
"service": "Azure Openai",
"text": "Tune content filters: Tune content filters to minimize false positives from overly aggressive filters.",
"description": "Content filters block prompts or completions based on an opaque risk analysis. Ensure content filters are tuned to allow expected usage for your workload.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "643a72fc-8705-4146-84bf-72cb38e293b6"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Secure keys: If your architecture requires Azure OpenAI key-based authentication, store those keys in Azure Key Vault, not in application code.",
"description": "Separating secrets from code by storing them in Key Vault reduces the chance of leaking secrets. Separation also facilitates central management of secrets, easing responsibilities like key rotation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b10d9c77-58fc-4775-b218-0c295ebc32e6"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Restrict access: Disable public access to Azure OpenAI unless your workload requires it. Create private endpoints if you're connecting from consumers in an Azure virtual network.",
"description": "Controlling access to Azure OpenAI helps prevent attacks from unauthorized users. Using private endpoints ensures network traffic remains private between the application and the platform.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c9dfe61d-73ca-4761-8078-746eba6130b5"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Microsoft Entra ID: Use Microsoft Entra ID for authentication and to authorize access to Azure OpenAI by using role-based access control (RBAC). Disable local authentication in Azure AI Services and set `disableLocalAuth` to `true`. Grant identities that perform completions or image generation the Cognitive Services OpenAI User role. Grant model automation pipelines and ad-hoc data-science access a role like Cognitive Services OpenAI Contributor.",
"description": "Using Microsoft Entra ID centralizes the identity-management component and eliminates the use of API keys. Using RBAC with Microsoft Entra ID ensures that users or groups have exactly the permissions they need to do their job. This kind of fine-grained access control isn't possible with Azure OpenAI API keys.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5059e94f-cdff-4e02-8c32-aff6fd822de4"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Use customer-managed keys: Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI.",
"description": "Using customer-managed keys gives you greater flexibility to create, rotate, disable, and revoke access controls.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "46ba1b6c-9749-4496-8004-0243958ff025"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Protect against jailbreak attacks: Use Azure AI Content Safety Studio to detect jailbreak risks.",
"description": "Detect jailbreak attempts to identify and block prompts that try to bypass the safety mechanisms of your Azure OpenAI deployments.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0b2a72f5-5403-4fd5-a28d-6dc59c7bb452"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Design client code to set limits: Your custom clients should use the limit features of the Azure OpenAI completions API, such as maximum limit on the number of tokens per model (`max_tokens`) or number of completions to generation (`n`). Setting limits ensures that the server doesn't produce more than the client needs.",
"description": "Using API features to restrict usage aligns service consumption with client needs. This saves money by ensuring the model doesn't generate an overly long response that consumes more tokens than necessary.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "64e82ff7-9005-4f2d-8b98-7e7d3d91c97d"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Monitor pay-as-you-go usage: If you use the pay-as-you-go approach, monitor usage of TPM and RPM. Use that information to inform architectural design decisions such as what models to use, and to optimize prompt sizes.",
"description": "Continuously monitoring TPM and RPM gives you relevant metrics to optimize the cost of Azure OpenAI models. You can couple this monitoring with model features and model pricing to optimize model usage. You can also use this monitoring to optimize prompt sizes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c05fe060-791d-4ce3-bfc1-95bf9e1633b5"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Monitor provisioned throughput usage: If you use provisioned throughput, monitor provision-managed utilization to ensure you're not underutilizing the provisioned throughput you purchased.",
"description": "Continuously monitoring provision-managed utilization gives you the information you need to understand if you're underutilizing your provisioned throughput.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c36f1457-da39-416f-83d4-81365a542fc9"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Cost management: Use cost management features with OpenAI to monitor costs, set budgets to manage costs, and create alerts to notify stakeholders of risks or anomalies.",
"description": "Cost monitoring, setting budgets, and setting alerts provides governance with the appropriate accountability processes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7fc76005-932c-4cf8-b1fb-24913118e687"
},
{
"waf": "Operations",
"service": "Azure Openai",
"text": "Enable and configure Azure Diagnostics: Enable and configure Diagnostics for the Azure OpenAI Service.",
"description": "Diagnostics collects and analyzes metrics and logs, helping you monitor the availability, performance, and operation of Azure OpenAI.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "998a96ee-9218-4cee-9f3a-79d823873f6d"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
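Review bot: Every recommendation in this hunk gains a `guid` that is a freshly minted version-4 UUID, and nothing visible here ties the value to the recommendation's text or source position, so these identifiers presumably change on every regeneration of the file unless the generator reads back the existing guid first. If the guid is meant to be a stable key (the HEAD shows an `args_overwrite` flag being added to the service-guide action, which hints at that intent), the action should only assign a new guid when the existing checklist has none for that item, and the commit message should say which behaviour applies. A `"guidSource"` or similar note is not needed in the data; a one-line comment in the generator such as `# Reuse the guid from the previously published checklist so downstream references stay valid` would make the contract clear. This is a hedged observation from the data alone; the generator code that assigns the guid is outside this diff.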
@@ -160,6 +173,6 @@
"name": "Azure Openai Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/virtualmachines_sg_checklist.en.json b/checklists-ext/virtualmachines_sg_checklist.en.json
index 03449de33..4a514fabd 100644
--- a/checklists-ext/virtualmachines_sg_checklist.en.json
+++ b/checklists-ext/virtualmachines_sg_checklist.en.json
@@ -6,229 +6,257 @@
"service": "Virtual Machines",
"text": "(Scale set) Use Virtual Machine Scale Sets in Flexible orchestration mode to deploy VMs.",
"description": "Future-proof your application for scaling and take advantage of the high availability guarantees that spread VMs across fault domains in a region or an availability zone.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9e6f3dc6-2a5d-47b5-a551-a1a9810dd935"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(VMs) Implement heath endpoints that emit instance health statuses on VMs. (Scale set) Enable automatic repairs on the scale set by specifying the preferred repair action. Consider setting a time frame during which automatic repairs pause if the VM's state changes.",
"description": "Maintain availability even if an instance is deemed unhealthy. Automatic repairs initiate recovery by replacing the faulty instance. Setting a time window can prevent inadvertent or premature repair operations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5f7478db-999e-46f3-9881-10f662f252d4"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(Scale set) Enable overprovisioning on scale sets.",
"description": "Overprovisioning reduces deployment times and has a cost benefit because the extra VMs aren't billed.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c23b6808-0b13-4786-ae3d-6d5ec13b4bdd"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(Scale set) Allow Flexible orchestration to spread the VM instances across as many fault domains as possible.",
"description": "This option isolates fault domains. During maintenance periods, when one fault domain is updated, VM instances are available in the other fault domains.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "80eb3641-4ef3-45af-88d8-7125a7765b02"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(Scale set) Deploy across availability zones on scale sets. Set up at least two instances in each zone. Zone balancing equally spreads the instances across zones.",
"description": "The VM instances are provisioned in physically separate locations within each Azure region that are tolerant to local failures. Keep in mind that, depending on resource availability, there might be an uneven number of instances across zones. Zone balancing supports availability by making sure that, if one zone is down, the other zones have sufficient instances. Two instances in each zone provide a buffer during upgrades.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e7fcfb8c-dbd8-4c10-ab73-193b9992ba0d"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(VMs) Take advantage of the capacity reservations feature.",
"description": "Capacity is reserved for your use and is available within the scope of the applicable SLAs. You can delete capacity reservations when you no longer need them, and billing is consumption based.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "27744f26-46f0-405d-8776-a3fcc988990d"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(Scale set) Assign a managed identity to scale sets. All VMs in the scale set get the same identity through the specified VM profile. (VMs) You can also assign a managed identity to individual VMs when you create them and then add it to a scale set if needed.",
"description": "When VMs communicate with other resources, they cross a trust boundary. Scale sets and VMs should authenticate their identity before communication is allowed. Microsoft Entra ID handles that authentication by using managed identities.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7023aa88-e5da-44d3-9780-af7c27801969"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(Scale set) Choose VM SKUs with security features. For example, some SKUs support BitLocker encryption, and confidential computing provides encryption of data-in-use. Review the features to understand the limitations.",
"description": "Azure-provided features are based on signals that are captured across many tenants and can protect resources better than custom controls. You can also use policies to enforce those controls.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4993d5af-59fa-453f-85b8-b2dfa6a7104d"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs, scale set) Apply organization-recommended tags in the provisioned resources.",
"description": "Tagging is a common way to segment and organize resources and can be crucial during incident management. For more information, see Purpose of naming and tagging.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "46470ed3-87b7-4ead-b84f-1a4fc6dc279b"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs, scale set) Set a security profile with the security features that you want to enable in the VM configuration. For example, when you specify encryption at host in the profile, the data that's stored on the VM host is encrypted at rest and flows are encrypted to the storage service.",
"description": "The features in the security profile are automatically enabled when the VM is created. For more information, see Azure security baseline for Virtual Machine Scale Sets.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8a6c067c-0d4d-431d-9662-18afa0a1eb69"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs) Choose secure networking options for your VM's network profile. Don't directly associate public IP addresses to your VMs and don't enable IP forwarding. Ensure that all virtual network interfaces have an associated network security group.",
"description": "You can set segmentation controls in the networking profile. Attackers scan public IP addresses, which makes VMs vulnerable to threats.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "30b6c7bc-0358-498e-bdff-efa3ff1ddd8d"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs) Choose secure storage options for your VM's storage profile. Enable disk encryption and data-at-rest encryption by default. Disable public network access to the VM disks.",
"description": "Disabling public network access helps prevent unauthorized access to your data and resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e2547651-c250-4856-8efc-ccf94f88f410"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs, scale set) Include extensions in your VMs that protect against threats. For example, - Key Vault extension for Windows and Linux - Microsoft Entra ID authentication - Microsoft Antimalware for Azure Cloud Services and Virtual Machines - Azure Disk Encryption extension for Windows and Linux.",
"description": "The extensions are used to bootstrap the VMs with the right software that protects access to and from the VMs. Microsoft-provided extensions are updated frequently to keep up with the evolving security standards.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f3838a8a-b951-4afb-bde1-a85e8d6d68c9"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(VMs, scale set) Choose the right VM plan size and SKU. Identify the best VM sizes for your workload. Use the VM selector to identify the best VM for your workload. See Windows and Linux pricing. For workloads like highly parallel batch processing jobs that can tolerate some interruptions, consider using Azure Spot Virtual Machines. Spot virtual machines are good for experimenting, developing, and testing large-scale solutions.",
"description": "SKUs are priced according to the capabilities that they offer. If you don't need advanced capabilities, don't overspend on SKUs. Spot virtual machines take advantage of the surplus capacity in Azure at a lower cost.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2a4e2b58-ed4b-4e39-a271-51c457dcee2e"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(VMs, scale set) Evaluate the disk options that are associated with your VM's SKUs. Determine your performance needs while keeping in mind your storage capacity needs and accounting for fluctuating workload patterns. For example, the Azure Premium SSD v2 disk allows you to granularly adjust your performance independent of the disk's size.",
"description": "Some high-performance disk types offer extra cost optimization features and strategies. The Premium SSD v2 disk's adjustment capability can reduce costs because it provides high performance without overprovisioning, which could otherwise lead to underutilized resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "760507a2-2b33-4f34-8fd3-6316b5a66efb"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(Scale set) Mix regular VMs with spot virtual machines. Flexible orchestration lets you distribute spot virtual machines based on a specified percentage.",
"description": "Reduce compute infrastructure costs by applying the deep discounts of spot virtual machines.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "23c211be-371c-47f9-a748-3aec060ae861"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(Scale set) Reduce the number of VM instances when demand decreases. Set a scale-in policy based on criteria. Stop VMs during off-hours. You can use the Azure Automation Start/Stop feature and configure it according to your business needs.",
"description": "Scaling in or stopping resources when they're not in use reduces the number of VMs running in the scale set, which saves costs. The Start/Stop feature is a low-cost automation option.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "561d0ceb-45f3-4aa0-82c2-38b763a370fc"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(VMs, scale set) Take advantage of license mobility by using Azure Hybrid Benefit. VMs have a licensing option that allows you to bring your own on-premises Windows Server OS licenses to Azure. Azure Hybrid Benefit also lets you bring certain Linux subscriptions to Azure.",
"description": "You can maximize your on-premises licenses while getting the benefits of the cloud.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9b99f53f-5cb5-4da0-a98b-e038fcca9f46"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(Scale set) Virtual Machine Scale Sets in Flexible orchestration mode can help simplify the deployment and management of your workload. For example, you can easily manage self-healing by using automatic repairs.",
"description": "Flexible orchestration can manage VM instances at scale. Handing individual VMs adds operational overhead. For example, when you delete VM instances, the associated disks and NICs are also automatically deleted. VM instances are spread across multiple fault domains so that update operations don't disrupt service.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7bab3601-4f66-4bbf-907d-d0f831a60f78"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(Scale set) Keep your VMs up to date by setting an upgrade policy. We recommend rolling upgrades. However, if you need granular control, choose to upgrade manually. For Flexible orchestration, you can use Azure Update Manager.",
"description": "Security is the primary reason for upgrades. Security assurances for the instances shouldn't decay over time. Rolling upgrades are done in batches, which ensures all instances aren't down at the same time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5b759f0d-ad80-4545-9e4b-44056ec228ba"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(VMs, scale set) Automatically deploy VM applications from the Azure Compute Gallery by defining the applications in the profile.",
"description": "The VMs in the scale set are created and the specified apps are preinstalled, which makes management easier.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c2f4304e-5e0d-4f98-867f-8c550340a021"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "Install prebuilt software components as extensions as part of bootstrapping. Azure supports many extensions that can be used to configure, monitor, secure, and provide utility applications for your VMs. Enable automatic upgrades on extensions.",
"description": "Extensions can help simplify the software installation at scale without you having to manually install, configure, or upgrade it on each VM.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "12bb1904-9a08-465a-9fbd-2ecd862aaa06"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(VMs, scale set) Monitor and measure the health of the VM instances. Deploy the Monitor agent extension to your VMs to collect monitoring data from the guest OS with OS-specific data collection rules. Enable VM insights to monitor health and performance and to view trends from the collected data. Use boot diagnostics to get information as VMs boot. Boot diagnostics also diagnose boot failures.",
"description": "Monitoring data is at the core of incident resolution. A comprehensive monitoring stack provides information about how the VMs are performing and their health. By continuously monitoring the instances, you can be ready for or prevent failures like performance overload and reliability issues.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "01942d35-b702-41bc-9c34-34f18da7bb0c"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Choose SKUs for VMs that align with your capacity planning. Have a good understanding of your workload requirements, including the number of cores, memory, storage, and network bandwidth so that you can filter out unsuitable SKUs.",
"description": "Rightsizing your VMs is a fundamental decision that significantly affects the performance of your workload. Without the right set of VMs, you might experience performance issues and accrue unnecessary costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "30d448f0-47b5-4658-a4f2-da8cb72f79e1"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Deploy latency-sensitive workload VMs in proximity placement groups.",
"description": "Proximity placement groups reduce the physical distance between Azure compute resources, which can improve performance and reduce network latency between stand-alone VMs, VMs in multiple availability sets, or VMs in multiple scale sets.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "14a7c24e-88ec-4509-b3b8-452e69d729ea"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Set the storage profile by analyzing the disk performance of existing workloads and the VM SKU. Use Premium SSDs for production VMs. Adjust the performance of disks with Premium SSD v2. Use locally attached NVMe devices.",
"description": "Premium SSDs deliver high-performance and low-latency disk support VMs with I/O-intensive workloads. Premium SSD v2 doesn't require disk resizing, which enables high performance without excessive over-provisioning and minimizes the cost of unused capacity. When available on VM SKUs, locally attached NVMe or similar devices can offer high performance, especially for use cases that require high input/output operations per second (IOPS) and low latency.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5c29d96d-7a19-4eb4-9830-fad2b49e03be"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs) Consider enabling accelerated networking.",
"description": "It enables single root I/O virtualization (SR-IOV) to a VM, which greatly improves its networking performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4c376dc7-a1b7-42d8-85fb-ff807e0dee45"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Set autoscale rules to increase or decrease the number of VM instances in your scale set based on demand.",
"description": "If your application demand increases, the load on the VM instances in your scale set increases. Autoscale rules ensure that you have enough resources to meet the demand.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "79cef879-8b12-4e7c-ad74-6aad9c37305a"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
@@ -265,6 +293,6 @@
"name": "Virtual Machines Service Guide",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/checklists-ext/wafsg_checklist.en.json b/checklists-ext/wafsg_checklist.en.json
index b5a385a35..31de6fcbe 100644
--- a/checklists-ext/wafsg_checklist.en.json
+++ b/checklists-ext/wafsg_checklist.en.json
@@ -6,4884 +6,6678 @@
"service": "App Service Web Apps",
"text": "Prioritize user flows: Not all flows are equally critical. Assign priorities to each flow to guide your design decisions. User flow design can influence which service tiers and number of instances that you choose for an App Service plan and configuration.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "e545b2de-84e1-4c41-81a6-46914c8e72cf"
},
{
"waf": "reliability",
"service": "App Service Web Apps",
"text": "Anticipate potential failures: Plan mitigation strategies for potential failures. The following table shows examples of failure mode analysis.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "f5e1c56f-e3a8-4dbd-b235-fdb88c41216d"
},
{
"waf": "reliability",
"service": "App Service Web Apps",
"text": "Build redundancy: Build redundancy in the application and supporting infrastructure. Spread instances across availability zones to improve fault tolerance. Traffic is routed to other zones if one zone fails. Deploy your application across multiple regions to ensure that your app remains available, even if an entire region experiences an outage.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "87816451-1e4f-42f0-a497-753b966193b0"
},
{
"waf": "reliability",
"service": "App Service Web Apps",
"text": "Have a reliable scaling strategy: Unexpected load on an application can make it unreliable. Consider the right scaling approach based on your workload characteristics. You can sometimes scale up to handle the load. However, if the load continues to increase, scale out to new instances. Prefer automatic scaling over manual approaches. Always maintain a buffer of extra capacity during scaling operations to prevent performance degradation.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "e03792ee-d7db-4ec3-8596-9d77baf09f8f"
},
{
"waf": "reliability",
"service": "App Service Web Apps",
"text": "Plan your recoverability: Redundancy is crucial for business continuity. Fail over to another instance if one instance is unreachable. Explore automatic healing capabilities in App Service, such as automatic repair of instances.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "bc69b314-43db-4c70-8b68-fcaf3b01137e"
},
{
"waf": "reliability",
"service": "App Service Web Apps",
"text": "Conduct reliability testing: Conduct load testing to evaluate your application's reliability and performance under load. Test plans should include scenarios that validate your automated recovery operations.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "04ae0e82-112b-4433-8a90-273a5684b328"
},
{
"waf": "reliability",
"service": "App Service Web Apps",
"text": "Use health probes to identify unresponsive workers: App Service has built-in capabilities that periodically ping a specific path of your web application. Unresponsive instances are removed from the load balancer and replaced with a new instance.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "10e2e605-ef6e-4f70-a77f-15ba305c15d7"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service plan) Choose the Premium tier of an App Service plan for production workloads. Set the maximum and minimum number of workers according to your capacity planning. For more information, see App Service plan overview.",
"description": "A premium App Service plan offers advanced scaling features and ensures redundancy if failures occur.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9ba4ebdd-a039-47e8-bff9-884e1852a030"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service plan) Enable zone redundancy. Consider provisioning more than three instances to enhance fault tolerance. Check regional support for zone redundancy because not all regions offer this feature.",
"description": "Your application can withstand failures in a single zone when multiple instances are spread across zones. Traffic automatically shifts to healthy instances in other zones and maintains application reliability if one zone is unavailable.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f6d4a1ff-bf30-4477-823d-b2163667a87d"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service) Consider disabling the application request routing (ARR) affinity feature. ARR affinity creates sticky sessions that redirect users to the node that handled their previous requests.",
"description": "Incoming requests are evenly distributed across all available nodes when you disable ARR affinity. Evenly distributed requests prevent traffic from overwhelming any single node. Requests can be seamlessly redirected to other healthy nodes if a node is unavailable. Avoid session affinity to ensure that your App Service instance remains stateless. A stateless App Service reduces complexity and ensures consistent behavior across nodes. Remove sticky sessions so that App Service can add or remove instances to scale horizontally.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "784f255c-4436-47c2-a1fc-65de9b5de39e"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service) Define automatic healing rules based on request count, slow requests, memory limits, and other indicators that are part of your performance baseline. Consider this configuration as part of your scaling strategy.",
"description": "Automatic healing rules help your application recover automatically from unexpected problems. The configured rules trigger healing actions when thresholds are breached. Automatic healing enables automatic proactive maintenance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "152ed4b6-dba0-4737-92c1-441704fbfe83"
},
{
"waf": "Reliability",
"service": "App Service Web Apps",
"text": "(App Service) Enable the health check feature and provide a path that responds to the health check requests.",
"description": "Health checks can detect problems early. Then the system can automatically take corrective actions when a health check request fails. The load balancer routes traffic away from unhealthy instances, which directs users to healthy nodes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "874fa451-0ef2-4638-8cfd-c07cef131d7f"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Review security baselines: To enhance the security posture of your application that's hosted on an App Service plan, review the security baseline for App Service.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "44ba257f-d6b6-4eed-b5a1-eff3dcb027e8"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Use the latest runtime and libraries: Thoroughly test your application builds before you do updates to catch problems early and ensure a smooth transition to the new version. App Service supports the language runtime support policy for updating existing stacks and retiring end-of-support stacks.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "4133fafa-441c-4d27-bfd1-f76a58ab6620"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Create segmentation through isolation boundaries to contain breach: Apply identity segmentation. For example, implement role-based access control (RBAC) to assign specific permissions based on roles. Follow the principle of least privilege to limit access rights to only what's necessary. Also create segmentation at the network level. Inject App Service apps in an Azure virtual network for isolation and define network security groups (NSGs) to filter traffic.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "dbeebd4f-c94a-4060-a2ac-c523b3e64a3d"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Apply access controls on identities: Restrict both inward access to the web app and outward access from the web app to other resources. This configuration applies access controls on identities and helps maintain the workload's overall security posture.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "5bb8daca-fde8-45bf-82f6-e55cdb28da05"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Control network traffic to and from the application: Don't expose application endpoints to the public internet. Instead, add a private endpoint on the web app that's placed in a dedicated subnet. Front your application with a reverse proxy that communicates with that private endpoint. Consider using Application Gateway or Azure Front Door for that purpose.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "e9b8f604-ff04-4eef-9949-bd6c23179186"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Encrypt data: Protect data in transit with end-to-end Transport Layer Security (TLS). Use your customer-managed keys for full encryption of data at rest. For more information, see Encryption at rest using customer-managed keys.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "4ed59aaa-9948-4387-975e-11e1fc65ff40"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Reduce the attack surface: Remove default configurations that you don't need. For example, disable remote debugging, local authentication for Source Control Manager (SCM) sites, and basic authentication. Disable unsecure protocols like HTTP and File Transfer Protocol (FTP). Enforce configurations through Azure policies. For more information, see Azure policies.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "d63a7c58-a495-4ff3-a164-88e8eac4febf"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Protect application secrets: You need to handle sensitive information, like API keys or authentication tokens. Instead of hardcoding these secrets directly into your application code or configuration files, you can use Azure Key Vault references in app settings. When the application starts, App Service automatically retrieves the secret values from Key Vault by using the app's managed identity.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "0545fb6c-0662-4ffd-8834-7d4d4ac7f2bb"
},
{
"waf": "security",
"service": "App Service Web Apps",
"text": "Enable resource logs for your application: Enable resource logs for your application to create comprehensive activity trails that provide valuable data during investigations that follow security incidents.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "1c90ec2a-85e3-400e-8937-22686ac115b8"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Assign managed identities to the web app. To maintain isolation boundaries, don't share or reuse identities across applications. Make sure that you securely connect to your container registry if you use containers for your deployment.",
"description": "The application retrieves secrets from Key Vault to authenticate outward communication from the application. Azure manages the identity and doesn't require you to provision or rotate any secrets. You have distinct identities for granularity of control. Distinct identities make revocation easy if an identity is compromised.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "14bc5ea3-400b-4bbf-9187-f0b21505173d"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Configure custom domains for applications. Disable HTTP and only accept HTTPS requests.",
"description": "Custom domains enable secure communication through HTTPS using Transport Layer Security (TLS) protocol, which ensures the protection of sensitive data and builds user trust.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ef64b1c3-a41f-4913-8ac4-27be04d96d10"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) valuate whether App Service built-in authentication is the right mechanism to authenticate users that access your application. App Service built-in authentication integrates with Microsoft Entra ID. This feature handles token validation and user identity management across multiple sign-in providers and supports OpenID Connect. With this feature, you don't have authorization at a granular level, and you don't have a mechanism to test authentication.",
"description": "When you use this feature, you don't have to use authentication libraries in application code, which reduces complexity. The user is already authenticated when a request reaches the application.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8cde5bed-8dd0-4a16-ae15-0672275bd473"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Configure the application for virtual network integration. Use private endpoints for App Service apps. Block all public traffic. Route the container image pull through the virtual network integration. All outgoing traffic from the application passes through the virtual network.",
"description": "Get the security benefits of using an Azure virtual network. For example, the application can securely access resources within the network. Add a private endpoint to help protect your application. Private endpoints limit direct exposure to the public network and allow controlled access through the reverse proxy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "703d13a6-d768-443b-b9f9-4e31d74767f9"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) To implement hardening: - Disable basic authentication that uses a username and password in favor of Microsoft Entra ID-based authentication. - Turn off remote debugging so that inbound ports aren't opened. - Enable CORS policies to tighten incoming requests. - Disable protocols, such as FTP.",
"description": "We don't recommend basic authentication as a secure deployment method. Microsoft Entra ID employs OAuth 2.0 token-based authentication, which offers numerous advantages and enhancements that address the limitations that are associated with basic authentication. Policies restrict access to application resources, only allow requests from specific domains, and secure cross-region requests.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "78fd4f02-98f6-459c-882c-5f0d659a2251"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service) Always use Key Vault references as app settings.",
"description": "Secrets are kept separate from your app's configuration. App settings are encrypted at rest. App Service also manages secret rotations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "59402f53-7298-4295-b919-609d8fc73876"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service plan) Enable Microsoft Defender for Cloud for App Service.",
"description": "Get real-time protection for resources that run in an App Service plan. Guard against threats and enhance your overall security posture.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "def198c3-8a34-4d8f-8e46-91b6f36064ab"
},
{
"waf": "Security",
"service": "App Service Web Apps",
"text": "(App Service plan) Enable diagnostic logging and add instrumentation to your app. The logs are sent to Azure Storage accounts, Azure Event Hubs, and Log Analytics. For more information about audit log types, see Supported log types.",
"description": "Logging captures access patterns. It records relevant events that provide valuable insights into how users interact with an application or platform. This information is crucial for accountability, compliance, and security purposes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "603bf106-42e6-43d3-a8e0-4470d05093b9"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Estimate the initial cost: As part of your cost modeling exercise, use the Azure pricing calculator to evaluate the approximate costs associated with various tiers based on the number of instances that you plan to run. Each App Service tier offers different compute options.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "551337b1-cb7a-4f60-870b-331efa943936"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Evaluate the discounted options: Higher tiers include dedicated compute instances. You can apply a reservation discount if your workload has a predictable and consistent usage pattern. Make sure that you analyze usage data to determine the type of reservation that suits your workload. For more information, see Save costs with App Service reserved instances.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "692ab2db-ff92-44e9-ae54-910c66389e0d"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Understand usage meters: Azure charges an hourly rate, prorated to the second, based on your App Service plan's pricing tier. Charges apply to each scaled-out instance in your plan, based on the time that you allocate the VM instance. Pay attention to underused compute resources that might increase your costs as a result of overallocation due to suboptimal SKU selection, or poorly configured scale-in configuration.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "84808948-46c4-4cd5-aa74-b79826a19b32"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Consider the tradeoffs between density and isolation: You can use App Service plans to host multiple applications on the same compute, which saves costs with shared environments. For more information, see Tradeoffs.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "66723d3b-34de-4f55-8861-299453c5b6d8"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Evaluate the effect of your scaling strategy on cost: You must properly design, test, and configure for scaling out and for scaling in when you implement autoscaling. Establish precise maximum and minimum limits on autoscaling.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "289a2a9d-eda1-4be4-af63-23d230194724"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Optimize environment costs: Consider the Basic or Free tier to run pre-production environments. These tiers are low performance and low cost. If you use the Basic or Free tier, use governance to enforce the tier, constrain the number of instances and CPUs, restrict scaling, and limit log retention.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "4e2a03a6-ff51-46c5-902d-3d7161d9c99c"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Implement design patterns: This strategy reduces the volume of requests that your workload generates. Consider using patterns like the Backends for Frontends pattern and the Gateway Aggregation pattern, which can minimize the number of requests and reduce costs.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "7ce7bbb5-df18-4e4d-86b6-83e25e835457"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Regularly check data-related costs: Extended data retention periods or expensive storage tiers can lead to high storage costs. More expenses can accumulate due to both bandwidth usage and prolonged retention of logging data.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "b7564349-7885-4f66-89ae-b732adaf29ae"
},
{
"waf": "cost",
"service": "App Service Web Apps",
"text": "Optimize deployment costs: Take advantage of deployment slots to optimize costs. The slot runs in the same compute environment as the production instance. Use them strategically for scenarios like blue-green deployments that switch between slots. This approach minimizes downtime and ensures smooth transitions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "41026085-4728-4bff-abbe-be08a46e4735"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service plan) Choose Free or Basic tiers for lower environments. We recommend these tiers for experimental use. Remove the tiers when you no longer need them.",
"description": "The Free and Basic tiers are budget-friendly compared to higher tiers. They provide a cost-effective solution for nonproduction environments that don't need the full features and performance of premium plans.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dc84dbbc-6816-48ae-9926-e52e68d4273e"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service plan) Take advantage of discounts and explore preferred pricing for: - Lower environments with dev/test plans. - Azure reservations and Azure savings plans for dedicated compute that you provision in the Premium V3 tier and App Service Environment. Use reserved instances for stable workloads that have predictable usage patterns.",
"description": "Dev/test plans provide reduced rates for Azure services, which makes them cost-effective for nonproduction environments. Use reserved instances to prepay for compute resources and get significant discounts.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1572941a-e08a-4d0c-bae6-5af048bbcc2a"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service) Monitor costs that App Service resources incur. Run the cost analysis tool in the Azure portal. Create budgets and alerts to notify stakeholders.",
"description": "You can identify cost spikes, inefficiencies, or unexpected expenses early on. This proactive approach helps you to provide budgetary controls to prevent overspending.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "83127c0d-df6c-4785-be24-e54d0933118d"
},
{
"waf": "Cost",
"service": "App Service Web Apps",
"text": "(App Service plan) Scale in when demand decreases. To scale in, define scale rules to reduce the number of instances in Azure Monitor.",
"description": "Prevent wastage and reduce unnecessary expenses.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a14a3b78-26d3-4159-975b-df8e82c9590e"
},
{
"waf": "operations",
"service": "App Service Web Apps",
"text": "Manage releases: Use deployment slots to manage releases effectively. You can deploy your application to a slot, perform testing, and validate its functionality. After verification, you can seamlessly move the app to production. This process doesn't incur extra costs because the slot runs in the same virtual machine (VM) environment as the production instance.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "d4909fdf-867b-43b7-828d-197247a83530"
},
{
"waf": "operations",
"service": "App Service Web Apps",
"text": "Run automated tests: Before you promote a release of your web app, thoroughly test its performance, functionality, and integration with other components. Use Azure Load Testing, which integrates with Apache JMeter, a popular tool for performance testing. Explore automated tools for other types of testing, such as Phantom for functional testing.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "a4224cce-1a82-4c9e-a488-86bb6b215a39"
},
{
"waf": "operations",
"service": "App Service Web Apps",
"text": "Deploy immutable units: Implement the Deployment Stamps pattern to compartmentalize App Service into an immutable stamp. App Service supports the use of containers, which are inherently immutable. Consider custom containers for your App Service web app.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "669390a7-ea5f-4e73-ba58-bf3606702be1"
},
{
"waf": "operations",
"service": "App Service Web Apps",
"text": "Keep production environments safe: Create separate App Service plans to run production and pre-production environments. Don't make changes directly in the production environment to ensure stability and reliability. Separate instances allow flexibility in development and testing before you promote changes to production.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "6e19d92c-1d22-486b-81d2-bb3125e74231"
},
{
"waf": "operations",
"service": "App Service Web Apps",
"text": "Manage certificates: For custom domains, you need to manage TLS certificates.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "dc4ab7a7-f32b-44e3-a2e5-830459d5359a"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service) Monitor the health of your instances and activate instance health probes. Set up a specific path for handling health probe requests.",
"description": "You can detect problems promptly and take necessary actions to maintain availability and performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2bf6f5fc-cc4d-4ae3-98bc-ce4d42fafc32"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service) Enable diagnostics logs for the application and the instance. Frequent logging can slow down the performance of the system, add to storage costs, and introduce risk if you have unsecure access to logs. Follow these best practices: - Log the right level of information. - Set retention policies. - Keep an audit trail of authorized access and unauthorized attempts. - Treat logs as data and apply data-protection controls.",
"description": "Diagnostic logs provide valuable insights into your app's behavior. Monitor traffic patterns and identify anomalies.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "306767a6-b162-4b64-91a0-091a3d3b37cb"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service) Take advantage of App Service managed certificates to offload certification management to Azure.",
"description": "App Service automatically handles processes like certificate procurement, certificate verification, certificate renewal, and importing certificates from Key Vault. Alternatively, upload your certificate to Key Vault and authorize the App Service resource provider to access it.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "471061e9-3f5f-43a3-a861-79108871cf91"
},
{
"waf": "Operations",
"service": "App Service Web Apps",
"text": "(App Service plan) Validate app changes in the staging slot before you swap it with the production slot.",
"description": "Avoid downtime and errors. Quickly revert to the last-known good state if you detect a problem after a swap.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "02d5a8b1-6038-49c3-96b1-87ac56064269"
},
{
"waf": "performance",
"service": "App Service Web Apps",
"text": "Identify and monitor performance indicators: Set targets for the key indicators for the application, such as the volume of incoming requests, time that the application takes to respond to requests, pending requests, and errors in HTTP responses. Consider key indicators as part of the performance baseline for the workload.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "bebcf697-35e6-4f4d-abce-329e52c87367"
},
{
"waf": "performance",
"service": "App Service Web Apps",
"text": "Assess capacity: Simulate various user scenarios to determine the optimal capacity that you need to handle expected traffic. Use Load Testing to understand how your application behaves under different levels of load.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "26455527-f19a-43ef-adf4-29ed5e966a44"
},
{
"waf": "performance",
"service": "App Service Web Apps",
"text": "Select the right tier: Use dedicated compute for production workloads. Premium tiers offer larger SKUs with increased memory and CPU capacity, more instances, and more features, such as zone redundancy. For more information, see Premium V3 pricing tier.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "5ae81d49-ba81-423f-b8a2-d7a29a30f349"
},
{
"waf": "performance",
"service": "App Service Web Apps",
"text": "Optimize your scaling strategy: When possible, use autoscaling instead of manually adjusting the number of instances as application load changes. With autoscaling, App Service adjusts server capacity based on predefined rules or triggers. Make sure you do adequate performance testing and set the right rules for the right triggers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "4cb7ff21-66c1-4347-b93c-5c4073b3c4af"
},
{
"waf": "performance",
"service": "App Service Web Apps",
"text": "Use caching: Retrieving information from a resource that doesn't change frequently and is expensive to access affects performance. Complex queries, including joins and multiple lookups, contribute to runtime. Perform caching to minimize the processing time and latency. Cache query results to avoid repeated round trips to the database or back end and reduce processing time for subsequent requests.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "66321b11-3e45-4fa8-9afa-b5f9d6894c28"
},
{
"waf": "performance",
"service": "App Service Web Apps",
"text": "Review the performance antipatterns: To make sure the web application performs and scales in accordance with your business requirements, avoid the typical antipatterns. Here are some antipatterns that App Service corrects.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/app-service-web-apps.md",
+ "guid": "62ea8582-63cb-4ac6-8a73-c800a2a0428a"
},
{
"waf": "Performance",
"service": "App Service Web Apps",
"text": "Enable the Always On setting when applications share a single App Service plan. App Service apps automatically unload when idle to save resources. The next request triggers a cold start, which can cause request timeouts.",
"description": "The application is never unloaded with Always On enabled.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "225c3a4c-ee57-48b4-99f4-93d4c4884f4d"
},
{
"waf": "Performance",
"service": "App Service Web Apps",
"text": "Consider using HTTP/2 for applications to improve protocol efficiency.",
"description": "Choose HTTP/2 over HTTP/1.1 because HTTP/2 fully multiplexes connections, reuses connections to reduce overhead, and compresses headers to minimize data transfer.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4b759c59-9b6c-44d9-a7e1-1826948deb4a"
},
{
"waf": "reliability",
"service": "Azure Application Gateway",
"text": "Deploy the instances in a zone-aware configuration, where available.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "dc6efb36-f70f-41ed-aaf2-f8667781c123"
},
{
"waf": "reliability",
"service": "Azure Application Gateway",
"text": "Use Application Gateway with Web Application Firewall (WAF) within a virtual network to protect inbound `HTTP/S` traffic from the Internet.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "56195bba-5bc2-4f00-976e-f2734b46fe2b"
},
{
"waf": "reliability",
"service": "Azure Application Gateway",
"text": "In new deployments, use Azure Application Gateway v2 unless there is a compelling reason to use Azure Application Gateway v1.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "1b30c500-4ccd-4608-be41-d21c58fb0bb4"
},
{
"waf": "reliability",
"service": "Azure Application Gateway",
"text": "Plan for rule updates",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "174a65f5-51ca-483e-937f-9096d4468afa"
},
{
"waf": "reliability",
"service": "Azure Application Gateway",
"text": "Use health probes to detect backend unavailability",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "ca9df7df-8e89-4216-b9a2-0384af19938d"
},
{
"waf": "reliability",
"service": "Azure Application Gateway",
"text": "Review the impact of the interval and threshold settings on health probes",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "9754bccf-e2a5-4b36-9bca-058ec0a08fff"
},
{
"waf": "reliability",
"service": "Azure Application Gateway",
"text": "Verify downstream dependencies through health endpoints",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "cdc7160c-bc9d-40d9-ba43-bc9fa804c8c6"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "Plan for rule updates",
"description": "Plan enough time for updates before accessing Application Gateway or making further changes. For example, removing servers from backend pool might take some time because they have to drain existing connections.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "67b006ed-a8b2-4f66-806b-ed9d83f94982"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "Use health probes to detect backend unavailability",
"description": "If Application Gateway is used to load balance incoming traffic over multiple backend instances, we recommend the use of health probes. These will ensure that traffic is not routed to backends that are unable to handle the traffic.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6dcb1632-2ca3-411f-8555-69d689b8054f"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "Review the impact of the interval and threshold settings on health probes",
"description": "The health probe sends requests to the configured endpoint at a set interval. Also, there's a threshold of failed requests that will be tolerated before the backend is marked unhealthy. These numbers present a trade-off.- Setting a higher interval puts a higher load on your service. Each Application Gateway instance sends its own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.- Setting a lower interval leaves more time before an outage is detected.- Setting a low unhealthy threshold might mean that short, transient failures might take down a backend. - Setting a high threshold it can take longer to take a backend out of rotation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1690d11b-f93e-4bc4-9db3-25e56a9b2699"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "Verify downstream dependencies through health endpoints",
"description": "Suppose each backend has its own dependencies to ensure failures are isolated. For example, an application hosted behind Application Gateway might have multiple backends, each connected to a different database (replica). When such a dependency fails, the application might be working but won't return valid results. For that reason, the health endpoint should ideally validate all dependencies. Keep in mind that if each call to the health endpoint has a direct dependency call, that database would receive 100 queries every 30 seconds instead of 1. To avoid this, the health endpoint should cache the state of the dependencies for a short period of time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f5d846c8-9341-4a57-a77e-ccf4e9818c7f"
},
{
"waf": "Reliability",
"service": "Azure Application Gateway",
"text": "When using Azure Front Door and Application Gateway to protect `HTTP/S` applications, use WAF policies in Front Door and lock down Application Gateway to receive traffic only from Azure Front Door.",
"description": "Certain scenarios can force you to implement rules specifically on Application Gateway. For example, if ModSec CRS 2.2.9, CRS 3.0 or CRS 3.1 rules are required, these rules can be only implemented on Application Gateway. Conversely, rate-limiting and geo-filtering are available only on Azure Front Door, not on AppGateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f3b0ac39-7b7c-4fea-a540-6aa367afbc12"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "Set up a TLS policy for enhanced security",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "297b842f-979b-474d-aa48-b6799a76c083"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "Use AppGateway for TLS termination",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "61aac352-64e1-4351-8bc5-7dd84996adc6"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "Use Azure Key Vault to store TLS certificates",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "2e0b6e8f-2784-4ea8-bec5-a128ddce6c98"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "d3ed4722-efc4-4567-b9fe-e4254225913e"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "Use an appropriate DNS server for backend pool resources",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "24847b21-1c0f-4ac9-9c00-f116155257b3"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "Comply with all NSG restrictions for Application Gateway",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "12e359f5-1252-4fdf-83e8-542e5d5d34d8"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "Refrain from using UDRs on the Application Gateway subnet",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "4890a129-6456-48e0-843c-195848a1eeea"
},
{
"waf": "security",
"service": "Azure Application Gateway",
"text": "Be aware of Application Gateway capacity changes when enabling WAF",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "1c10e986-48da-4cf8-acd6-2a7f7c940735"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Set up a TLS policy for enhanced security",
"description": "Set up a TLS policy for extra security. Ensure you're always using the latest TLS policy version available. This enforces TLS 1.2 and stronger ciphers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7547ed98-86fb-4a8f-94d8-162c5d6fd39d"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Use AppGateway for TLS termination",
"description": "There are advantages of using Application Gateway for TLS termination:- Performance improves because requests going to different backends to have to re-authenticate to each backend.- Better utilization of backend servers because they don't have to perform TLS processing- Intelligent routing by accessing the request content.- Easier certificate management because the certificate only needs to be installed on Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "726e1bc8-2b65-4393-a9a5-1b73976c89ef"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Use Azure Key Vault to store TLS certificates",
"description": "Application Gateway can be integrated with Key Vault. This provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5692cf86-c36a-4c1b-a73f-1a73f5728cd0"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)",
"description": "A TLS certificate of the backend server must be issued by a well-known CA. If the certificate was not issued by a trusted CA, the Application Gateway checks if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate is found. Only then a secure connection is established. Otherwise, Application Gateway marks the backend as unhealthy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "08b9ecd4-7e8b-40a1-803b-bad57bec80ea"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Use an appropriate DNS server for backend pool resources",
"description": "When the backend pool contains a resolvable FQDN, the DNS resolution is based on a private DNS zone or custom DNS server (if configured on the VNet), or it uses the default Azure-provided DNS.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "694b80a2-72fb-4d42-a249-e9c86fb4d00a"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Comply with all NSG restrictions for Application Gateway",
"description": "NSGs are supported on Application Gateway subnet, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions. For details, see Network security groups.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fc06eb7c-1989-4048-9c2f-6fc6e48fc334"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Refrain from using UDRs on the Application gateway subnet",
"description": "Using User Defined Routes (UDR) on the Application Gateway subnet can cause some issues. Health status in the back-end might be unknown. Application Gateway logs and metrics might not get generated. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics. If your organizations require to use UDR in the Application Gateway subnet, please ensure you review the supported scenarios. For more information, see Supported user-defined routes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9ba32fa7-9880-47f8-aaed-93097fe35c99"
},
{
"waf": "Security",
"service": "Azure Application Gateway",
"text": "Be aware of Application Gateway capacity changes when enabling WAF",
"description": "When WAF is enabled, every request must be buffered by the Application Gateway until it fully arrives, checks if the request matches with any rule violation in its core rule set, and then forwards the packet to the backend instances. When there are large file uploads (30MB+ in size), it can result in a significant latency. Because Application Gateway capacity requirements are different with WAF, we do not recommend enabling WAF on Application Gateway without proper testing and validation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fb24f724-e47b-46ec-a3cb-426fe159fdbf"
},
{
"waf": "cost",
"service": "Azure Application Gateway",
"text": "Familiarize yourself with Application Gateway pricing",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "30cbe437-b17d-45ad-a42e-a26bef6f4b77"
},
{
"waf": "cost",
"service": "Azure Application Gateway",
"text": "Review underutilized resources",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "74ad737c-cbb8-4e91-84b7-2aa937b37ede"
},
{
"waf": "cost",
"service": "Azure Application Gateway",
"text": "Stop Application Gateway instances that are not in use",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "a36bac4f-bf10-44c6-a51e-0d845162b3af"
},
{
"waf": "cost",
"service": "Azure Application Gateway",
"text": "Have a scale-in and scale-out policy",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "96bcda1b-240a-4d4b-93fa-6872b549d711"
},
{
"waf": "cost",
"service": "Azure Application Gateway",
"text": "Review consumption metrics across different parameters",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "0ce550b6-f2ed-428c-b8c2-b224c065a0db"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Familiarize yourself with Application Gateway pricing",
"description": "For information about Application Gateway pricing, see Understanding Pricing for Azure Application Gateway and Web Application Firewall. You can also leverage the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6f1432ef-61d2-4037-8f85-58e005d16b8c"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Review underutilized resources",
"description": "Identify and delete Application Gateway instances with empty backend pools to avoid unnecessary costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7947e534-c9a8-435b-9e03-d300143b5f74"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Stop Application Gateway instances when not in use",
"description": "You aren't billed when Application Gateway is in the stopped state. Continuously running Application Gateway instances can incur extraneous costs. Evaluate usage patterns and stop instances when you don't need them. For example, usage after business hours in Dev/Test environments is expected to be low.See these articles for information about how to stop and start instances.- Stop-AzApplicationGateway- Start-AzApplicationGateway",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3c5f0966-3c57-4e15-a6b0-6cb73405bbf1"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Have a scale-in and scale-out policy",
"description": "A scale-out policy ensures that there will be enough instances to handle incoming traffic and spikes. Also, have a scale-in policy that makes sure the number of instances are reduced when demand drops. Consider the choice of instance size. The size can significantly impact the cost. Some considerations are described in the Estimate the Application Gateway instance count.For more information, see What is Azure Application Gateway v2?",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d0c4b44f-7b43-428c-93f2-dedd7bf00799"
},
{
"waf": "Cost",
"service": "Azure Application Gateway",
"text": "Review consumption metrics across different parameters",
"description": "You're billed based on metered instances of Application Gateway based on the metrics tracked by Azure. Evaluate the various metrics and capacity units and determine the cost drivers. For more information, see Microsoft Cost Management and Billing. The following metrics are key for Application Gateway. This information can be used to validate that the provisioned instance count matches the amount of incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units- Current Capacity UnitsFor more information, see Application Gateway metrics.Make sure you account for bandwidth costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ac8bb190-71ba-48ec-9fef-351c1cd5501f"
},
{
"waf": "operations",
"service": "Azure Application Gateway",
"text": "Monitor capacity metrics",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "188b768d-c65f-46c8-b0a7-e7b288b0c15d"
},
{
"waf": "operations",
"service": "Azure Application Gateway",
"text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "63eb295f-ef20-4749-a576-fbbdd528d093"
},
{
"waf": "operations",
"service": "Azure Application Gateway",
"text": "Use Azure Monitor Network Insights",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "3b24c03f-1fab-436e-b45c-4b4838f9f01a"
},
{
"waf": "operations",
"service": "Azure Application Gateway",
"text": "Match timeout settings with the backend application",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "02610076-047b-4f48-9c50-0172c4bac957"
},
{
"waf": "operations",
"service": "Azure Application Gateway",
"text": "Monitor Key Vault configuration issues using Azure Advisor",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "b53da374-3be5-405b-b543-b104491fc2e5"
},
{
"waf": "operations",
"service": "Azure Application Gateway",
"text": "Configure and monitor SNAT port limitations",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "d32ea6dc-3993-4536-b570-bc4d0236a136"
},
{
"waf": "operations",
"service": "Azure Application Gateway",
"text": "Consider SNAT port limitations in your design",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "fa9b6a56-3144-4d79-b409-8fc896c4ba76"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Monitor capacity metrics",
"description": "Use these metrics as indicators of utilization of the provisioned Application Gateway capacity. We strongly recommend setting up alerts on capacity. For details, see Application Gateway high traffic support.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "14cdf40e-36a1-4947-90a3-3b833e2df9d3"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Troubleshoot using metrics",
"description": "There are other metrics that can indicate issues either at Application Gateway or the backend. We recommend evaluating the following alerts:- Unhealthy Host Count- Response Status (dimension 4xx and 5xx)- Backend Response Status (dimension 4xx and 5xx)- Backend Last Byte Response Time- Application Gateway Total TimeFor more information, see Metrics for Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "00ddc7ab-c60b-4249-92e0-939a99ac890c"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
"description": "Diagnostic logs allow you to view firewall logs, performance logs, and access logs. Use these logs to manage and troubleshoot issues with Application Gateway instances. For more information, see Back-end health and diagnostic logs for Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ee3b1f28-7d23-484a-a721-a0e0da65aed8"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Use Azure Monitor Network Insights",
"description": "Azure Monitor Network Insights provides a comprehensive view of health and metrics for network resources, including Application Gateway. For additional details and supported capabilities for Application Gateway, see Azure Monitor Network insights.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "98530e65-c941-48d2-8ce7-55649e17a701"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Match timeout settings with the backend application",
"description": "Ensure you have configured the IdleTimeout settings to match the listener and traffic characteristics of the backend application. The default value is set to four minutes and can be configured to a maximum of 30. For more information, see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring application health for reliability.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9dd45a04-f63b-4ba8-bb19-0fa074b57dcc"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Monitor Key Vault configuration issues using Azure Advisor",
"description": "Application Gateway checks for the renewed certificate version in the linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation. You must configure the Advisor alerts to stay updated and fix such issues immediately to avoid any Control or Data plane related problems. For more information, see Investigating and resolving key vault errors. To set an alert for this specific case, use the Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "91366299-47be-4ee6-a9c1-adfa6b11beff"
},
{
"waf": "Operations",
"service": "Azure Application Gateway",
"text": "Consider SNAT port limitations in your design",
"description": "SNAT port limitations are important for backend connections on the Application Gateway. There are separate factors that affect how Application Gateway reaches the SNAT port limit. For example, if the backend is a public IP address, it will require its own SNAT port. In order to avoid SNAT port limitations, you can increase the number of instances per Application Gateway, scale out the backends to have more IP addresses, or move your backends into the same virtual network and use private IP addresses for the backends.Requests per second (RPS) on the Application Gateway will be affected if the SNAT port limit is reached. For example, if an Application Gateway reaches the SNAT port limit, then it won't be able to open a new connection to the backend, and the request will fail.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9bb30e02-43fd-4ed2-9189-c9a23ae9933f"
},
{
"waf": "performance",
"service": "Azure Application Gateway",
"text": "Estimate the Application Gateway instance count",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "63dd2b1b-6076-46c9-8b80-54a255b77f49"
},
{
"waf": "performance",
"service": "Azure Application Gateway",
"text": "Define the maximum instance count",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "adb085fc-433d-4bde-815d-77486524d8a3"
},
{
"waf": "performance",
"service": "Azure Application Gateway",
"text": "Define the minimum instance count",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "33ae0084-c64e-471f-aef1-c84a5cf77d5d"
},
{
"waf": "performance",
"service": "Azure Application Gateway",
"text": "Define Application Gateway subnet size",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "0e38111f-c642-46ca-a2a0-72d5eb520cab"
},
{
"waf": "performance",
"service": "Azure Application Gateway",
"text": "Take advantage of Application Gateway V2 features for autoscaling and performance benefits",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-application-gateway.md",
+ "guid": "66695955-0890-4f69-ab88-292a6c641558"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Define the minimum instance count",
"description": "For Application Gateway v2 SKU, autoscaling takes some time (approximately six to seven minutes) before the additional set of instances is ready to serve traffic. During that time, if there are short spikes in traffic, expect transient latency or loss of traffic.We recommend that you set your minimum instance count to an optimal level. After you estimate the average instance count and determine your Application Gateway autoscaling trends, define the minimum instance count based on your application patterns. For information, see Application Gateway high traffic support.Check the Current Compute Units for the past one month. This metric represents the gateway's CPU utilization. To define the minimum instance count, divide the peak usage by 10. For example, if your average Current Compute Units in the past month is 50, set the minimum instance count to five.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "af6f1096-14f3-465c-8691-b15cf5361942"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Define the maximum instance count",
"description": "We recommend 125 as the maximum autoscale instance count. Make sure the subnet that has the Application Gateway has sufficient available IP addresses to support the scale-up set of instances.Setting the maximum instance count to 125 has no cost implications because you're billed only for the consumed capacity.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e1a91738-8def-4c1e-83ce-cd7dac9c986a"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Define Application Gateway subnet size",
"description": "Application Gateway needs a dedicated subnet within a virtual network. The subnet can have multiple instances of the deployed Application Gateway resource. You can also deploy other Application Gateway resources in that subnet, v1 or v2 SKU.Here are some considerations for defining the subnet size:- Application Gateway uses one private IP address per instance and another private IP address if a private front-end IP is configured.- Azure reserves five IP addresses in each subnet for internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances. Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum subnet size of /26 is recommended. Because the Standard_v2 or WAF_v2 SKU can support up to 125 instances, using the same calculation, a subnet size of /24 is recommended.- If you want to deploy additional Application Gateway resources in the same subnet, consider the additional IP addresses that will be required for their maximum instance count for both, Standard and Standard v2.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6d9985b2-103c-4b47-82b9-148e22af311b"
},
{
"waf": "Performance",
"service": "Azure Application Gateway",
"text": "Take advantage of features for autoscaling and performance benefits",
"description": "The v2 SKU offers autoscaling to ensure that your Application Gateway can scale up as traffic increases. When compared to v1 SKU, v2 has capabilities that enhance the performance of the workload. For example, better TLS offload performance, quicker deployment and update times, zone redundancy, and more. For more information about autoscaling features, see Scaling Application Gateway v2 and WAF v2.If you are running v1 SKU Application gateway, consider migrating to the Application gateway v2 SKU. For more information, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "22740e5f-f63b-4b82-8629-fb9d4fd74c36"
},
{
"waf": "reliability",
"service": "Azure Blob Storage",
"text": "Use failure mode analysis: Minimize points of failure by considering internal dependencies such as the availability of virtual networks, Azure Key Vault, or Azure Content Delivery Network or Azure Front Door endpoints. Failures can occur if credentials required by workloads to access Blob Storage go missing from Key Vault, or if workloads use an endpoint based on a content delivery network that's removed. In these cases, workloads might need to use an alternative endpoint to connect. For general information about failure mode analysis, see Recommendations for performing failure mode analysis.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "42f14a23-b4d3-47a8-a0d1-5f9987aab27b"
},
{
"waf": "reliability",
"service": "Azure Blob Storage",
"text": "Define reliability and recovery targets: Review the Azure service-level agreements (SLAs). Derive the service-level objective (SLO) for the storage account. For example, the SLO might be affected by the redundancy configuration that you chose. Consider the effect of a regional outage, the potential for data loss, and the time required to restore access after an outage. Also consider the availability of any internal dependencies that you identified as part of your failure mode analysis.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "ce838d0f-8069-420d-9adb-5c508c091e3f"
},
{
"waf": "reliability",
"service": "Azure Blob Storage",
"text": "Configure data redundancy: For maximum durability, choose a configuration that copies data across availability zones or global regions. For maximum availability, choose a configuration that allows clients to read data from the secondary region during an outage of the primary region.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "8930145f-653c-4630-8090-7ddfb1522a30"
},
{
"waf": "reliability",
"service": "Azure Blob Storage",
"text": "Design applications: Design applications to seamlessly shift to reading data from the secondary region if the primary region becomes unavailable for any reason. This only applies to geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS) configurations. Designing applications to handle outages reduces downtime for end users.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "b819c0de-783e-4b18-8232-416710492029"
},
{
"waf": "reliability",
"service": "Azure Blob Storage",
"text": "Explore features to help you meet your recovery targets: Make blobs restorable so that they can be recovered if they're corrupted, edited, or deleted by mistake.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "ff928466-de8a-496a-b5ba-aa8c358e3e09"
},
{
"waf": "reliability",
"service": "Azure Blob Storage",
"text": "Create a recovery plan: Consider data protection features, backup and restore operations, or failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over. For more information, see Recommendations for designing a disaster recovery strategy.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "d93ddbcf-8760-4b99-8fdc-4f31268e76f7"
},
{
"waf": "reliability",
"service": "Azure Blob Storage",
"text": "Monitor potential availability problems: Subscribe to the Azure Service Health dashboard to monitor potential availability problems. Use storage metrics in Azure Monitor and diagnostic logs to investigate alerts.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "778ba0b4-9f48-4fd5-a788-949f2f2ea331"
},
{
"waf": "Reliability",
"service": "Azure Blob Storage",
"text": "Configure your account for redundancy. For maximum availability and durability, configure your account by using zone-redundant storage (ZRS) or GZRS.",
"description": "Redundancy protects your data against unexpected failures. The ZRS and GZRS configuration options replicate across different availability zones and enable applications to continue reading data during an outage. For more information, see Durability and availability by outage scenario and Durability and availability parameters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0a6a14f8-c014-4339-a444-45013d989209"
},
{
"waf": "Reliability",
"service": "Azure Blob Storage",
"text": "Before initiating a failover or failback, evaluate the potential for data loss by checking the value of the last synchronization time property. This recommendation applies only to GRS and GZRS configurations.",
"description": "This property helps you estimate how much data you might lose by initiating an account failover. All data and metadata written before the last synchronization time is available on the secondary region, but data and metadata written after the last synchronization time might be lost because it's not written to the secondary region.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "af07c8fb-ba63-41e5-b924-3bc6759ad671"
},
{
"waf": "Reliability",
"service": "Azure Blob Storage",
"text": "As a part of your backup and recovery strategy, enable the container soft delete, blob soft delete, versioning, and point-in-time restore options.",
"description": "The soft delete option enables a storage account to recover deleted containers and blobs. The versioning option automatically tracks changes made to blobs. This option lets you restore a blob to a previous state.The point-in-time restore option protects against accidental blob deletion or corruption and lets you restore block blob data to an earlier state. For more information, see Data protection overview.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "349d483b-5d14-4335-954a-4f8cbecfd7df"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Review the security baseline for Azure Storage: To get started, first review the security baseline for Storage.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "a7cd3662-4984-4a5a-8ed7-95c707f19c25"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Use network controls to restrict ingress and egress traffic: Disable all public traffic to the storage account. Use account network controls to grant the minimal level of access required by users and applications. For more information, see How to approach network security for your storage account.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "345a1c5e-8ca7-41e1-9acc-702b9684df71"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Reduce the attack surface: Preventing anonymous access, account key access, or access over non-secure (HTTP) connections can reduce the attack surface. Require clients to send and receive data by using the latest version of the Transport Layer Security (TLS) protocol.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "ceb9eb53-c2e4-4f28-b6e0-d42414ab3439"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Authorize access without using passwords or keys: Microsoft Entra ID provides superior security and ease of use compared to shared keys and shared access signatures. Grant security principals only those permissions that are necessary for them to do their tasks.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "0936d029-8a6b-4eae-a739-863462bbecf4"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Protect sensitive information: Protect sensitive information such as account keys and shared access signature tokens. While these forms of authorization are generally not recommended, you should make sure to rotate, expire, and store them securely.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "48fe0f97-d78a-4907-b588-0b6d53172ff2"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Enable the secure transfer required option: Enabling this setting for all your storage accounts ensures that all requests made against the storage account must take place over secure connections. Any requests made over HTTP fail.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "b174e3db-c952-4b33-a72e-874f60a0f671"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Protect critical objects: Apply immutability policies to protect critical objects. Policies protect blobs that are stored for legal, compliance, or other business purposes from being modified or deleted. Configure holds for set time periods or until restrictions are lifted by an administrator.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "96a5a2e1-d8de-4297-b395-168cbd02467b"
},
{
"waf": "security",
"service": "Azure Blob Storage",
"text": "Detect threats: Enable Microsoft Defender for Storage to detect threats. Security alerts are triggered when anomalies in activity occur. The alerts notify subscription administrators via email with details of suspicious activity and recommendations on how to investigate and remediate threats.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "d0d49387-46dd-4aad-b467-19ecd0142c05"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Disable anonymous read access to containers and blob.",
"description": "When anonymous access is allowed for a storage account, a user that has the appropriate permissions can modify a container's anonymous access setting to enable anonymous access to the data in that container.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a2c5082f-3260-46ef-a44f-cab9c74fd16f"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Apply an Azure Resource Manager lock on the storage account.",
"description": "Locking an account prevents it from being deleted and causing data loss.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3195423b-0513-45e2-951b-87f9c5d534b0"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Disable traffic to the public endpoints of your storage account. Create private endpoints for clients that run in Azure. Enable the public endpoint only if clients and services external to Azure require direct access to your storage account. Enable firewall rules that limit access to specific virtual networks.",
"description": "Start with zero access and then incrementally authorize the lowest levels of access required for clients and services to minimize the risk of creating unnecessary openings for attackers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4c73ba4b-1d06-42f6-afcb-2dc1d4b8885a"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Authorize access by using Azure role-based access control (RBAC).",
"description": "With RBAC, there are no passwords or keys that can be compromised. The security principal (user, group, managed identity, or service principal) is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token is used to authorize a request against the Blob Storage service.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "02be562a-9a28-4e56-94a3-a3671dd382fc"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Disallow shared key authorization. This disables not only account key access but also service and account shared access signature tokens because they're based on account keys.",
"description": "Only secured requests that are authorized with Microsoft Entra ID are permitted.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c1c19545-ae06-45b2-9770-1bc64e63c70b"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "We recommend that you don't use an account key. If you must use account keys, then store them in Key Vault, and make sure that you regenerate them periodically.",
"description": "Key Vault lets you retrieve keys at runtime, instead of saving them by using your application. Key Vault also makes it easy to rotate your keys without interruption to your applications. Rotating the account keys periodically reduces the risk of exposing your data to malicious attacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fa8fe7b9-8118-4913-adbe-be4420b62cfd"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "We recommend that you don't use shared access signature tokens. Evaluate whether you need shared access signature tokens to secure access to Blob Storage resources. If you must create one, then review this list of shared access signature best practices before you create and distribute it.",
"description": "Best practices can help you prevent a shared access signature token from being leaked and quickly recover if a leak does occur.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "74296778-eb6c-4ef3-b2db-f64839ca4140"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Configure your storage account so clients can send and receive data by using the minimum version of TLS 1.2.",
"description": "TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support modern cryptographic algorithms and cipher suites.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "42a36eba-778e-437d-9750-4002823c8835"
},
{
"waf": "Security",
"service": "Azure Blob Storage",
"text": "Consider using your own encryption key to protect the data in your storage account. For more information, see Customer-managed keys for Azure Storage encryption.",
"description": "Customer-managed keys provide greater flexibility and control. For example, you can store encryption keys in Key Vault and automatically rotate them.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fd88f923-7d9f-4071-9152-15ee808cc9ed"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Identify the meters that are used to calculate your bill: Meters are used to track the amount of data stored in the account (data capacity) and the number and type of operations that are performed to write and read data. There are also meters associated with the use of optional features such as blob index tags, blob inventory, change feed support, encryption scopes, and SSH File Transfer Protocol (SFTP) support. For more information, see How you're charged for Blob Storage.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "322c5ad8-8c4a-4aa9-acd7-6f34a3e47c9c"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Understand the price of each meter: Make sure to use the appropriate pricing page and apply the appropriate settings in that page. For more information, see Finding the unit price for each meter. Consider the number of operations associated with each price. For example, the price associated with write and read operations applies to 10,000 operations. To determine the price of an individual operation, divide the listed price by 10,000.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "e53d71d3-879f-4a64-b425-e30f007e7221"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Estimate the cost of capacity and operations: You can model the costs associated with data storage, ingress, and egress by using the Azure pricing calculator. Use fields to compare the cost associated with various regions, account types, namespace types, and redundancy configurations. For certain scenarios, you can use sample calculations and worksheets available in Microsoft documentation. For example, you can estimate the cost of archiving data or estimate the cost of using the AzCopy command to transfer blobs.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "4d17df43-4382-430a-9463-13abf73774d0"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Choose a billing model for capacity: Evaluate whether using a commitment-based model is more cost-efficient than using a consumption-based model. If you're unsure about how much capacity you need, you can start with a consumption-based model, monitor the capacity metrics, and then evaluate later.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "5bf631db-5818-4a48-9bb2-12383fb22c27"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Choose an account type, a redundancy level, and a default access tier: You must select a value for each of these settings when you create a storage account. All the values affect transaction charges and capacity charges. All these settings except for the account type can be changed after the account is created.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "96e18bc5-92d9-4184-990e-0916f7c116fa"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Choose the most cost-effective default access tier: Unless a tier is specified with each blob upload, blobs infer their access tier from the default access tier setting. A change to the default access tier setting of a storage account applies to all blobs in the account for which an access tier hasn't been explicitly set. This cost could be significant if you've collected a large number of blobs. For more information about how a tier change affects each existing blob, see Changing a blob's access tier.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "d78ebd83-3708-43dc-a146-c87c0bc845cc"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Upload data directly to the most cost-efficient access tier: For example, if the default access tier setting of your account is hot, but you're uploading files for archiving purposes, specify a cooler tier as the archive or a cold tier as part of your upload operation. After uploading blobs, use lifecycle management policies to move blobs to the most cost-efficient tiers based on usage metrics such as the last accessed time. Choosing the most optimal tier up front can reduce costs. If you change the tier of a block blob that you already uploaded, then you pay the cost of writing to the initial tier when you first upload the blob, and then pay the cost of writing to the desired tier.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "d8225b92-cc37-400e-9e24-660b9f4c1a28"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Have a plan for managing the data lifecycle: Optimize transaction and capacity costs by taking advantage of access tiers and lifecycle management. Data used less often should be placed in cooler access tiers while data that's accessed often should be placed in warmer access tiers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "d48626ce-bf57-4b9a-92b4-58d2904aca16"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Decide which features you need: Some features such as versioning and blob soft delete incur additional transaction and capacity costs as well as other charges. Make sure to review the pricing and billing sections in articles that describe those capabilities when you choose which capabilities to add to your account.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "ccbe2ffd-7bea-41ce-93fa-a9facc5bc5d0"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Create guardrails: Create budgets based on subscriptions and resource groups. Use governance policies to restrict resource types, configurations, and locations. Additionally, use RBAC to block actions that can lead to overspending.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "f0c38fed-fc9f-458d-aab7-9b03b8a0dfea"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Monitor costs: Ensure costs stay within budgets, compare costs against forecasts, and see where overspending occurs. You can use the cost analysis pane in the Azure portal to monitor costs. You also can export cost data to a storage account and analyze that data by using Excel or Power BI.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "18f1f2f6-de79-405d-b7a1-65fb571c0493"
},
{
"waf": "cost",
"service": "Azure Blob Storage",
"text": "Monitor usage: Continuously monitor usage patterns and detect unused or underutilized accounts and containers. Use Storage insights to identity accounts with no or low use. Enable blob inventory reports, and use tools such as Azure Databricks or Azure Synapse Analytics and Power BI to analyze cost data. Watch out for unexpected increases in capacity, which might indicate that you're collecting numerous log files, blob versions, or soft-deleted blobs. Develop a strategy for expiring or transitioning objects to more cost-effective access tiers.Have a plan for expiring objects or moving objects to more affordable access tiers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "d48bcd05-e5af-4500-b04e-e35dce0f17f9"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Pack small files into larger files before moving them to cooler tiers. You can use file formats such as TAR or ZIP.",
"description": "Cooler tiers have higher data transfer costs. By having fewer large files, you can reduce the number of operations required to transfer data.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1e8c6cb4-abe1-4ba1-899f-5ddc0d700517"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Use standard-priority rehydration when rehydrating blobs from archive storage. Use high-priority rehydration only for emergency data restoration situations. For more information, see Rehydrate an archived blob to an online tier",
"description": "High-priority rehydration from the archive tier can lead to higher-than-normal bills.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ab60898d-c5ae-4087-95ce-5b55ed006972"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Reduce the cost of using resource logs by choosing the appropriate log storage location and by managing log-retention periods. If you only plan to query logs occasionally (for example, querying logs for compliance auditing), consider sending resource logs to a storage account instead of sending them to an Azure Monitor Logs workspace. You can use a serverless query solution such as Azure Synapse Analytics to analyze logs. For more information, see Optimize cost for infrequent queries. Use lifecycle management policies to delete or archive logs.",
"description": "Storing resource logs in a storage account for later analysis can be a cheaper option. Using lifecycle management policies to manage log retention in a storage account prevents large numbers of logs files building up over time, which can lead to unnecessary capacity charges.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4ee9e348-ad55-46c9-bdbf-e17adcae5fd0"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "If you enable versioning, use a lifecycle management policy to automatically delete old blob versions.",
"description": "Every write operation to a blob creates a new version. This increases capacity costs. You can keep costs in check by removing versions that you no longer need.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "72af3409-f6b8-43b7-b254-31990577bb73"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "If you enable versioning, then place blobs that are frequently overwritten into an account that doesn't have versioning enabled.",
"description": "Every time a blob is overwritten, a new version is added which leads to increased storage capacity charges. To reduce capacity charges, store frequently overwritten data in a separate storage account with versioning disabled.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4fb53237-e44f-4292-a7a5-f8e79d55fc4e"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "If you enable soft delete, then place blobs that are frequently overwritten into an account that doesn't have soft delete enabled. Set retention periods. Consider starting with a short retention period to better understand how the feature affects your bill. The minimum recommended retention period is seven days.",
"description": "Every time a blob is overwritten, a new snapshot is created. The cause of increased capacity charges might be difficult to access because the creation of these snapshots doesn't appear in logs. To reduce capacity charges, store frequently overwritten data in a separate storage account with soft delete disabled. A retention period keeps soft-deleted blobs from piling up and adding to the cost of capacity.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "edc3f7bc-6b6c-41a8-8f11-1485781fdf58"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Enable SFTP support only when it's used to transfer data.",
"description": "Enabling the SFTP endpoint incurs an hourly cost. By thoughtfully disabling SFTP support, and then enabling it as needed, you can avoid passive charges from accruing in your account.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dd86bdc7-a08c-4624-9028-e0e80335a9ba"
},
{
"waf": "Cost",
"service": "Azure Blob Storage",
"text": "Disable any encryption scopes that aren't needed to avoid unnecessary charges.",
"description": "Encryptions scopes incur a per month charge.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a97cd83a-ed73-43df-bf01-11853e14f665"
},
{
"waf": "operations",
"service": "Azure Blob Storage",
"text": "Create maintenance and emergency recovery plans: Consider data protection features, backup and restore operations, and failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "2f429983-43fe-4e9a-a0f7-ec3328270b5c"
},
{
"waf": "operations",
"service": "Azure Blob Storage",
"text": "Monitor the health of your storage account: Create Storage insights dashboards to monitor availability, performance, and resilience metrics. Set up alerts to identify and address problems in your system before your customers notice them. Use diagnostic settings to route resource logs to an Azure Monitor Logs workspace. Then you can query logs to investigate alerts more deeply.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "16a0b5cc-d1a3-430b-a8d1-141a721f4e76"
},
{
"waf": "operations",
"service": "Azure Blob Storage",
"text": "Enable blob inventory reports: Enable blob inventory reports to review the retention, legal hold, or encryption status of your storage account contents. You can also use blob inventory reports to understand the total data size, age, tier distribution, or other attributes of your data. Use tools such as Azure Databricks or Azure Synapse Analytics and Power BI to better visualize inventory data and to create reports for stakeholders.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "c9e1bce3-8d36-44f7-a91a-e7d35e67297c"
},
{
"waf": "operations",
"service": "Azure Blob Storage",
"text": "Set up policies that delete blobs or move them to cost-efficient access tiers: Create a lifecycle management policy with an initial set of conditions. Policy runs automatically delete or set the access tier of blobs based on the conditions you define. Periodically analyze container use by using Monitor metrics and blob inventory reports so that you can refine conditions to optimize cost efficiency.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "508126c2-2c18-4411-a803-1d9c7ee07e7a"
},
{
"waf": "Operations",
"service": "Azure Blob Storage",
"text": "Use infrastructure as code (IaC) to define the details of your storage accounts in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.",
"description": "You can use your existing DevOps processes to deploy new storage accounts, and use Azure Policy to enforce their configuration.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1c680237-1240-4015-b028-1e1525ac1a41"
},
{
"waf": "Operations",
"service": "Azure Blob Storage",
"text": "Use Storage insights to track the health and performance of your storage accounts. Storage insights provides a unified view of the failures, performance, availability, and capacity for all your storage accounts.",
"description": "You can track the health and operation of each of your accounts. Easily create dashboards and reports that stakeholders can use to track the health of your storage accounts.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "15f258d9-8353-49ff-9eca-441c96e911be"
},
{
"waf": "performance",
"service": "Azure Blob Storage",
"text": "Plan for scale: Understand the scale targets for storage accounts.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "aaf8acc7-9e41-4997-8da4-cc82b102db09"
},
{
"waf": "performance",
"service": "Azure Blob Storage",
"text": "Choose the optimal storage account type: If your workload requires high transaction rates, smaller objects, and a consistently low transaction latency, then consider using premium block blob storage accounts. A standard general-purpose v2 account is most appropriate in most cases.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "414185fb-3518-4ff6-a275-a48689d44e4d"
},
{
"waf": "performance",
"service": "Azure Blob Storage",
"text": "Reduce travel distance between the client and server: Place data in regions nearest to connecting clients (ideally in the same region). Optimize for clients in regions far away by using object replication or a content delivery network. Default network configurations provide the best performance. Modify network settings only to improve security. In general, network settings don't decrease travel distance and don't improve performance.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "4732ffbc-7fe6-4e88-9178-932e7fbeddf5"
},
{
"waf": "performance",
"service": "Azure Blob Storage",
"text": "Choose an efficient naming scheme: Decrease the latency of listing, list, query, and read operations by using hash tag prefixes nearest the beginning of the blob partition key (account, container, virtual directory, or blob name). This scheme benefits mostly accounts that have a flat namespace.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "e79e1149-9aa1-4064-8c07-52e390f99d9e"
},
{
"waf": "performance",
"service": "Azure Blob Storage",
"text": "Optimize the performance of data clients: Choose a data transfer tool that's most appropriate for the data size, transfer frequency, and bandwidth of your workloads. Some tools such as AzCopy are optimized for performance and require little intervention. Consider the factors that influence latency, and fine-tune performance by reviewing the performance optimization guidance that's published with each tool.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "2c5c76ee-3c54-4063-9deb-6e02b3b046e6"
},
{
"waf": "performance",
"service": "Azure Blob Storage",
"text": "Optimize the performance of custom code: Consider using Storage SDKs instead of creating your own wrappers for blob REST operations. Azure SDKs are optimized for performance and provide mechanisms to fine-tune performance. Before creating an application, review the performance and scalability checklist for Blob Storage. Consider using query acceleration to filter out unwanted data during the storage request and keep clients from needlessly transferring data across the network.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "faea0cea-49d5-462b-bece-94cca446b10a"
},
{
"waf": "performance",
"service": "Azure Blob Storage",
"text": "Collect performance data: Monitor your storage account to identify performance bottlenecks that occur from throttling. For more information, see Monitoring your storage service with Monitor Storage insights. Use both metrics and logs. Metrics provide numbers such as throttling errors. Logs describe activity. If you see throttling metrics, you can use logs to identity which clients are receiving throttling errors. For more information, see Auditing data plane operations.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-blob-storage.md",
+ "guid": "557fe672-1057-4798-acbb-bb377abcb704"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "Provision storage accounts in the same region where dependent resources are placed. For applications that aren't hosted on Azure, such as mobile device apps or on-premises enterprise services, locate the storage account in a region nearer to those clients. For more information, see Azure geographies.If clients from a different region don't require the same data, then create a separate account in each region.If clients from a different region require only some data, consider using an object-replication policy to asynchronously copy relevant objects to a storage account in the other region.",
"description": "Reducing the physical distance between the storage account and VMs, services, and on-premises clients can improve performance and reduce network latency. Reducing the physical distance also reduces cost for applications hosted in Azure because bandwidth usage within a single region is free.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "876895f8-8298-4cda-9569-2fb95405511a"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "For broad consumption by web clients (streaming video, audio, or static website content), consider using a content delivery network through Azure Front Door.",
"description": "Content is delivered to clients faster because it uses the Microsoft global edge network with hundreds of global and local points of presence around the world.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b14ffaa1-4873-48ce-be43-05203e7e2562"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "Add a hash character sequence (such as three digits) as early as possible in the partition key of a blob. The partition key is the account name, container name, virtual directory name, and blob name. If you plan to use timestamps in names, then consider adding a seconds value to the beginning of that stamp. For more information, see Partitioning.",
"description": "Using a hash code or seconds value nearest the beginning of a partition key reduces the time required to list query and read blobs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5111fdd2-bb7e-46bf-9c14-371d1371c935"
},
{
"waf": "Performance",
"service": "Azure Blob Storage",
"text": "When uploading blobs or blocks, use a blob or block size that's greater than 256 KiB.",
"description": "Blob or block sizes above 256 KiB takes advantage of performance enhancements in the platform made specifically for larger blobs and block sizes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "22fb7fa5-e280-4a6a-8ae4-53fcd802c196"
},
{
"waf": "reliability",
"service": "Azure Expressroute",
"text": "Select between ExpressRoute circuit or ExpressRoute Direct for business requirements.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "c18e33dd-d764-42da-b855-cd050de2367a"
},
{
"waf": "reliability",
"service": "Azure Expressroute",
"text": "Configure Active-Active ExpressRoute connections between on-premises and Azure.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "7a87eeb7-44d2-409f-842f-fad32d9b01e1"
},
{
"waf": "reliability",
"service": "Azure Expressroute",
"text": "Set up availability zone aware ExpressRoute Virtual Network Gateways.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "51ac729d-25ff-4632-88e5-72df1106559d"
},
{
"waf": "reliability",
"service": "Azure Expressroute",
"text": "Configure ExpressRoute Virtual Network Gateways in different regions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "2d31b435-8edb-46cb-a682-8190d7cfedf9"
},
{
"waf": "reliability",
"service": "Azure Expressroute",
"text": "Configure site-to-site VPN as a backup to ExpressRoute private peering.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "d8dbe205-0115-4fc8-8aaf-fff7d9382a5e"
},
{
"waf": "reliability",
"service": "Azure Expressroute",
"text": "Configure service health to receive ExpressRoute circuit maintenance notification.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "41687924-ef94-411f-b71a-c8ec2543dbb7"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Plan for ExpressRoute circuit or ExpressRoute Direct",
"description": "During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection. An ExpressRoute circuit allows a private dedicated connection into Azure with the help of a connectivity provider. ExpressRoute Direct allows you to extend on-premises network directly into the Microsoft network at a peering location. You also need to identify the bandwidth requirement and the SKU type requirement for your business needs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "47e7f99c-d9da-440c-96f3-53c2d1b3578e"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Physical layer diversity",
"description": "For better resiliency, plan to have multiple paths between the on-premises edge and the peering locations (provider/Microsoft edge locations). This configuration can be achieved by going through different service provider or through a different location from the on-premises network.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "18491e10-13a3-4864-87e9-3e37cbf8625e"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Plan for geo-redundant circuits",
"description": "To plan for disaster recovery, set up ExpressRoute circuits in more than one peering locations. You can create circuits in peering locations in the same metro or different metro and choose to work with different service providers for diverse paths through each circuit. For more information, see Designing for disaster recovery and Designing for high availability.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6807a566-19b0-4db5-a02e-af800136355e"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Plan for Active-Active connectivity",
"description": "ExpressRoute dedicated circuits guarantee `99.95%` availability when an active-active connectivity is configured between on-premises and Azure. This mode provides higher availability of your Expressroute connection. It's also recommended to configure BFD for faster failover if there's a link failure on a connection.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b145c875-e017-4b1e-af6a-e2c86150d5b9"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Planning for Virtual Network Gateways",
"description": "Create availability zone aware Virtual Network Gateway for higher resiliency and plan for Virtual Network Gateways in different region for disaster recovery and high availability.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a71ef0ea-30fd-4a34-b4ca-10a87d4db10a"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Monitor circuits and gateway health",
"description": "Set up monitoring and alerts for ExpressRoute circuits and Virtual Network Gateway health based on various metrics available.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1f311354-8e72-4308-ac18-29dd48ce58ad"
},
{
"waf": "Reliability",
"service": "Azure Expressroute",
"text": "Enable service health",
"description": "ExpressRoute uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your ExpressRoute circuits.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1c26f51d-9ce7-49c5-87e8-d45a56f9fa14"
},
{
"waf": "security",
"service": "Azure Expressroute",
"text": "Configure Activity log to send logs to archive.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "dbcfcfa3-dcb3-43f7-8e98-a9d6d44ab3ae"
},
{
"waf": "security",
"service": "Azure Expressroute",
"text": "Maintain an inventory of administrative accounts with access to ExpressRoute resources.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "fd7f29a7-ae31-4983-8510-e219a25cfdfc"
},
{
"waf": "security",
"service": "Azure Expressroute",
"text": "Configure MD5 hash on ExpressRoute circuit.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "5f06f160-46b8-48b3-ab94-89da0ff37c56"
},
{
"waf": "security",
"service": "Azure Expressroute",
"text": "Configure MACSec for ExpressRoute Direct resources.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "e09a0328-3f6e-4ab5-9856-581a76090453"
},
{
"waf": "security",
"service": "Azure Expressroute",
"text": "Encrypt traffic over private peering and Microsoft peering for virtual network traffic.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "960e86aa-d918-4a37-917a-eab33a2a98fa"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Configure Activity log to send logs to archive",
"description": "Activity logs provide insights into operations that were performed at the subscription level for ExpressRoute resources. With Activity logs, you can determine who and when an operation was performed at the control plane. Data retention is only 90 days and required to be stored in Log Analytics, Event Hubs or a storage account for archive.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b893441c-5f7c-44fe-bfa2-457af4ae1cb8"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Maintain inventory of administrative accounts",
"description": "Use Azure RBAC to configure roles to limit user accounts that can add, update, or delete peering configuration on an ExpressRoute circuit.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "44059f81-2473-4325-ad67-70df146e1f5d"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Configure MD5 hash on ExpressRoute circuit",
"description": "During configuration of private peering or Microsoft peering, apply an MD5 hash to secure messages between the on-premises route and the MSEE routers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0d7a206c-e977-4c39-9379-766f5f20365b"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Configure MACSec for ExpressRoute Direct resources",
"description": "Media Access Control security is a point-to-point security at the data link layer. ExpressRoute Direct supports configuring MACSec to prevent security threats to protocols such as ARP, DHCP, LACP not normally secured on the Ethernet link. For more information on how to configure MACSec, see MACSec for ExpressRoute Direct ports.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "02e71cb8-379a-45ef-8daa-e4bfa3fa7237"
},
{
"waf": "Security",
"service": "Azure Expressroute",
"text": "Encrypt traffic using IPsec",
"description": "Configure a Site-to-site VPN tunnel over your ExpressRoute circuit to encrypt data transferring between your on-premises network and Azure virtual network. You can configure a tunnel using private peering or using Microsoft peering.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a7cb83ea-dfc8-49eb-9c03-a57fbcd3a0ef"
},
{
"waf": "cost",
"service": "Azure Expressroute",
"text": "Familiarize yourself with ExpressRoute pricing.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "96599299-4653-4e94-989b-8c7fe64cb2bd"
},
{
"waf": "cost",
"service": "Azure Expressroute",
"text": "Determine the ExpressRoute circuit SKU and bandwidth required.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "a3aaf86d-0531-404f-b881-78bbacd912ca"
},
{
"waf": "cost",
"service": "Azure Expressroute",
"text": "Determine the ExpressRoute virtual network gateway size required.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "2d710fcf-b8bc-461d-81a1-895193ce91cc"
},
{
"waf": "cost",
"service": "Azure Expressroute",
"text": "Monitor cost and create budget alerts.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "7327aac3-008f-4878-bf49-a6c3f76746a1"
},
{
"waf": "cost",
"service": "Azure Expressroute",
"text": "Deprovision ExpressRoute circuits no longer in use.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "271b6cfe-4507-4afa-a1e5-000e3be105ac"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Familiarize yourself with ExpressRoute pricing",
"description": "For information about ExpressRoute pricing, see Understand pricing for Azure ExpressRoute. You can also use the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "92eec823-61dd-486c-b46e-0339fc02987e"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Determine SKU and bandwidth required",
"description": "The way you're charged for your ExpressRoute usage varies between the three different SKU types. With Local SKU, you're automatically charged with an Unlimited data plan. With Standard and Premium SKU, you can select between a Metered or an Unlimited data plan. All ingress data are free of charge except when using the Global Reach add-on. It's important to understand which SKU types and data plan works best for your workload to best optimize cost and budget. For more information resizing ExpressRoute circuit, see upgrading ExpressRoute circuit bandwidth.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c5c27eb1-6f1c-4b97-a216-0cbdc31a3c98"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Determine the ExpressRoute virtual network gateway size",
"description": "ExpressRoute virtual network gateways are used to pass traffic into a virtual network over private peering. Review the performance and scale needs of your preferred Virtual Network Gateway SKU. Select the appropriate gateway SKU on your on-premises to Azure workload.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "73967d95-39ff-47bb-b4f4-33ddade69d1f"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Monitor cost and create budget alerts",
"description": "Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks. For more information, see Monitoring ExpressRoute costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "edd459fa-3105-4a03-b009-4f983d23da5a"
},
{
"waf": "Cost",
"service": "Azure Expressroute",
"text": "Deprovision and delete ExpressRoute circuits no longer in use.",
"description": "ExpressRoute circuits are charged from the moment they're created. To reduce unnecessary cost, deprovision the circuit with the service provider and delete the ExpressRoute circuit from your subscription. For steps on how to remove an ExpressRoute circuit, see Deprovisioning an ExpressRoute circuit.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c36e0c83-11b4-409a-a4a6-2118b52a380f"
},
{
"waf": "operations",
"service": "Azure Expressroute",
"text": "Configure connection monitoring between your on-premises and Azure network.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "138436b3-3868-43ad-8a1c-61c8e4a84d8e"
},
{
"waf": "operations",
"service": "Azure Expressroute",
"text": "Configure Service Health for receiving notification.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "7cfb8c20-2449-4892-bb3f-d994944ba6c9"
},
{
"waf": "operations",
"service": "Azure Expressroute",
"text": "Review metrics and dashboards available through ExpressRoute Insights using Network Insights.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "6c4de9f0-b0f4-4390-8222-d5b9dfb506b6"
},
{
"waf": "operations",
"service": "Azure Expressroute",
"text": "Review ExpressRoute resource metrics.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "8c22c571-98a1-4d91-94b7-efb58db4763e"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Configure connection monitoring",
"description": "Connection monitoring allows you to monitor connectivity between your on-premises resources and Azure over the ExpressRoute private peering and Microsoft peering connection. Connection monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "06b83763-eef7-4e07-8c16-8e0fcc9a388c"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Configure Service Health",
"description": "Set up Service Health notifications to alert when planned and upcoming maintenance is happening to all ExpressRoute circuits in your subscription. Service Health also displays past maintenance along with RCA if an unplanned maintenance were to occur.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "98086164-1e4f-4bd3-b67b-904b60e32470"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Review metrics with Network Insights",
"description": "ExpressRoute Insights with Network Insights allow you to review and analyze ExpressRoute circuits, gateways, connections metrics and health dashboards. ExpressRoute Insights also provide a topology view of your ExpressRoute connections where you can view details of your peering components all in a single place.Metrics available:- Availability- Throughput- Gateway metrics",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f48383e3-3d08-47a4-852e-211cc3a792df"
},
{
"waf": "Operations",
"service": "Azure Expressroute",
"text": "Review ExpressRoute resource metrics",
"description": "ExpressRoute uses Azure Monitor to collect metrics and create alerts base on your configuration. Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e2ca25a4-7d0d-49f8-8618-f81f0f3ff3e0"
},
{
"waf": "performance",
"service": "Azure Expressroute",
"text": "Test ExpressRoute gateway performance to meet work load requirements.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "986e4310-6a7c-469e-bd94-8b8d1c388f51"
},
{
"waf": "performance",
"service": "Azure Expressroute",
"text": "Increase the size of the ExpressRoute gateway.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "68ebf30c-d5f8-4e5a-bafa-9b8ff5aea0cc"
},
{
"waf": "performance",
"service": "Azure Expressroute",
"text": "Upgrade the ExpressRoute circuit bandwidth.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "124c88c4-391e-41fc-be92-f8efd3ae6b71"
},
{
"waf": "performance",
"service": "Azure Expressroute",
"text": "Enable ExpressRoute FastPath for higher throughput.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "21303a27-77fc-4cd0-afab-0080bbbf6501"
},
{
"waf": "performance",
"service": "Azure Expressroute",
"text": "Monitor the ExpressRoute circuit and gateway metrics.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-expressroute.md",
+ "guid": "a77220d0-45e2-4ac9-9f8e-352f4e4848d8"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Test ExpressRoute gateway performance to meet work load requirements.",
"description": "Use Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "71513d98-78dc-49ad-ba19-3d769b03c9bb"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Increase the size of the ExpressRoute gateway.",
"description": "Upgrade to a higher gateway SKU for improved throughput performance between on-premises and Azure environment.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "caa42667-014b-4fb2-9e0a-954e05385785"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Upgrade ExpressRoute circuit bandwidth",
"description": "Upgrade your circuit bandwidth to meet your work load requirements. Circuit bandwidth is shared between all virtual networks connected to the ExpressRoute circuit. Depending on your work load, one or more virtual networks can use up all the bandwidth on the circuit.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "be5fc5f6-92bd-4239-87a0-275d786b8d68"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Enable ExpressRoute FastPath for higher throughput",
"description": "If you're using an Ultra performance or an ErGW3AZ virtual network gateway, you can enable FastPath to improve the data path performance between your on-premises network and Azure virtual network.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a5327e51-9367-4f91-bca2-71b5724e6acb"
},
{
"waf": "Performance",
"service": "Azure Expressroute",
"text": "Monitor ExpressRoute circuit and gateway metrics",
"description": "Set up alerts base on ExpressRoute metrics to proactively notify you when a certain threshold is met. These metrics are useful to understand anomalies that can happen with your ExpressRoute connection such as outages and maintenance happening to your ExpressRoute circuits.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3e5d89cf-a4b0-4624-8a74-c086ce3665ac"
},
{
"waf": "reliability",
"service": "Azure Files",
"text": "Use failure mode analysis: Minimize points of failure by considering internal dependencies such as the availability of virtual networks, Azure Key Vault, or Azure Content Delivery Network or Azure Front Door endpoints. Failures can occur if you need credentials to access Azure Files, and the credentials go missing from Key Vault. Or you might have a failure if your workloads use an endpoint that's based on a missing content delivery network. In these cases, you might need to configure your workloads to connect to an alternative endpoint. For general information about failure mode analysis, see Recommendations for performing failure mode analysis.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "49da89d4-35df-4837-884f-ffa0dc248d0b"
},
{
"waf": "reliability",
"service": "Azure Files",
"text": "Define reliability and recovery targets: Review the Azure service-level agreements (SLAs). Derive the service-level objective (SLO) for the storage account. For example, the redundancy configuration that you chose might affect the SLO. Consider the effect of a regional outage, the potential for data loss, and the time required to restore access after an outage. Also consider the availability of internal dependencies that you identified as part of your failure mode analysis.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "76ae68b8-d5dd-44a0-a0e0-9abec3695316"
},
{
"waf": "reliability",
"service": "Azure Files",
"text": "Configure data redundancy: For maximum durability, choose a configuration that copies data across availability zones or global regions. For maximum availability, choose a configuration that allows clients to read data from the secondary region during an outage of the primary region.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "0363e36d-5971-4e00-8bc6-7e0fd7e00889"
},
{
"waf": "reliability",
"service": "Azure Files",
"text": "Design applications: Design your applications to seamlessly shift so that they read data from a secondary region if the primary region is unavailable. This design consideration only applies to geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS) configurations. Design your applications to properly handle outages, which reduces downtime for customers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "6104ed5f-a4ee-4d87-82dd-1f7bafd7c468"
},
{
"waf": "reliability",
"service": "Azure Files",
"text": "Explore features to help you meet your recovery targets: Make files restorable so that you can recover corrupted, edited, or deleted files.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "a5aa4909-7ee1-421e-a4c6-fa465f9bbdb5"
},
{
"waf": "reliability",
"service": "Azure Files",
"text": "Create a recovery plan: Consider data protection features, backup and restore operations, or failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over. For more information, see Recommendations for designing a disaster recovery strategy.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "02300e9f-94e9-4cbd-b3ca-5c6cf17f2833"
},
{
"waf": "reliability",
"service": "Azure Files",
"text": "Monitor potential availability problems: Subscribe to the Azure Service Health dashboard to monitor potential availability problems. Use storage metrics and diagnostic logs in Azure Monitor to investigate alerts.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "58746f78-dba5-4a3a-b4a5-bdbcb9a00a28"
},
{
"waf": "Reliability",
"service": "Azure Files",
"text": "Configure your storage account for redundancy. For maximum availability and durability, configure your account with\u202fzone-redundant storage (ZRS), GRS, or\u202fGZRS. Limited Azure regions support ZRS for standard and premium file shares. Only standard SMB accounts support GRS and GZRS. Premium SMB shares and NFS shares don't support GRS and GZRS. Azure Files doesn't support read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS). If you configure a storage account to use RA-GRS or RA-GZRS, the file shares are configured and billed as GRS or GZRS.",
"description": "Redundancy protects your data against unexpected failures. The ZRS and GZRS configuration options replicate across various availability zones and enable applications to continue reading data during an outage. For more information, see Durability and availability by outage scenario and Durability and availability parameters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "57930240-9165-4fe1-a7ea-24bc09930158"
},
{
"waf": "Reliability",
"service": "Azure Files",
"text": "Before you initiate a failover or failback, check the value of the last synchronization time property to evaluate the potential for data loss. This recommendation applies only to GRS and GZRS configurations.",
"description": "This property helps you estimate how much data you might lose if you initiate an account failover. All data and metadata that's written before the last synchronization time is available on the secondary region, but you might lose data and metadata that's written after the last synchronization time because it's not written to the secondary region.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f436bbde-bfd0-4be2-85a6-c13f0d79cee1"
},
{
"waf": "Reliability",
"service": "Azure Files",
"text": "As a part of your backup and recovery strategy, enable\u202fsoft delete\u202fand\u202fuse snapshots for point-in-time restore. You can use Azure Backup to back up your SMB file shares. You can also use Azure File Sync to back up on-premises SMB file shares to an Azure file share. Azure Backup also allows you to do a vaulted backup (preview) of Azure Files to protect your data from ransomware attacks or source data loss due to a malicious actor or rogue admin. By using vaulted backup, Azure Backup copies and stores data in the Recovery Services vault. This creates an offsite copy of data that you can retain for up to 99 years. Azure Backup creates and manages the recovery points as per the schedule and retention defined in the backup policy. Learn more.",
"description": "Soft delete works on a file share level to protect Azure file shares against accidental deletion. Point-in-time restore protects against accidental deletion or corruption because you can restore file shares to an earlier state. For more information, see Data protection overview.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0bcee250-521d-467f-94d6-ddeeb20844af"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Review the security baseline for Azure Storage: To get started, review the security baseline for Storage.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "486329dd-f6a9-4714-bab2-0c7da68e2473"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Consider using network controls to restrict ingress and egress traffic: You might be comfortable exposing your storage account to the public internet under certain conditions, like if you use identity-based authentication to grant access to file shares. But we recommend that you use network controls to grant the minimum required level of access to users and applications. For more information, see How to approach network security for your storage account.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "e450fd68-ca8c-4380-96f4-812a146c50a3"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Reduce the attack surface: Use encryption in transit and prevent access over non-secure (HTTP) connections to reduce the attack surface. Require clients to send and receive data by using the latest version of the Transport Layer Security (TLS) protocol.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "57e9b6de-1640-41de-93c5-8306d37660ff"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Minimize the use of storage account keys: Identity-based authentication provides superior security compared to using a storage account key. But you must use a storage account key to get full administrative control of a file share, including the ability to take ownership of a file. Grant security principals only the necessary permissions that they need to perform their tasks.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "88413b43-c031-4930-acbf-fc1d33b7d930"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Protect sensitive information: Protect sensitive information, such as storage account keys and passwords. We don't recommend that you use these forms of authorization, but if you do, you should make sure to rotate, expire, and store them securely.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "5542bb7f-c507-480d-8881-93f7a2854e63"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Detect threats: Enable Microsoft Defender for Storage to detect potentially harmful attempts to access or exploit your Azure file shares over SMB or FileREST protocols. Subscription administrators get email alerts with details of suspicious activity and recommendations about how to investigate and remediate threats. Defender for Storage doesn't support antivirus capabilities for Azure file shares. If you use Defender for Storage, transaction-heavy file shares incur significant costs, so consider opting out of Defender for Storage for specific storage accounts.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "776e5617-ee35-4172-b15b-848e3d5c7c7b"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Apply an Azure Resource Manager lock on the storage account.",
"description": "Lock the account to prevent accidental or malicious deletion of the storage account, which can cause data loss.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5efa7ffa-1cc0-4a74-bd15-c809185ccb58"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Open TCP port 445 outbound or set up a VPN gateway or Azure ExpressRoute connection for clients outside of Azure to access the file share.",
"description": "SMB 3.x is an internet-safe protocol, but you might not have the ability to change organizational or ISP policies. You can use a VPN gateway or an ExpressRoute connection as an alternative option.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bfd07ef0-3cde-4965-bb68-0e382d5704c3"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "If you open port 445, be sure to disable SMBv1 on Windows and Linux clients. Azure Files doesn't support SMB 1, but you should still disable it on your clients.",
"description": "SMB 1 is an outdated, inefficient, and insecure protocol. Disable it on clients to improve your security posture.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ff7ac920-b3a0-4fbd-8434-69b5f5d52d89"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Consider disabling public network access to your storage account. Enable public network access only if SMB clients and services that are external to Azure require access to your storage account. If you disable public network access,create a private endpoint for your storage account. Standard data processing rates for private endpoints apply. A private endpoint doesn't block connections to the public endpoint. You should still disable public network access as previously described. If you don't require a static IP address for your file share and want to avoid the cost of private endpoints, you can instead restrict public endpoint access to specific virtual networks and IP addresses.",
"description": "Network traffic travels over the Microsoft backbone network instead of the public internet, which eliminates risk exposure from the public internet.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "27f96d86-72a7-4c44-8cdd-146d39feefaf"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Enable firewall rules that limit access to specific virtual networks. Start with zero access, and then methodically and incrementally provide the least amount of access required for clients and services.",
"description": "Minimize the risk of creating openings for attackers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bbbb3c40-4a58-4602-87cd-5bb36d95381d"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "When possible, use identity-based authentication with AES-256 Kerberos ticket encryption to authorize access to SMB Azure file shares.",
"description": "Use identity-based authentication to decrease the possibility of an attacker using a storage account key to access file shares.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b8abb5ae-bde5-40bc-b8d4-8518c9dd23c2"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "If you use storage account keys, store them in Key Vault, and make sure to regenerate them periodically. You can completely disallow storage account key access to the file share by removing NTLMv2 from the share's SMB security settings. But you generally shouldn't remove NTLMv2 from the share's SMB security settings because administrators still need to use the account key for some tasks.",
"description": "Use Key Vault to retrieve keys at runtime instead of saving them with your application. Key Vault also makes it easy to rotate your keys without interruption to your applications. Periodically rotate the account keys to reduce the risk of exposing your data to malicious attacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c034b5bc-eaca-4ba4-b9c7-3d427108584d"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "In most cases, you should enable the Secure transfer required option on all your storage accounts to enable encryption in transit for SMB file shares. Don't enable this option if you need to allow very old clients to access the share. If you disable secure transfer, be sure to use network controls to restrict traffic.",
"description": "This setting ensures that all requests that are made against the storage account take place over secure connections (HTTPS). Any requests made over HTTP will fail.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b9cbb598-dcaa-431a-bae0-f8a7909f577b"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Configure your storage account so that TLS 1.2 is the minimum version for clients to send and receive data.",
"description": "TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support modern cryptographic algorithms and cipher suites.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e780c530-cf9a-42d2-8ccc-b32e44ab73cd"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Use only the most recent supported SMB protocol version (currently 3.1.1.), and use only AES-256-GCM for SMB channel encryption. Azure Files exposes settings that you can use to toggle the SMB protocol and make it more compatible or more secure, depending on your organization's requirements. By default, all SMB versions are allowed. However, SMB 2.1 is disallowed if you enable Require secure transfer because SMB 2.1 doesn't support encryption of data in transit. If you restrict these settings to a high level of security, some clients might not be able to connect to the file share.",
"description": "SMB 3.1.1, released with Windows 10, contains important security and performance updates. AES-256-GCM offers more secure channel encryption.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "59fe4bee-d21b-4f74-880f-eb22da54ee6e"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Review the security baseline for Storage: To get started, review the security baseline for Storage.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "c5f40aec-9c2c-4c16-8ae9-f9fdd4733804"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Understand your organization's security requirements: NFS Azure file shares only support Linux clients that use the NFSv4.1 protocol, with support for most features from the 4.1 protocol specification. Some security features, such as Kerberos authentication, access control lists (ACLs), and encryption in transit, aren't supported.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "a07d96be-b231-444c-8b2e-3123950de82f"
},
{
"waf": "security",
"service": "Azure Files",
"text": "Use network-level security and controls to restrict ingress and egress traffic: Identity-based authentication isn't available for NFS Azure file shares, so you must use network-level security and controls to grant the minimum required level of access to users and applications. For more information, see How to approach network security for your storage account.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "b3a2f115-8ee1-401e-a939-f4406b43b460"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Apply a Resource Manager lock on the storage account.",
"description": "Lock the account to prevent accidental or malicious deletion of the storage account, which might cause data loss.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0148ed98-3b9a-4b7f-81c2-8b550f56f793"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "You must open port 2049 on the clients that you want to mount your NFS share to.",
"description": "Open port 2049 to let clients communicate with the NFS Azure file share.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "45ae6fe2-da4c-4e41-9d2c-d9237a619ec6"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "NFS Azure file shares are only accessible through restricted networks. So you must create a private endpoint for your storage account or restrict public endpoint access to selected virtual networks and IP addresses. We recommend that you create a private endpoint. You must configure network-level security for NFS shares because Azure Files doesn't support encryption in transit with the NFS protocol. You need to disable the Require secure transfer setting on the storage account to use NFS Azure file shares. Standard data processing rates apply for private endpoints. If you don't require a static IP address for your file share and want to avoid the cost of private endpoints, you can restrict public endpoint access instead.",
"description": "Network traffic travels over the Microsoft backbone network instead of the public internet, which eliminates risk exposure from the public internet.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8959f137-e162-4b86-a14f-6e96c9fd5494"
},
{
"waf": "Security",
"service": "Azure Files",
"text": "Consider disallowing storage account key access at the storage account level. You don't need this access to mount NFS file shares. But keep in mind that full administrative control of a file share, including the ability to take ownership of a file, requires use of a storage account key.",
"description": "Disallow the use of storage account keys to make your storage account more secure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f7b42a8a-fb21-4101-a256-8bbab4e1bd25"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Decide whether your workload requires the performance of premium file shares (Azure Premium SSD) or if Azure Standard HDD storage is sufficient: Determine your storage account type and billing model based on the type of storage that you need. If you require large amounts of input/output operations per second (IOPS), extremely fast data transfer speeds, or very low latency, then you should choose premium Azure file shares. NFS Azure file shares are only available on the premium tier. NFS and SMB file shares are the same price on the premium tier.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "54bceac0-695d-4d3a-9e50-91fdb4c9f51a"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Create a storage account for your file share, and choose a redundancy level: Choose either a standard (GPv2) or premium (FileStorage) account. The redundancy level that you choose affects cost. The more redundancy, the higher the cost. Locally redundant storage (LRS) is the most affordable. GRS is only available for standard SMB file shares. Standard file shares only show transaction information at the storage account level, so we recommend that you deploy only one file share in each storage account to ensure full billing visibility.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "220f8243-dcba-41cd-95c1-70b8b0cc3bd2"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Understand how your bill is calculated: Standard Azure file shares provide a pay-as-you-go model. Premium shares use a provisioned model in which you specify and pay for a certain amount of capacity, IOPS, and throughput up front. In the pay-as-you-go model, meters track the amount of data that's stored in the account, or the capacity, and the number and type of transactions based on your usage of that data. The pay-as-you-go model can be cost efficient because you pay only for what you use. With the pay-as-you-go model, you don't need to overprovision or deprovision storage based on performance requirements or demand fluctuations.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "6a667592-f9c4-45ba-81c8-bb4841aa8781"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Estimate the cost of capacity and operations: You can use the Azure pricing calculator to model the costs associated with data storage, ingress, and egress. Compare the cost associated with various regions, account types, and redundancy configurations. For more information, see Azure Files pricing.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "c1f59c13-a5f1-4969-a1f4-a3180d9f7a30"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Choose the most cost-effective access tier: Standard SMB Azure file shares offer three access tiers: transaction optimized, hot, and cool. All three tiers are stored on the same standard storage hardware. The main difference for these three tiers is their data at rest storage prices, which are lower in cooler tiers, and the transaction prices, which are higher in cooler tiers. For more information, see Differences in standard tiers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "f3dd18d1-9937-413e-99a6-6abbe25b574c"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Decide which value-added services you need: Azure Files supports integrations with value-added services such as Backup, Azure File Sync, and Defender for Storage. These solutions have their own licensing and product costs but are often considered part of the total cost of ownership for file storage. Consider other cost aspects if you use Azure File Sync.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "318fe019-cffa-4ca1-aa56-e00d1df86fe2"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Create guardrails: Create budgets based on subscriptions and resource groups. Use governance policies to restrict resource types, configurations, and locations. Additionally, use role-based access control (RBAC) to block actions that can lead to overspending.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "a5675d94-de9f-44b1-8b21-f8032cdf3f3d"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Monitor costs: Ensure costs stay within budgets, compare costs against forecasts, and see where overspending occurs. You can use the cost analysis pane in the Azure portal to monitor costs. You can also export cost data to a storage account, and use Excel or Power BI to analyze that data.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "5473960a-7ac3-44a0-8d01-695132b782cd"
},
{
"waf": "cost",
"service": "Azure Files",
"text": "Monitor usage: Continuously monitor usage patterns to detect unused or underused storage accounts and file shares. Check for unexpected increases in capacity, which might indicate that you're collecting numerous log files or soft-deleted files. Develop a strategy for deleting files or moving files to more cost-effective access tiers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "a294f2dd-cd4f-42f7-80d8-798759c799e4"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "When you migrate to standard Azure file shares, we recommend that you start in the transaction-optimized tier during the initial migration. Transaction usage during migration isn't typically indicative of normal transaction usage. This consideration doesn't apply for premium file shares because the provisioned billing model doesn't charge for transactions.",
"description": "Migrating to Azure Files is a temporary, transaction-heavy workload. Optimize the price for high-transaction workloads to help reduce migration costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "72b9477f-3c39-4633-a052-90b1203f9be5"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "After you migrate your workload, if you use standard file shares, carefully choose the most cost effective access tier for your file share: hot, cool, or transaction optimized. After you operate for a few days or weeks with regular usage, you can insert your transaction counts in the pricing calculator to figure out which tier best suits your workload. Most customers should choose cool even if they actively use the share. But you should examine each share and compare the balance of storage capacity to transactions to determine your tier. If transaction costs make up a significant percentage of your bill, the savings from using the cool access tier often offsets this cost and minimizes the total overall cost. We recommend that you move standard file shares between access tiers only when necessary to optimize for changes in your workload pattern. Each move incurs transactions. For more information, see Switching between standard tiers.",
"description": "Select the appropriate access tier for standard file shares to considerably reduce your costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9dd18ccf-33eb-4da0-9710-7b3d64290faa"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "If you use premium shares, ensure that you provision more than enough capacity and performance for your workload but not so much that you incur unnecessary costs. We recommend overprovisioning by two to three times. You can dynamically scale premium file shares up or down depending on your storage and input/output (IO) performance characteristics.",
"description": "Overprovision premium file shares by a reasonable amount to help maintain performance and account for future growth and performance requirements.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "11b05f06-7a9a-4f25-9816-f41f893897b4"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "Use Azure Files reservations, also referred to as reserved instances, to precommit to storage usage and get a discount. Use reservations for production workloads or dev/test workloads with consistent footprints. For more information, see Optimize costs with storage reservations. Reservations don't include transaction, bandwidth, data transfer, and metadata storage charges.",
"description": "Three-year reservations can provide a discount up to 36% on the total cost of file storage. Reservations don't affect performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f455ac95-f1e3-4a9a-9fab-044e7faeff2f"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "Monitor snapshot usage. Snapshots incur charges, but they're billed based on the differential storage usage of each snapshot. You pay only for the difference in each snapshot. For more information, see Snapshots. Azure File Sync takes share-level and file-level snapshots as part of regular usage, which can increase your total Azure Files bill.",
"description": "Differential snapshots ensure that you're not billed multiple times for storing the same data. However, you should still monitor snapshot usage to help reduce your Azure Files bill.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f3715e13-e5c7-4830-b1a0-4319523efab1"
},
{
"waf": "Cost",
"service": "Azure Files",
"text": "Set retention periods for the soft-delete feature, especially when you first start using it. Consider starting with a short retention period to better understand how the feature affects your bill. The minimum recommended retention period is seven days. When you soft delete standard and premium file shares, they're billed as used capacity rather than provisioned capacity. And premium file shares are billed at the snapshot rate while in the soft-delete state. Standard file shares are billed at the regular rate while in the soft-delete state.",
"description": "Set a retention period so that soft-deleted files don't pile up and increase the cost of capacity. After the configured retention period, permanently deleted data doesn't incur cost.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bb6048c7-29fd-4388-aa22-de89fdbb39ea"
},
{
"waf": "operations",
"service": "Azure Files",
"text": "Create maintenance and emergency recovery plans: Consider data protection features, backup and restore operations, and failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "7de2699b-2c67-4b05-90a4-45d6c9d6693a"
},
{
"waf": "operations",
"service": "Azure Files",
"text": "Monitor the health of your storage account: Create Storage insights dashboards to monitor availability, performance, and resiliency metrics. Set up alerts to identify and address problems in your system before your customers notice them. Use diagnostic settings to route resource logs to an Azure Monitor Logs workspace. Then you can query logs to investigate alerts more deeply.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "b860ac4e-04bd-4fca-bbe3-b6d4659a3a62"
},
{
"waf": "operations",
"service": "Azure Files",
"text": "Periodically review file share activity: Share activity can change over time. Move standard file shares to cooler access tiers, or you can provision or deprovision capacity for premium shares. When you move standard file shares to a different access tier, you incur a transaction charge. Move standard file shares only when needed to reduce your monthly bill.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "b7ee3665-5f27-4d59-89d1-ab99c6dba955"
},
{
"waf": "Operations",
"service": "Azure Files",
"text": "Use infrastructure as code (IaC) to define the details of your storage accounts in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.",
"description": "You can use your existing DevOps processes to deploy new storage accounts, and use Azure Policy to enforce their configuration.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6a7d5ccf-3cbf-468c-84cb-d5bdee7c7f3d"
},
{
"waf": "Operations",
"service": "Azure Files",
"text": "Use Storage insights to track the health and performance of your storage accounts. Storage insights provides a unified view of the failures, performance, availability, and capacity for all your storage accounts.",
"description": "You can track the health and operation of each of your accounts. Easily create dashboards and reports that stakeholders can use to track the health of your storage accounts.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5fff0543-7133-4501-bd87-ea55392c6a7e"
},
{
"waf": "Operations",
"service": "Azure Files",
"text": "Use Monitor to analyze metrics, such as availability, latency, and usage, and to create alerts.",
"description": "Monitor provides a view of availability, performance, and resiliency for your file shares.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9e6f3601-b1cc-47e4-9f7e-715ec473b941"
},
{
"waf": "performance",
"service": "Azure Files",
"text": "Plan for scale: Understand the scalability and performance targets for storage accounts, Azure Files, and Azure File Sync.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "606bb21e-2197-4b38-89bd-3cf48e053a7d"
},
{
"waf": "performance",
"service": "Azure Files",
"text": "Understand your application and usage patterns to achieve predictable performance: Determine latency sensitivity, IOPS and throughput requirements, workload duration and frequency, and workload parallelization. Use Azure Files for multi-threaded applications to help you achieve the upper performance limits of a service. If most of your requests are metadata-centric, such as createfile, openfile, closefile, queryinfo, or querydirectory, the requests create poor latency that's higher than the read and write operations. If you have this problem, consider separating the file share into multiple file shares within the same storage account.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "de7e1635-911b-43e8-a887-95b8e13778d1"
},
{
"waf": "performance",
"service": "Azure Files",
"text": "Choose the optimal storage account type: If your workload requires large amounts of IOPS, extremely fast data transfer speeds, or very low latency, then you should choose premium (FileStorage) storage accounts. You can use a standard general-purpose v2 account for most SMB file share workloads. The primary tradeoff between the two storage account types is cost versus performance.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "6014ae08-0163-41c5-84ea-1467ad0d98ee"
},
{
"waf": "performance",
"service": "Azure Files",
"text": "Create storage accounts in the same regions as connecting clients to reduce latency: The farther you are from the Azure Files service, the greater the latency and the more difficult to achieve performance scale limits. This consideration is especially true when you access Azure Files from on-premises environments. If possible, ensure that your storage account and your clients are co-located in the same Azure region. Optimize for on-premises clients by minimizing network latency or by using an ExpressRoute connection to extend on-premises networks into the Microsoft cloud over a private connection.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "056cff2c-647d-41c8-82b0-f3ce60d82973"
},
{
"waf": "performance",
"service": "Azure Files",
"text": "Collect performance data: Monitor workload performance, including latency, availability, and usage metrics. Analyze logs to diagnose problems such as timeouts and throttling. Create alerts to notify you if a file share is being throttled, about to be throttled, or experiencing high latency.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "b67e8471-7d96-4b52-83d2-622c83758327"
},
{
"waf": "performance",
"service": "Azure Files",
"text": "Optimize for hybrid deployments: If you use Azure File Sync, sync performance depends on many factors: your Windows Server and the underlying disk configuration, network bandwidth between the server and the Azure storage, file size, total dataset size, and the activity on the dataset. To measure the performance of a solution that's based on Azure File Sync, determine the number of objects, such as files and directories, that you process per second.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-files.md",
+ "guid": "06194a9a-646b-40f8-81df-2cffae089d7b"
},
{
"waf": "Performance",
"service": "Azure Files",
"text": "Enable SMB Multichannel for premium SMB file shares. SMB Multichannel allows an SMB 3.1.1 client to establish multiple network connections to an SMB Azure file share. SMB Multichannel only works when the feature is enabled on both client-side (your client) and service-side (Azure). On Windows clients, SMB Multichannel is enabled by default, but you need to enable it on your storage account.",
"description": "Increase throughput and IOPS while reducing the total cost of ownership. Performance benefits increase with the number of files that distribute load.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "877da8a6-ccba-4655-a550-a1d0b01c13fc"
},
{
"waf": "Performance",
"service": "Azure Files",
"text": "Use the nconnect client-side mount option with NFS Azure file shares on Linux clients. Nconnect enables you to use more TCP connections between the client and the Azure Files premium service for NFSv4.1.",
"description": "Increase performance at scale, and reduce the total cost of ownership for NFS file shares.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "830493d9-b872-469b-8248-88a098ae834f"
},
{
"waf": "Performance",
"service": "Azure Files",
"text": "Make sure your file share or storage account isn't being throttled, which can result in high latency, low throughput, or low IOPS. Requests are throttled when the IOPS, ingress, or egress limits are reached. For standard storage accounts, throttling occurs at the account level. For premium file shares, throttling usually occurs at the share level.",
"description": "Avoid throttling to provide the best possible client experience.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1ba7c827-9dea-42c2-ae8f-6a8399bedf94"
},
{
"waf": "reliability",
"service": "Azure Firewall",
"text": "Deploy Azure Firewall in hub virtual networks or as part of Azure Virtual WAN hubs.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "29c79d8a-974d-4768-9036-6b7c3980258b"
},
{
"waf": "reliability",
"service": "Azure Firewall",
"text": "Leverage Availability Zones resiliency.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "59945fc0-9f70-4b5d-a8b6-2ac38dc2508d"
},
{
"waf": "reliability",
"service": "Azure Firewall",
"text": "Create Azure Firewall Policy structure.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "457a41f6-6cc9-48a8-b16b-01f2312b6537"
},
{
"waf": "reliability",
"service": "Azure Firewall",
"text": "Review the Known Issue list.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "8af18b41-9be2-4bb2-aaac-8c2a5734539a"
},
{
"waf": "reliability",
"service": "Azure Firewall",
"text": "Monitor Azure Firewall health state.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "4ab78087-97ce-4ec5-ab5d-f67e47b20854"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Use Azure Firewall Manager with traditional Hub & Spokes or Azure Virtual WAN network topologies to deploy and manage instances of Azure Firewall.",
"description": "Easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection. For more information on network topologies, see the Azure Cloud Adoption Framework documentation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "22e4993d-53d4-4655-84fa-4d1bc8523e41"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Create Azure Firewall Policies to govern the security posture across global network environments. Assign policies to all instances of Azure Firewall.",
"description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Delegate incremental firewall policies to local security teams through role-based access control (RBAC). Some settings are specific per instance, for example DNAT Rules and DNS configuration, then multiple specialized policies might be required.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "965fde84-1253-4833-93bc-9476a10ce2ad"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Migrate Azure Firewall Classic Rules to Azure Firewall Manager Policies for existing deployments.",
"description": "For existing deployments, migrate Azure Firewall rules to Azure Firewall Manager policies. Use Azure Firewall Manager to centrally manage your firewalls and policies. For more information, see Migrate to Azure Firewall Premium.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "15329f1b-13d3-43a7-b76c-d110d7933148"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Review the list of Azure Firewall Known Issues.",
"description": "Azure Firewall Product Group maintains an updated list of known-issues at this location. This list contains important information related to by-design behavior, fixes under construction, platform limitations, along with possible workarounds or mitigation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8af66a9f-689a-4e52-a9f1-08cf07f86047"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Ensure your Azure Firewall Policy adheres to Azure Firewall limits and recommendations.",
"description": "There are limits on the policy structure, including numbers of Rules and Rule Collection Groups, total policy size, source/target destinations. Be sure to compose your policy and stay behind the documented thresholds.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c673cfb7-5f2f-40ff-a878-c4ffeb26acd9"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Deploy Azure Firewall across multiple availability zones for higher service-level agreement (SLA).",
"description": "Azure Firewall provides different SLAs when it's deployed in a single availability zone and when it's deployed in multiple zones. For more information, see SLA for Azure Firewall. For information about all Azure SLAs, see SLA summary for Azure services.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bc96dc36-32aa-404b-b450-aaacf0b1becc"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "In multi-region environments, deploy an Azure Firewall instance per region.",
"description": "For traditional Hub & Spokes architectures, multi-region details are explained in this article. For secured virtual hubs (Azure Virtual WAN), Routing Intent and Policies must be configured to secure inter-hub and branch-to-branch communications. For workloads designed to be resistant to failures and fault tolerant, remember to consider that instances of Azure Firewall and Azure Virtual Network as regional resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "82ee097d-7480-4896-92e9-78b3b335cfcb"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Monitor Azure Firewall Metrics and Resource Health state.",
"description": "Closely monitor key metrics indicator of Azure Firewall health state such as Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics. Additionally, Azure Firewall now integrates with Azure Resource Health. With the Azure Firewall Resource Health check, you can now view the health status of your Azure Firewall and address service problems that might affect your Azure Firewall resource.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "778a05b2-ee67-42f2-b35e-0adfe817cded"
},
{
"waf": "security",
"service": "Azure Firewall",
"text": "Determine if you need Forced Tunneling.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "f3ff369e-56ed-45da-ad6a-c135803249ba"
},
{
"waf": "security",
"service": "Azure Firewall",
"text": "Create rules for Policies based on least privilege access criteria.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "a8db6917-b19a-4e97-a797-97a3cc882b45"
},
{
"waf": "security",
"service": "Azure Firewall",
"text": "Leverage Threat Intelligence.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "dbfeaa71-3a9d-4c45-b68c-05fd8ccd6d66"
},
{
"waf": "security",
"service": "Azure Firewall",
"text": "Enable Azure Firewall DNS proxy.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "eb9ee852-eda8-41a8-917d-4a5a25a6d866"
},
{
"waf": "security",
"service": "Azure Firewall",
"text": "Direct network traffic through Azure Firewall.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "0d173bba-16e4-4779-bbc6-b18447718271"
},
{
"waf": "security",
"service": "Azure Firewall",
"text": "Determine if you want to use third-party security as a service (SECaaS) providers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "6cf7bc2c-7416-48d1-8966-05f18b4c77dc"
},
{
"waf": "security",
"service": "Azure Firewall",
"text": "Protect your Azure Firewall public IP addresses with DDoS.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "b64f5de8-7f72-4545-a18e-9e75bc46a712"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "If required to route all internet-bound traffic to a designated next hop instead of going directly to the internet, configure Azure Firewall in forced tunneling mode (does not apply to Azure Virtual WAN).",
"description": "Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in the forced tunneling mode. Using the forced tunneling feature, you'll need another /26 address space for the Azure Firewall Management subnet. You're required to name it AzureFirewallManagementSubnet.If this is an existing Azure Firewall instance that can't be reconfigured in the forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. Associate it with AzureFirewallSubnet to maintain internet connectivity.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "00be10aa-262b-44b5-a82a-8c68aad4cccd"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in the forced tunneling mode (does not apply to Azure Virtual WAN).",
"description": "When you deploy a new Azure Firewall instance, if you enable the forced tunneling mode, you can set the public IP address to None to deploy a fully private data plane. However, the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks won't use that public IP. For more about forced tunneling, see Azure Firewall forced tunneling.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0b4f833f-2a39-4d49-85b2-221317d24865"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Create rules for Firewall Policies based on least privilege access criteria.",
"description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Each policy can contains different sets of DNAT, Network and Application rules with specific priority, action and processing order. Create your rules based on least privilege access Zero Trust principle . How rules are processed is explained in this article.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "eea03b99-3b97-4c7a-b1ab-76404535a87f"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Enable IDPS in Alert or Alert and deny mode.",
"description": "IDPS is one of the most powerful Azure Firewall (Premium) security features and should be enabled. Based on security and application requirements, and considering the performance impact (see the Cost section below), Alert or Alert and deny modes can be selected.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "25ca3e7f-b569-4ddf-8f50-3577a7f8a86c"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Enable Azure Firewall (DNS) proxy configuration.",
"description": "Enabling this feature points clients in the VNets to Azure Firewall as a DNS server. It will protect internal DNS infrastructure that will not be directly accessed and exposed. Azure Firewall must be also configured to use custom DNS that will be used to forward DNS queries.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "35c2f653-acd6-471c-91a9-f7e4a3fcce3e"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Configure user-defined routes (UDR) to force traffic through Azure Firewall.",
"description": "In a traditional Hub & Spokes architecture, configure UDRs to force traffic through Azure Firewall for `SpoketoSpoke`, `SpoketoInternet`, and `SpoketoHybrid` connectivity. In Azure Virtual WAN, instead, configure Routing Intent and Policies to redirect private and/or Internet traffic through the Azure Firewall instance integrated into the hub.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0eb2861e-50ba-479a-93d2-ca98a617e5fb"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "If not possible to apply UDR, and only web traffic redirection is required, consider using Azure Firewall as an Explicit Proxy",
"description": "With explicit proxy feature enabled on the outbound path, you can configure a proxy setting on the sending web application (such as a web browser) with Azure Firewall configured as the proxy. As a result, web traffic will reach the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the usage of multiple firewalls without modifying existing network routes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "24f05ffb-5b19-4ff8-8168-0884bfd131cd"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Configure supported third-party software as a service (SaaS) security providers within Firewall Manager if you want to use these solutions to protect outbound connections.",
"description": "You can use your familiar, best-in-breed, third-party SECaaS offerings to protect internet access for your users. This scenario does require Azure Virtual WAN with a S2S VPN Gateway in the Hub, as it uses an IPSec tunnel to connect to the provider's infrastructure. SECaaS providers might charge additional license fees and limit throughput on IPSec connections. Alternative solutions such as ZScaler Cloud Connector exist and might be more suitable.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b1b6c964-c59a-42fb-85fe-61e5ec11da56"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Fully Qualified Domain Name (FQDN) filtering in network rules.",
"description": "You can use FQDN based on DNS resolution in Azure Firewall and firewall policies. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable the Azure Firewall DNS Proxy configuration to use FQDNs in your network rules. To learn how it works, see Azure Firewall FQDN filtering in network rules.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "edad73e6-11f4-4f3d-ad4d-85a803631d88"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Service Tags in Network Rules to enable selective access to specific Microsoft services.",
"description": "A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. Using Service Tags in Network Rules, it is possible to enable outbound access to specific services in Azure, Dynamics and Office 365 without opening wide ranges of IP addresses. Azure will maintain automatically the mapping between these tags and underlying IP addresses used by each service. The list of Service Tags available to Azure Firewall are listed here: Az Firewall Service Tags.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2747c05a-f1a0-44e2-918a-f673f409e9aa"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use FQDN Tags in Application Rules to enable selective access to specific Microsoft services.",
"description": "An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for some specific Azure services, Office 365, Windows 365 and Intune.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2ee28c36-0f0e-4da4-96a9-985f44b29615"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Azure Firewall Manager to create and associate a DDoS protection plan with your hub virtual network (does not apply to Azure Virtual WAN).",
"description": "A DDoS protection plan provides enhanced mitigation features to defend your firewall from DDoS attacks. Azure Firewall Manager is an integrated tool to create your firewall infrastructure and DDoS protection plans. For more information, see Configure an Azure DDoS Protection Plan using Azure Firewall Manager.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1b052318-dd38-486c-97f3-b20c584c1bcd"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use an Enterprise PKI to generate certificates for TLS Inspection.",
"description": "With Azure Firewall Premium, if TLS Inspection feature is used, it is recommended to leverage an internal Enterprise Certification Authority (CA) for production environment. Self-signed certificates should be used for testing/PoC purposes only.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c5db7b18-fa0c-48be-a754-ddb21f1acdcb"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Review Zero-Trust configuration guide for Azure Firewall and Application Gateway",
"description": "If your security requirements necessitate implementing a Zero-Trust approach for web applications (inspection and encryption), it is recommended to follow this guide. In this document, how to integrate together Azure Firewall and Application Gateway will be explained, in both traditional Hub & Spoke and Virtual WAN scenarios.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "96522d15-f2d0-41d0-b021-c87b47bf8b59"
},
{
"waf": "cost",
"service": "Azure Firewall",
"text": "Select the Azure Firewall SKU to deploy.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "e23cca89-b750-4a14-8187-038aa999ab81"
},
{
"waf": "cost",
"service": "Azure Firewall",
"text": "Determine if some instances don't need permanent 24x7 allocation.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "c606fee7-9b75-4ce1-921f-aac5591768f8"
},
{
"waf": "cost",
"service": "Azure Firewall",
"text": "Determine where you can optimize firewall use across workloads.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "b68aec37-acbd-4101-be19-3e99e8d641f6"
},
{
"waf": "cost",
"service": "Azure Firewall",
"text": "Monitor and optimize firewall instances usage to determine cost-effectiveness.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "5f8eaf16-cabf-4fc4-82f9-1b9069b3bac2"
},
{
"waf": "cost",
"service": "Azure Firewall",
"text": "Review and optimize the number of public IP addresses required and Policies used.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "c88ea77e-1e9c-4d30-8b5e-c5e35cd4d93f"
},
{
"waf": "cost",
"service": "Azure Firewall",
"text": "Review logging requirements, estimate cost and control over time.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "ed8185a5-8f3a-402b-bd40-a3db15b390fd"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Deploy the proper Azure Firewall SKU.",
"description": "Azure Firewall can be deployed in three different SKUs: Basic, Standard and Premium. Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). Azure Firewall Standard is recommended for customers looking for Layer 3\u2013Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. Azure Firewall Basic is recommended for SMB customers with throughput needs of 250 Mbps. If required, downgrade or upgrade is possible between Standard and Premium as documented here. For more information, see Choose the right Azure Firewall SKU to meet your needs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f91761cf-5135-4dc1-bebc-0f25ebd32c55"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Stop Azure Firewall deployments that don't need to run for 24x7.",
"description": "You might have development or testing environments that are used only during business hours. For more information, see Deallocate and allocate Azure Firewall.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e3cd59af-4664-4d35-b291-45076f5452bd"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Share the same instance of Azure Firewall across multiple workloads and Azure Virtual Networks.",
"description": "You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same firewall across many spoke virtual networks that are connected to the same hub from the same region. Ensure there's no unexpected cross-region traffic as part of the hub-spoke topology.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0648162b-e60c-4625-811d-8e844e53d297"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Regularly review traffic processed by Azure Firewall and look for originating workload optimizations",
"description": "Top Flows log (known in the industry as Fat Flows), shows the top connections that are contributing to the highest throughput through the firewall. It is recommended to regularly review traffic processed by the Azure Firewall and search for possible optimizations to reduce the amount of traffic traversing the firewall.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c6b65421-d9c6-46aa-85c5-9e891c888744"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Review under-utilized Azure Firewall instances. Identify and delete unused Azure Firewall deployments.",
"description": "To identify unused Azure Firewall deployments, start by analyzing the monitoring metrics and UDRs associated with subnets pointing to the firewall's private IP. Combine that information with other validations, such as if your instance of Azure Firewall has any rules (classic) for NAT, Network and Application, or even if the DNS Proxy setting is configured to Disabled, and with internal documentation about your environment and deployments. You can detect deployments that are cost-effective over time. For more information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ef951ddc-d36a-4194-a039-48af1cd3b1dd"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Use Azure Firewall Manager and its Policies to reduce operational costs, increase efficiency, and reduce management overhead.",
"description": "Review your Firewall Manager policies, associations, and inheritance carefully. Policies are billed based on firewall associations. A policy with zero or one firewall association is free of charge. A policy with multiple firewall associations is billed at a fixed rate.For more information, see Pricing - Azure Firewall Manager.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a8ac7739-8682-4369-84c6-e0fd8185f1a6"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Delete unused public IP addresses.",
"description": "Validate whether all the associated public IP addresses are in use. If they aren't in use, disassociate and delete them. Evaluate SNAT port utilization before removing any IP addresses.You'll only use the number of public IPs your firewall needs. For more information, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "01e92d97-de38-46fd-a4b3-a180301ada9b"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Review logging requirements.",
"description": "Azure Firewall has the ability to comprehensively log metadata of all traffic it sees, to Log Analytics Workspaces, Storage or third party solutions through Event Hubs. However, all logging solutions incur costs for data processing and storage. At very large volumes these costs can be significant, a cost effective approach and alternative to Log Analytics should be considered and cost estimated. Consider whether it is required to log traffic metadata for all logging categories and modify in Diagnostic Settings if needed.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9fba472e-101a-4d6c-b9e9-762ce0e6035d"
},
{
"waf": "operations",
"service": "Azure Firewall",
"text": "Maintain inventory and backup of Azure Firewall configuration and Policies.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "3309c420-34ee-475f-983a-d258c92d73d1"
},
{
"waf": "operations",
"service": "Azure Firewall",
"text": "Leverage diagnostic logs for firewall monitoring and troubleshooting.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "32f7e307-f271-46d7-a0ea-e32ce5cf5f9a"
},
{
"waf": "operations",
"service": "Azure Firewall",
"text": "Leverage Azure Firewall Monitoring workbook.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "35c3a850-dd12-46fc-8748-d8e549a9b70e"
},
{
"waf": "operations",
"service": "Azure Firewall",
"text": "Regularly review your Policy insights and analytics.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "bc079e69-8f2f-43e6-94a7-61a05d1dd447"
},
{
"waf": "operations",
"service": "Azure Firewall",
"text": "Integrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "9b0b7514-18c1-4687-8a29-66e9e15c570d"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Do not use Azure Firewall for intra-VNet traffic control.",
"description": "Azure Firewall should be used to control traffic across VNets, between VNets and on-premises networks, outbound traffic to the Internet and incoming non-HTTP/s traffic. For intra-VNet traffic control, it is recommended to use Network Security Groups.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0405f896-a746-4bd5-831e-9914e4cb840f"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Maintain regular backups of Azure Policy artifacts.",
"description": "If Infrastructure-as-Code (IaC) approach is used to maintain Azure Firewall and all dependencies then backup and versioning of Azure Firewall Policies should be already in place. If not, a companion mechanism based on external Logic App can be deployed to automate and provide an effective solution.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1fe21c62-7800-4bd8-b1ed-b13c020a0759"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Enable Diagnostic Logs for Azure Firewall.",
"description": "Diagnostic Logs is a key component for many monitoring tools and strategies for Azure Firewall and should be enabled. You can monitor Azure Firewall by using firewall logs or workbooks. You can also use activity logs for auditing operations on Azure Firewall resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "afcc1df9-da67-4db4-a2d4-bad67422d890"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Use Structured Firewall Logs format.",
"description": "Structured Firewall Logs are a type of log data that are organized in a specific new format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze. The latest monitoring tools are based on this type of logs hence it is often a pre-requisite. Use the previous Diagnostic Logs format only if there is an existing tool with a pre-requisite on that. Do not enable both logging formats at the same time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4f3d5677-801a-48f2-834c-4a2326a6a1c8"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Use the built-in Azure Firewall Monitoring Workbook.",
"description": "Azure Firewall portal experience now includes a new workbook under the Monitoring section UI, a separate installation is no more required. With the Azure Firewall Workbook, you can extract valuable insights from Azure Firewall events, delve into your application and network rules, and examine statistics regarding firewall activities across URLs, ports, and addresses.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c108c3a4-1cb0-4b5f-84dc-060e313574c4"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Monitor key metrics and create alerts for indicators of the utilization of Azure Firewall capacity.",
"description": "Alerts should be created to monitor at least Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics.For information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "912d5cba-1c0b-4a40-8ec0-81e5492c3023"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Configure Azure Firewall integration with Microsoft Defender for Cloud and Microsoft Sentinel.",
"description": "If these tools are available in the environment, it is recommended to leverage integration with Microsoft Defender for Cloud and Microsoft Sentinel solutions. With Microsoft Defender for Cloud integration, you can visualize the all-up status of network infrastructure and network security in one place, including Azure Network Security across all VNets and Virtual Hubs spread across different regions in Azure. Integration with Microsoft Sentinel provides threat detection and prevention capabilities.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e900c615-4865-4658-8cba-0d0f5fb6d169"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Regularly review Policy Analytics dashboard to identify potential issues.",
"description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8ad68872-c312-4c23-9f23-be376493dfdb"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Become familiar with KQL (Kusto Query Language) queries to allow quick analysis and troubleshooting using Azure Firewall logs.",
"description": "Sample queries are provided for Azure Firewall. Those will enable you to quickly identify what's happening inside your firewall and check to see which rule was triggered, or which rule is allowing/blocking a request.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bc0c5e49-a3d6-4d3d-b95d-aa96ce824f4b"
},
{
"waf": "performance",
"service": "Azure Firewall",
"text": "Regularly review and optimize firewall rules.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "0a96b331-2efc-47d2-8e25-f5c57b890ea9"
},
{
"waf": "performance",
"service": "Azure Firewall",
"text": "Review policy requirements and opportunities to summarize IP ranges and URLs list.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "be71278e-b14a-4c1b-9007-b7513095b138"
},
{
"waf": "performance",
"service": "Azure Firewall",
"text": "Assess your SNAT port requirements.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "503f63e3-bdd2-4e37-9a44-644670d204f0"
},
{
"waf": "performance",
"service": "Azure Firewall",
"text": "Plan load tests to test auto-scale performance in your environment.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "5dcb4cd3-a501-4d37-b2a6-3f59c3e1bd32"
},
{
"waf": "performance",
"service": "Azure Firewall",
"text": "Do not enable diagnostic tools and logging if not required.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-firewall.md",
+ "guid": "565d2322-9a28-4f3d-a657-95391fa683a5"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Use Policy Analytics dashboard to identify potential optimizations for Firewall Policies.",
"description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e104f2f7-c376-4ed8-b536-a10a16be484d"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Consider Web Categories to allow or deny outbound access in bulk.",
"description": "Instead of explicitly building and maintaining a long list of public Internet sites, consider the usage of Azure Firewall Web Categories. This feature will dynamically categorize web content and will permit the creation of compact Application Rules.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0fb0141c-f1ac-4149-a10c-4b7954050b12"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Evaluate the performance impact of IDPS in Alert and deny mode.",
"description": "If Azure Firewall is required to operate in IDPS mode Alert and deny, carefully consider the performance impact as documented in this page.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "9263120f-b82d-4784-9c9a-73941e85079b"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Assess potential SNAT port exhaustion problem.",
"description": "Azure Firewall currently supports 2496 ports per Public IP address per backend Virtual Machine Scale Set instance. By default, there are two Virtual Machine Scale Set instances. So, there are 4992 ports per flow destination IP, destination port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances. You can work around the limits by configuring Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b2acb591-6e44-49f2-97f9-1196094776f3"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Properly warm up Azure Firewall before any performance test.",
"description": "Create initial traffic that isn't part of your load tests 20 minutes before the test. Use diagnostics settings to capture scale-up and scale-down events. You can use the Azure Load Testing service to generate the initial traffic. Allows the Azure Firewall instance to scale up its instances to the maximum.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0ec844d3-4b8c-41ee-ad0a-89c2b23f007b"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Configure an Azure Firewall subnet (AzureFirewallSubnet) with a /26 address space.",
"description": "Azure Firewall is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the instance of Azure Firewall. Azure Firewall provisions more capacity as it scales.A /26 address space for its subnets ensures that the firewall has enough IP addresses available to accommodate the scaling. Azure Firewall doesn't need a subnet bigger than /26. The Azure Firewall subnet name must be AzureFirewallSubnet.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d1510802-2f00-4995-8a04-fbebce7fe966"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Do not enable advanced logging if not required",
"description": "Azure Firewall provides some advanced logging capabilities that can be expensive to maintain always active. Instead, they should be used for troubleshooting purposes only, and limited in duration, then disabled when no more necessary. For example, Top flows and Flow trace logs are expensive can cause excessive CPU and storage usage on the Azure Firewall infrastructure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "60d6a84a-dcc9-4fbb-a68f-810341b9253c"
},
{
"waf": "reliability",
"service": "Azure Front Door",
"text": "Estimate the traffic pattern and volume. The number of requests from the client to the Azure Front Door edge might influence your tier choice. If you need to support a high volume of requests, consider the Azure Front Door Premium tier because performance ultimately impacts availability. However, there's a cost tradeoff. These tiers are described in Performance Efficiency.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "fd9f0940-7c31-4ed9-bd8c-5e927973c6c5"
},
{
"waf": "reliability",
"service": "Azure Front Door",
"text": "Choose your deployment strategy. The fundamental deployment approaches are active-active and active-passive. Active-active deployment means that multiple environments or stamps that run the workload serve traffic. Active-passive deployment means that only the primary region handles all traffic, but it fails over to the secondary region when necessary. In a multiregion deployment, stamps run in different regions for higher availability with a global load balancer, like Azure Front Door, that distributes traffic. Therefore, it's important to configure the load balancer for the appropriate deployment approach.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "1bc246b5-fba0-4047-bfaf-e5b677c6d003"
},
{
"waf": "reliability",
"service": "Azure Front Door",
"text": "Use the same host name on Azure Front Door and origin servers. To ensure that cookies or redirect URLs work properly, preserve the original HTTP host name when you use a reverse proxy, like a load balancer, in front of a web application.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "70c56b7a-a811-4c35-9fe0-939d9e866854"
},
{
"waf": "reliability",
"service": "Azure Front Door",
"text": "Implement the health endpoint monitoring pattern. Your application should expose health endpoints, which aggregate the state of the critical services and dependencies that your application needs to serve requests. Azure Front Door health probes use the endpoint to detect origin servers' health. For more information, see Health Endpoint Monitoring pattern.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "c30bd721-eb70-4887-8b8a-ce38e47ec178"
},
{
"waf": "reliability",
"service": "Azure Front Door",
"text": "Take advantage of the built-in content delivery network functionality in Azure Front Door. The content delivery network feature of Azure Front Door has hundreds of edge locations and can help withstand distributed denial of service (DDoS) attacks. These capabilities help improve reliability.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "ec18a3d4-61d5-4247-aa88-acbf11a339df"
},
{
"waf": "reliability",
"service": "Azure Front Door",
"text": "Consider a redundant traffic management option. Azure Front Door is a globally distributed service that runs as a singleton in an environment. Azure Front Door is a potential single point of failure in the system. If the service fails, then clients can't access your application during the downtime.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "5a88863f-43e9-48c7-8346-cf797fa4e4fa"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.",
"description": "You can select the best origin resource by using a series of decision steps and your design. The selected origin serves traffic within the allowable latency range in the specified ratio of weights.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2de15aa6-f607-4487-8972-2267a304f313"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.",
"description": "Multiple origins support redundancy by distributing traffic across multiple instances of the application. If one instance is unavailable, then other back-end origins can still receive traffic.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d5494be7-6a79-4d3f-bf44-ebe88788cd95"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Set up health probes on the origin. Configure Azure Front Door to conduct health checks to determine if the back-end instance is available and ready to continue receiving requests.",
"description": "Enabled health probes are part of the health monitoring pattern implementation. Health probes make sure that Azure Front Door only routes traffic to instances that are healthy enough to handle requests. For more information, see Best practices on health probes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "803e063d-1267-43c9-9878-54b1f3bb33b1"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout. For more information, see Troubleshooting unresponsive requests.",
"description": "Timeouts help prevent performance issues and availability issues by terminating requests that take longer than expected to complete.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "afb9a354-567a-4820-ae85-8eff0ad71f44"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Use the same host name on Azure Front Door and your origin. Azure Front Door can rewrite the host header of incoming requests, which is useful when you have multiple custom domain names that route to one origin. However, rewriting the host header might cause issues with request cookies and URL redirection.",
"description": "Set the same host name to prevent malfunction with session affinity, authentication, and authorization. For more information, see Preserve the original HTTP host name between a reverse proxy and its back-end web application.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "afa6253b-fffa-487f-a9b9-911e9821afef"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.",
"description": "With session affinity, user connections stay on the same origin during the user session. If that origin becomes unavailable, the user experience might be disrupted.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "702c37d1-ddfb-40fc-9ea0-58643a2e61b6"
},
{
"waf": "Reliability",
"service": "Azure Front Door",
"text": "Take advantage of the rate-limiting rules that are included with a web application firewall (WAF).",
"description": "Limit requests to prevent clients from sending too much traffic to your application. Rate limiting can help you avoid problems like a retry storm.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4a17bea1-3951-4f73-8de7-cd3193bca5d2"
},
{
"waf": "security",
"service": "Azure Front Door",
"text": "Review the security baseline for Azure Front Door.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "017b3c2c-d4ae-434f-8a34-07892661814d"
},
{
"waf": "security",
"service": "Azure Front Door",
"text": "Protect the back-end servers. The front end acts as the single point of ingress to the application.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "cbbd35ba-ecdb-4139-ab42-bdac8141062a"
},
{
"waf": "security",
"service": "Azure Front Door",
"text": "Allow only authorized access to the control plane. Use Azure Front Door role-based access control (RBAC) to restrict access to only the identities that need it.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "959ab078-8d43-4796-9fef-6445a325097c"
},
{
"waf": "security",
"service": "Azure Front Door",
"text": "Block common threats at the edge. WAF is integrated with Azure Front Door. Enable WAF rules on the front ends to protect applications from common exploits and vulnerabilities at the network edge, closer to the attack source.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "45987127-47d8-43a3-ad12-9f625ed6a883"
},
{
"waf": "security",
"service": "Azure Front Door",
"text": "Protect Azure Front Door against unexpected traffic. Azure Front Door uses the basic plan of Azure DDoS protection to protect application endpoints from DDoS attacks. If you need to expose other public IP addresses from your application, consider adding the DDoS Protection standard plan for those addresses for advanced protection and detection capabilities.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "92f43df8-151b-4445-bba9-e1b96da81d10"
},
{
"waf": "security",
"service": "Azure Front Door",
"text": "Protect data in transit. Enable end-to-end Transport Layer Security (TLS), HTTP to HTTPS redirection, and managed TLS certificates when applicable. For more information, see TLS best practices for Azure Front Door.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "ad119b63-dfca-446a-a65b-9f1e5849be6b"
},
{
"waf": "security",
"service": "Azure Front Door",
"text": "Monitor anomalous activity. Regularly review the logs to check for attacks and false positives. Send WAF logs from Azure Front Door to your organization's centralized security information and event management (SIEM), such as Microsoft Sentinel, to detect threat patterns and incorporate preventative measures in the workload design.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "7eec048b-3dfe-4a71-b4ac-5a3f554ff7ae"
},
{
"waf": "Security",
"service": "Azure Front Door",
"text": "Enable WAF rule sets that detect and block potentially malicious traffic. This feature is available on the Premium tier. We recommend these rule sets: - Default- Bot protection- IP restriction- Geo-filtering- Rate limiting",
"description": "Default rule sets are updated frequently based on OWASP top-10 attack types and information from Microsoft Threat Intelligence. The specialized rule sets detect certain use cases. For example, bot rules classify bots as good, bad, or unknown based on the client IP addresses. They also block bad bots and known IP addresses and restrict traffic based on geographical location of the callers. By using a combination of rule sets, you can detect and block attacks with various intents.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "67a91ccb-b42b-486c-8d10-99717d93fdb8"
},
{
"waf": "Security",
"service": "Azure Front Door",
"text": "Create exclusions for managed rule sets. Test a WAF policy in detection mode for a few weeks and adjust any false positives before you deploy it.",
"description": "Reduce false positives and allow legitimate requests for your application.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e85f5804-244d-4e3e-bd19-9c5476602260"
},
{
"waf": "Security",
"service": "Azure Front Door",
"text": "Enable end-to-end TLS, HTTP to HTTPS redirection, and managed TLS certificates when applicable. Review the TLS best practices for Azure Front Door. Use TLS version 1.2 as the minimum allowed version with ciphers that are relevant for your application. Azure Front Door managed certificates should be your default choice for ease of operations. However, if you want to manage the lifecycle of the certificates, use your own certificates in Azure Front Door custom domain endpoints and store them in Key Vault.",
"description": "TLS ensures that data exchanges between the browser, Azure Front Door, and the back-end origins are encrypted to prevent tampering. Key Vault offers managed certificate support and simple certificate renewal and rotation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5d4054fd-512a-4af5-84bd-1b039783b5e2"
},
{
"waf": "cost",
"service": "Azure Front Door",
"text": "Review Azure Front Door tiers and pricing. Use the pricing calculator to estimate the realistic costs for each tier. Compare the features and suitability of each tier for your scenario. For instance, only the Premium tier supports connecting to your origin via Private Link.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "5ecb8da9-9b18-4f39-a69e-c69eb2513b4b"
},
{
"waf": "cost",
"service": "Azure Front Door",
"text": "Consider bandwidth costs. The bandwidth costs of Azure Front Door depend on the tier that you choose and the type of data transfer. Azure Front Door provides built-in reports for billable metrics. To assess your costs related to bandwidth and where you can focus your optimization efforts, see Azure Front Door reports.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "3db5b1f9-57ec-44a6-adec-4f7cef47e63c"
},
{
"waf": "cost",
"service": "Azure Front Door",
"text": "Optimize incoming requests. Azure Front Door bills the incoming requests. You can set restrictions in your design configuration.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "871b4651-734d-40f4-b8a5-1705fa30dbe3"
},
{
"waf": "cost",
"service": "Azure Front Door",
"text": "Use resources efficiently. Azure Front Door uses a routing method that helps with resource optimization. Unless the workload is extremely latency sensitive, distribute traffic evenly across all environments to effectively use deployed resources.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "d16d79fc-3c0c-4da4-9cfe-8a6b97d7259d"
},
{
"waf": "cost",
"service": "Azure Front Door",
"text": "Consider using a shared instance that's provided by the organization. Costs incurred from centralized services are shared between the workloads. However, consider the tradeoff with reliability. For mission-critical applications that have high availability requirements, we recommend an autonomous instance.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "78f09072-d08f-430c-9d24-6d3b938ecd14"
},
{
"waf": "cost",
"service": "Azure Front Door",
"text": "Pay attention to the amount of data logged. Costs related to both bandwidth and storage can accrue if certain requests aren't necessary or if logging data is retained for a long period of time.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "1069bc46-68c3-46dd-80d0-700866521165"
},
{
"waf": "Cost",
"service": "Azure Front Door",
"text": "Use caching for endpoints that support it.",
"description": "Caching optimizes data transfer costs because it reduces the number of calls from your Azure Front Door instance to the origin.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fc470281-721e-40db-9289-ad73b03159d7"
},
{
"waf": "Cost",
"service": "Azure Front Door",
"text": "Consider enabling file compression. For this configuration, the application must support compression and caching must be enabled.",
"description": "Compression reduces bandwidth consumption and improves performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "638db3b0-f9b3-49b8-86f1-11621086b10f"
},
{
"waf": "Cost",
"service": "Azure Front Door",
"text": "Disable health checks in single back-end pools.If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary.",
"description": "You can save on bandwidth costs by disabling requests that aren't required to make routing decisions.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f397a438-b320-46f8-a41a-f94545db3412"
},
{
"waf": "operations",
"service": "Azure Front Door",
"text": "Use infrastructure as code (IaC) technologies. Use IaC technologies like Bicep and Azure Resource Manager templates to provision the Azure Front Door instance. These declarative approaches provide consistency and straightforward maintenance. For example, by using IaC technologies, you can easily adopt new ruleset versions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "58485d89-afb9-4dd4-bc01-1c487bce0642"
},
{
"waf": "operations",
"service": "Azure Front Door",
"text": "Simplify configurations. Use Azure Front Door to easily manage configurations. For example, suppose your architecture supports microservices. Azure Front Door supports redirection capabilities, so you can use path-based redirection to target individual services.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "bd0f5f64-5670-4d70-9e1e-a455f393824b"
},
{
"waf": "operations",
"service": "Azure Front Door",
"text": "Handle progressive exposure by using Azure Front Door routing methods. For a weighted load balancing approach you can use a canary deployment to send a specific percentage of traffic to a back end. This approach helps you test new features and releases in a controlled environment before you roll them out.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "34d0c653-4565-4c84-b000-6226c6410dac"
},
{
"waf": "operations",
"service": "Azure Front Door",
"text": "Collect and analyze Azure Front Door operational data as part of your workload monitoring. Capture relevant Azure Front Door logs and metrics with Azure Monitor Logs. This data helps you troubleshoot, understand user behaviors, and optimize operations.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "46ce7fe1-829b-48d0-889f-cafd0e5cae28"
},
{
"waf": "operations",
"service": "Azure Front Door",
"text": "Offload certificate management to Azure. Ease the operational burden associated with certification rotation and renewals.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "29049b7b-7468-4852-895e-f33d1fb0c7fb"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Use HTTP to HTTPS redirection to support forward compatibility.",
"description": "When redirection is enabled, Azure Front Door automatically redirects clients that are using older protocol to use HTTPS for a secure experience.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1e9aecf0-747c-47c6-936e-a0c404ae8e21"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Capture logs and metrics. Include resource activity logs, access logs, health probe logs, and WAF logs. Set up alerts.",
"description": "Monitoring ingress flow is a crucial part of monitoring an application. You want to track requests and make performance and security improvements. You need data to debug your Azure Front Door configuration. With alerts in place, you can get instant notifications of any critical operational issues.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "90aa5326-da06-4070-bcb0-26d31648029a"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Review the built-in analytics reports.",
"description": "A holistic view of your Azure Front Door profile helps drive improvements based on traffic and security reports through WAF metrics.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bf371c38-103b-4467-953d-f6fc7746d599"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Use managed TLS certificates when possible.",
"description": "Azure Front Door can issue and manage certificates for you. This feature eliminates the need for certificate renewals and minimizes the risk of an outage due to an invalid or expired TLS certificate.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "544fffff-4bcd-4d30-851d-05b7bc2cdb91"
},
{
"waf": "Operations",
"service": "Azure Front Door",
"text": "Use wildcard TLS certificates.",
"description": "You don't need to modify the configuration to add or specify each subdomain separately.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bf934891-a9a1-49f7-9036-ea7ba9630bdc"
},
{
"waf": "performance",
"service": "Azure Front Door",
"text": "Plan capacity by analyzing your expected traffic patterns. Conduct thorough testing to understand how your application performs under different loads. Consider factors like simultaneous transactions, request rates, and data transfer.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "231e1a74-b2af-4061-8703-c1bc0c84ad7c"
},
{
"waf": "performance",
"service": "Azure Front Door",
"text": "Analyze performance data by regularly reviewing Azure Front Door reports. These reports provide insights into various metrics that serve as performance indicators at the technology level.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "83ea22a9-10c2-4d23-a022-05fc70bfc284"
},
{
"waf": "performance",
"service": "Azure Front Door",
"text": "Optimize data transfers.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "b3216475-74fa-46b9-b5a3-f13fcbb7e718"
},
{
"waf": "performance",
"service": "Azure Front Door",
"text": "Optimize the use of health probes. Get health information from health probes only when the state of the origins change. Strike a balance between monitoring accuracy and minimizing unnecessary traffic.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "fa0e75e6-5669-406a-8155-44e8d40ae935"
},
{
"waf": "performance",
"service": "Azure Front Door",
"text": "Review the origin routing method. Azure Front Door provides various routing methods, including latency-based, priority-based, weighted, and session affinity-based routing, to the origin. These methods significantly affect your application's performance. To learn more about the best traffic routing option for your scenario, see Traffic routing methods to origin.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "c1024a4d-bcba-42d9-92a8-070c5de5abf4"
},
{
"waf": "performance",
"service": "Azure Front Door",
"text": "Review the location of origin servers. Your origin servers' location impacts the responsiveness of your application. Origin servers should be closer to the users. Azure Front Door ensures that users from a specific location access the nearest Azure Front Door entry point. The performance benefits include faster user experience, better use of latency-based routing by Azure Front Door, and minimized data transfer time by using caching, which stores content closer to users.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-front-door.md",
+ "guid": "95d67b4f-c19e-40d0-9a55-dba46c40eea8"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "Enable caching. You can optimize query strings for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.",
"description": "Azure Front Door offers a robust content delivery network solution that caches content at the edge of the network. Caching reduces the load on the back-end servers and reduces data movement across the network, which helps offload bandwidth usage.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6133804d-8e26-4b44-b0ac-9a94fc420227"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "Use file compression when you're accessing downloadable content.",
"description": "Compression in Azure Front Door helps deliver content in the optimal format, has a smaller payload, and delivers content to the users faster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1c3bbe86-1c5f-491f-99c7-54f0603b943a"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "When you configure health probes in Azure Front Door, consider using `HEAD` requests instead of `GET` requests. The health probe reads only the status code, not the content.",
"description": "`HEAD` requests let you query a state change without fetching its entire content.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a03377e9-9c4a-49dd-abbc-6b240286eb1d"
},
{
"waf": "Performance",
"service": "Azure Front Door",
"text": "Evaluate whether you should enable session affinity when requests from the same user should be directed to the same back-end server. From a reliability perspective, we don't recommend this approach. If you use this option, the application should gracefully recover without disrupting user sessions. There's also a tradeoff on load balancing because it restricts the flexibility of distributing traffic across multiple back ends evenly.",
"description": "Optimize performance and maintain continuity for user sessions, especially when applications rely on maintaining state information locally.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c1acd7ab-028c-4f25-a0a9-840fe534fca7"
},
{
"waf": "reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: For critical workloads, use availability zones for your AKS clusters.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "2e9764a8-9f04-49c8-912c-41f40b2307e3"
},
{
"waf": "reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Plan the IP address space to ensure your cluster can reliably scale, including handling of failover traffic in multi-cluster topologies.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "5e7f4600-3959-4c9c-b29d-c555c79dfd9e"
},
{
"waf": "reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable Container insights to monitor your cluster and configure alerts for reliability-impacting events.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "217d3e94-7267-4b11-bd87-928d6119a666"
},
{
"waf": "reliability",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Ensure workloads are built to support horizontal scaling and report application readiness and health.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "b07721f6-5bd8-47df-8a79-e7e3ffa4e84a"
},
{
"waf": "reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Ensure your workload is running on user node pools and chose the right size SKU. At a minimum, include two nodes for user node pools and three nodes for the system node pool.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "3d531a79-530b-416f-8176-d18fb151f2a0"
},
{
"waf": "reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use the AKS Uptime SLA to meet availability targets for production workloads.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "359d4a34-78c9-41e3-9fce-3a4b5fb08a2b"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Control pod scheduling using node selectors and affinity.",
"description": "Allows the Kubernetes scheduler to logically isolate workloads by hardware in the node. Unlike tolerations, pods without a matching node selector can be scheduled on labeled nodes, which allows unused resources on the nodes to consume, but gives priority to pods that define the matching node selector. Use node affinity for more flexibility, which allows you to define what happens if the pod can't be matched with a node.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dd3b6ffb-7e93-4b1a-aaf0-3cc42e6271df"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Ensure proper selection of network plugin based on network requirements and cluster sizing.",
"description": "Azure CNI is required for specific scenarios, for example, Windows-based node pools, specific networking requirements and Kubernetes Network Policies. Reference Kubenet versus Azure CNI for more information.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a2c3dd5a-7ebc-4e4e-8061-a4cb90ed1fe7"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Use the AKS Uptime SLA for production grade clusters.",
"description": "The AKS Uptime SLA guarantees: - `99.95%` availability of the Kubernetes API server endpoint for AKS Clusters that use Azure Availability Zones, or - `99.9%` availability for AKS Clusters that don't use Azure Availability Zones.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "856eeb19-e8cf-4c18-8443-69a4d4a66600"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
"description": "Container insights help monitor the health and performance of controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Integration with Prometheus enables collection of application and workload metrics.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1b92e639-a727-409c-a343-17109a2861f2"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use availability zones to maximize resilience within an Azure region by distributing AKS agent nodes across physically separate data centers.",
"description": "By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down. If colocality requirements exist, either a regular VMSS-based AKS deployment into a single zone or proximity placement groups can be used to minimize internode latency.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4834a7a7-6bf7-4a58-961b-f1b97da3c724"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
"description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "57d11e53-f830-4930-9d74-2ce5435cd971"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Define Pod resource requests and limits in application deployment manifests, and enforce with Azure Policy.",
"description": "Container CPU and memory resource limits are necessary to prevent resource exhaustion in your Kubernetes cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5527c666-0096-4a1d-9022-cada9d4c77da"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Keep the System node pool isolated from application workloads.",
"description": "System node pools require a VM SKU of at least 2 vCPUs and 4 GB memory, but 4 vCPU or more is recommended. Reference System and user node pools for detailed requirements.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "80a4d735-cacb-456d-a188-ebf3e6610e6b"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Separate applications to dedicated node pools based on specific requirements.",
"description": "Applications may share the same configuration and need GPU-enabled VMs, CPU or memory optimized VMs, or the ability to scale-to-zero. Avoid large number of node pools to reduce extra management overhead.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "caa13588-59c1-416a-8b81-4e1ce3d9b707"
},
{
"waf": "Reliability",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use a NAT gateway for clusters that run workloads that make many concurrent outbound connections.",
"description": "To avoid reliability issues with Azure Load Balancer limitations with high concurrent outbound traffic, us a NAT Gateway instead to support reliable egress traffic at scale.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ecb8bcd9-2f8b-4394-86bb-c7ee533f7d08"
},
{
"waf": "security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Managed Identities to avoid managing and rotating service principles.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "5f6c3708-ec93-417b-909c-4414202ff1e6"
},
{
"waf": "security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Kubernetes role-based access control (RBAC) with Microsoft Entra ID for least privilege access and minimize granting administrator privileges to protect configuration, and secrets access.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "c90dce11-1c77-4b0e-b1c4-4aba286475af"
},
{
"waf": "security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Microsoft Defender for containers with Azure Sentinel to detect and quickly respond to threats across your cluster and workloads running on them.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "35a19511-d5d5-4a36-8fdc-796b8549dc4c"
},
{
"waf": "security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Deploy a private AKS cluster to ensure cluster management traffic to your API server remains on your private network. Or use the API server allow list for non-private clusters.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "a572c855-d42a-4490-ab5e-afab4018fd8f"
},
{
"waf": "security",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "80693bc5-79bf-4928-8887-1a77544d3bad"
},
{
"waf": "security",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Ensure your CI/CID pipeline is hardened with container-aware scanning.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "ab5dd3a3-2d8f-4a82-b209-05715fba7e61"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Microsoft Entra integration.",
"description": "Using Microsoft Entra ID centralizes the identity management component. Any change in user account or group status is automatically updated in access to the AKS cluster. The developers and application owners of your Kubernetes cluster need access to different resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a97490b6-9e41-45a1-83bd-7d78dcaa75a6"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Authenticate with Microsoft Entra ID to Azure Container Registry.",
"description": "AKS and Microsoft Entra ID enables authentication with Azure Container Registry without the use of `imagePullSecrets` secrets. Review Authenticate with Azure Container Registry from Azure Kubernetes Service for more information.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0b153016-434a-419e-8114-530956194357"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Secure network traffic to your API server with private AKS cluster.",
"description": "By default, network traffic between your node pools and the API server travels the Microsoft backbone network; by using a private cluster, you can ensure network traffic to your API server remains on the private network only.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "539f0f42-b505-41d0-b297-3b49cc829720"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: For non-private AKS clusters, use API server authorized IP ranges.",
"description": "When using public clusters, you can still limit the traffic that can reach your clusters API server by using the authorized IP range feature. Include sources like the public IPs of your deployment build agents, operations management, and node pools' egress point (such as Azure Firewall).",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f169dfc7-70ef-478d-a483-12f396742584"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Protect the API server with Microsoft Entra RBAC.",
"description": "Securing access to the Kubernetes API Server is one of the most important things you can do to secure your cluster. Integrate Kubernetes role-based access control (RBAC) with Microsoft Entra ID to control access to the API server. Disable local accounts to enforce all cluster access using Microsoft Entra ID-based identities.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8431face-139d-4a91-ba8c-6053f0125e74"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Azure network policies or Calico.",
"description": "Secure and control network traffic between pods in a cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d1008f3b-5c0d-42ff-8513-fcd6b064fc5d"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Secure clusters and pods with Azure Policy.",
"description": "Azure Policy can help to apply at-scale enforcement and safeguards on your clusters in a centralized, consistent manner. It can also control what functions pods are granted and if anything is running against company policy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "e4987bda-a67a-4407-b133-8c378788a8b8"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Secure container access to resources.",
"description": "Limit access to actions that containers can perform. Provide the least number of permissions, and avoid the use of root or privileged escalation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6fff442f-deed-462d-90b6-7fde6ce81fae"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.",
"description": "To scan incoming traffic for potential attacks, use a web application firewall such as Azure Web Application Firewall (WAF) on Azure Application Gateway or Azure Front Door.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dc2dfc11-1574-4228-88d9-50e077b7d8d3"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Control cluster egress traffic.",
"description": "Ensure your cluster's outbound traffic is passing through a network security point such as Azure Firewall or an HTTP proxy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "267d8ee6-5cfb-471c-ac5c-d2543358525b"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use the open-source Microsoft Entra Workload ID and Secrets Store CSI Driver with Azure Key Vault.",
"description": "Protect and rotate secrets, certificates, and connection strings in Azure Key Vault with strong encryption. Provides an access audit log, and keeps core secrets out of the deployment pipeline.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f5ae12ec-66b2-43fa-844d-3be5e07b91f0"
},
{
"waf": "Security",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use Microsoft Defender for Containers.",
"description": "Monitor and maintain the security of your clusters, containers, and their applications.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "628bfcb8-06cb-495f-a25e-5890b6f5dbba"
},
{
"waf": "cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use appropriate VM SKU per node pool and reserved instances where long-term capacity is expected.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "ec710c29-e6c0-4675-b051-73fc3a0010d7"
},
{
"waf": "cost",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Use appropriate managed disk tier and size.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "9cd3e427-64d5-48e8-aa6a-dfa7a473512c"
},
{
"waf": "cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Review performance metrics, starting with CPU, memory, storage, and network, to identify cost optimization opportunities by cluster, nodes, and namespace.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "aa2243d7-e30a-4963-b569-a93bf2660bb2"
},
{
"waf": "cost",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architecture: Use autoscalers to scale in when workloads are less active.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "d917bb41-11ca-4487-a354-abad918096e6"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Align SKU selection and managed disk size with workload requirements.",
"description": "Matching your selection to your workload demands ensures you don't pay for unneeded resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "60822342-a88f-4260-a595-c5919386bbdd"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select the right virtual machine instance type.",
"description": "Selecting the right virtual machine instance type is critical as it directly impacts the cost of running applications on AKS. Choosing a high-performance instance without proper utilization can lead to wasteful spending, while choosing a powerful instance can lead to performance issues and increased downtime. To determine the right virtual machine instance type, consider workload characteristics, resource requirements, and availability needs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "45c1b3bf-8e01-4337-984d-e8b03a969e4c"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select virtual machines based on the Arm architecture.",
"description": "AKS supports creating ARM64 Ubuntu agent nodes, as well as a of mix Intel and ARM architecture nodes within a cluster that can bring better performance at a lower cost.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "620cb68e-2005-464b-90d3-0e767babcfcd"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select Azure Spot Virtual Machines.",
"description": "Spot VMs allow you to take advantage of unutilized Azure capacity with significant discounts (up to 90% as compared to pay-as-you-go prices). If Azure needs capacity back, the Azure infrastructure evicts the Spot nodes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "357e61fe-86e6-41c6-b446-3f0def6d8bcf"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Select the appropriate region.",
"description": "Due to many factors, cost of resources varies per region in Azure. Evaluate the cost, latency, and compliance requirements to ensure you are running your workload cost-effectively and it doesn't affect your end-users or create extra networking charges.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ddb71774-895b-4149-9e0c-e348a9829df5"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Maintain small and optimized images.",
"description": "Streamlining your images helps reduce costs since new nodes need to download these images. Build images in a way that allows the container start as soon as possible to help avoid user request failures or timeouts while the application is starting up, potentially leading to overprovisioning.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d6b9a1b1-66b9-4f32-9269-4dba8ff3691d"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable Cluster Autoscaler to automatically reduce the number of agent nodes in response to excess resource capacity.",
"description": "Automatically scaling down the number of nodes in your AKS cluster lets you run an efficient cluster when demand is low and scale up when demand returns.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "330a0b20-69f1-44b9-9b9e-907e8e1bf5ca"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable Node Autoprovision to automate VM SKU selection.",
"description": "Node Autoprovision simplifies the SKU selection process and decides, based on pending pod resource requirements, the optimal VM configuration to run workloads in the most efficient and cost effective manner.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "479e3bcb-48bb-4f49-a449-d67df3a82c1e"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use the Horizontal Pod Autoscaler.",
"description": "Adjust the number of pods in a deployment depending on CPU utilization or other select metrics, which support cluster scale-in operations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "18dfc1c5-f5e8-4c89-9805-af9dd82f595d"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use Vertical Pod Autoscaler (preview).",
"description": "Rightsize your pods and dynamically set requests and limits based on historic usage.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ff159e4c-281f-4c30-aa1c-819ce3c94aad"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use Kubernetes Event Driven Autoscaling (KEDA).",
"description": "Scale based on the number of events being processed. Choose from a rich catalogue of 50+ KEDA scalers.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "afad2446-229b-4b5c-89fc-33e0a1ffdf05"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Adopt a cloud financial discipline and cultural practice to drive ownership of cloud usage.",
"description": "The foundation of enabling cost optimization is the spread of a cost saving cluster. A financial operations approach (FinOps) is often used to help organizations reduce cloud costs. It is a practice involving collaboration between finance, operations, and engineering teams to drive alignment on cost saving goals and bring transparency to cloud costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "7bf19a02-eeec-4611-b559-f5cef964cc63"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Sign up for Azure Reservations or Azure Savings Plan.",
"description": "If you properly planned for capacity, your workload is predictable and exists for an extended period of time, sign up for an Azure Reservation or a savings plan to further reduce your resource costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8b20a125-f425-42b9-9636-128941325958"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Configure monitoring of cluster with Container insights.",
"description": "Container insights help provides actionable insights into your clusters idle and unallocated resources. Container insights also supports collecting Prometheus metrics and integrates with Azure Managed Grafana to get a holistic view of your application and infrastructure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3c328ad3-02b3-4b44-b833-e8e0edcf8fd8"
},
{
"waf": "Cost",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Configure the AKS Cost Analysis add-on.",
"description": "The cost analysis cluster extension enables you to obtain granular insight into costs associated with various Kubernetes resources in your clusters or namespaces.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1104dc91-14f0-4330-ac7d-fa85039a0802"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use a template-based deployment using Bicep, Terraform, or others. Make sure that all deployments are repeatable, traceable, and stored in a source code repo.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "231e994a-ffa3-4eef-bcd5-e85c0fd017ef"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Build an automated process to ensure your clusters are bootstrapped with the necessary cluster-wide configurations and deployments. This is often performed using GitOps.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "484c6621-c021-430c-a94b-633da893adc5"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use a repeatable and automated deployment processes for your workload within your software development lifecycle.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "a394bfb7-a185-4416-af7f-908ad78ba2cf"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable diagnostics settings to ensure control plane or core API server interactions are logged.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "b88f9b48-fd82-404f-8b7b-5acea4d17dc4"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Enable Container insights to collect metrics, logs, and diagnostics to monitor the availability and performance of the cluster and workloads running on it.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "9ab6b90d-899e-4c61-8127-e097c1d80cca"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: The workload should be designed to emit telemetry that can be collected, which should also include liveliness and readiness statuses.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "a36b0ea0-7805-4deb-8c01-75ad610ecdc7"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Use chaos engineering practices that target Kubernetes to identify application or platform reliability issues.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "e14572fc-3556-4968-a23b-dcdb2305c57c"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Optimize your workload to operate and deploy efficiently in a container.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "3e3b24ae-ab28-40fe-8074-1a30b6c1a71f"
},
{
"waf": "operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Enforce cluster and workload governance using Azure Policy.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "cb964e93-b3f5-43b4-a52f-30f53a16d163"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Review AKS best practices documentation.",
"description": "To build and run applications successfully in AKS, there are key considerations to understand and implement. These areas include multi-tenancy and scheduler features, cluster, and pod security, or business continuity and disaster recovery.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "df3a72a5-8d24-4289-aa12-803287bb182d"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Review Azure Chaos Studio.",
"description": "Azure Chaos Studio can help simulate faults and trigger disaster recovery situations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "037e283c-7763-4006-939e-f101331fef86"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
"description": "Container insights help monitor the performance of containers by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API and container logs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bdab324d-7736-4444-a03e-a1ec180f3699"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Monitor application performance with Azure Monitor.",
"description": "Configure Application Insights for code-based monitoring of applications running in an AKS cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ea1485fc-32d7-46dc-a000-9e87c4834091"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Configure scraping of Prometheus metrics with Container insights.",
"description": "Container insights, which are part of Azure Monitor, provide a seamless onboarding experience to collect Prometheus metrics. Reference Configure scraping of Prometheus metrics for more information.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "35367a45-61fb-4731-a636-e59e8ce67fac"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
"description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8dd12fab-e3cb-4b39-9ebf-3609a3de2e34"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Operationalize clusters and pods configuration standards with Azure Policy.",
"description": "Azure Policy can help to apply at-scale enforcement and safeguards on your clusters in a centralized, consistent manner. It can also control what functions pods are granted and if anything is running against company policy.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3dc59879-d877-4719-84d1-8262c08c7081"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use platform capabilities in your release engineering process.",
"description": "Kubernetes and ingress controllers support many advanced deployment patterns for inclusion in your release engineering process. Consider patterns like blue-green deployments or canary releases.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "cb3372a2-16ef-4ebf-b7c2-b58f984ef966"
},
{
"waf": "Operations",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: For mission-critical workloads, use stamp-level blue/green deployments.",
"description": "Automate your mission-critical design areas, including deployment and testing.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0586a21b-1b24-4112-b1b6-9e10119bed8b"
},
{
"waf": "performance",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Perform and iterate on a detailed capacity plan exercise that includes SKU, autoscale settings, IP addressing, and failover considerations.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "f527e0a1-3ba5-48d8-93db-07cf5ce42fdd"
},
{
"waf": "performance",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable cluster autoscaler to automatically adjust the number of agent nodes in response workload demands.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "d8ec7ce1-bb32-4042-93f3-ad468f9c120b"
},
{
"waf": "performance",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Use the Horizontal pod autoscaler to adjust the number of pods in a deployment depending on CPU utilization or other select metrics.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "1cb2782a-f301-4c47-b0a5-f355abdbb796"
},
{
"waf": "performance",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Perform ongoing load testing activities that exercise both the pod and cluster autoscaler.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "a805eb93-ffa7-4fc8-a8ce-7481da64aa1e"
},
{
"waf": "performance",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Separate workloads into different node pools allowing independent scalling.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-kubernetes-service.md",
+ "guid": "162e3ed3-bde4-4a09-b074-aec1140b735a"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Develop a detailed capacity plan and continually review and revise.",
"description": "After formalizing your capacity plan, it should be frequently updated by continuously observing the resource utilization of the cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1b9c4ae0-1ae6-4d09-a1e8-22dec6edb20b"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Cluster architecture: Enable cluster autoscaler to automatically adjust the number of agent nodes in response to resource constraints.",
"description": "The ability to automatically scale up or down the number of nodes in your AKS cluster lets you run an efficient, cost-effective cluster.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b71f8835-94bd-4396-88e2-07a8ce2916e0"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Cluster and workload architectures: Separate workloads into different node pools and consider scaling user node pools.",
"description": "Unlike System node pools that always require running nodes, user node pools allow you to scale up or down.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0b3fd6dd-f113-441a-bf35-e6e49400a99e"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use AKS advanced scheduler features.",
"description": "Helps control balancing of resources for workloads that require them.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "259b98d6-ff88-4ba1-b459-bf1fab15ae3e"
},
{
"waf": "Performance",
"service": "Azure Kubernetes Service",
"text": "Workload architecture: Use meaningful workload scaling metrics.",
"description": "Not all scale decisions can be derived from CPU or memory metrics. Often scale considerations will come from more complex or even external data points. Use KEDA to build a meaningful auto scale ruleset based on signals that are specific to your workload.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5cf34320-3414-4c06-93c7-945fc9f3d7e2"
},
{
"waf": "reliability",
"service": "Azure Machine Learning",
"text": "Resiliency: Deploy models to environments that support availability zones, such as AKS. By ensuring deployments are distributed across availability zones, you're ensuring a deployment is available even in the event of a datacenter failure. For enhanced reliability and availability, consider a multi-region deployment topology.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "0d13edb5-8966-463a-868e-c3ba9d94e644"
},
{
"waf": "reliability",
"service": "Azure Machine Learning",
"text": "Resiliency: Ensure you have sufficient compute for both training and inferencing. Through resource planning, make sure your compute SKU and scale settings meet the requirements of your workload.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "9a42f7b9-41db-4c47-854d-90d08c4cbe22"
},
{
"waf": "reliability",
"service": "Azure Machine Learning",
"text": "Resiliency: Segregate Machine Learning workspaces used for exploratory work from those used for production.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "3994dafd-ee4c-4768-8c9f-a3b8ff74b1ba"
},
{
"waf": "reliability",
"service": "Azure Machine Learning",
"text": "Resiliency: When using managed online endpoints for inferencing, use a release strategy such as blue-green deployments to minimize downtime and reduce the risk associated with deploying new versions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "a8c2bbfa-d47f-44bd-ad33-4c635773259e"
},
{
"waf": "reliability",
"service": "Azure Machine Learning",
"text": "Business requirements: Select your use of compute clusters, compute instances, and externalized inference hosts based on reliability needs, considering service-level agreements (SLAs) as a factor.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "a03b959b-6c2a-485f-824c-4d105fce8c68"
},
{
"waf": "reliability",
"service": "Azure Machine Learning",
"text": "Recovery: Ensure you have self-healing capabilities, such as checkpointing features supported by Machine Learning, when training large models.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "45f7fa49-0339-464b-94cb-b20ec1700e14"
},
{
"waf": "reliability",
"service": "Azure Machine Learning",
"text": "Recovery: Ensure you have a recovery strategy defined. Machine Learning doesn't have automatic failover. Therefore, you must design a strategy that encompasses the workspace and all its dependencies, such as Key Vault, Azure Storage, and Azure Container Registry.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "bfa8abfb-faee-4eff-aff9-240353e483e2"
},
{
"waf": "Reliability",
"service": "Azure Machine Learning",
"text": "Multi-region model deployment: For enhanced reliability and availability, consider a multi-region deployment environment when possible.",
"description": "A multi-region deployment ensures that your Machine Learning workloads continue to run even if one region experiences an outage. Multi-region deployment improves load distribution across regions, potentially enhancing performance for users located in different geographical areas. For more information, see Failover for business continuity and disaster recovery.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c953c774-517c-48ce-82cb-105448b8a647"
},
{
"waf": "Reliability",
"service": "Azure Machine Learning",
"text": "Model training resiliency: Use checkpointing features supported by Machine Learning including Azure Container for PyTorch, the TensorFlow Estimator class, or the Run object and the FileDataset class that support model checkpointing.",
"description": "Model checkpointing periodically saves the state of your machine learning model during training, so that it can be restored in case of interruption, failure, or termination. For more information, see Boost checkpoint speed and reduce cost with Nebula.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "176382f6-20de-404a-a6c1-1cb00618b101"
},
{
"waf": "Reliability",
"service": "Azure Machine Learning",
"text": "Use the Dedicated virtual machine tier for compute clusters: Use the Dedicated virtual machine tier for compute clusters for batch inferencing to ensure your batch job isn't preempted.",
"description": "Low-priority virtual machines come at a reduced price but are preemptible. Clusters that use the Dedicated virtual machine tier aren't preempted.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "68b3ba0d-ab8c-44b9-b840-601535753fcc"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Availability: Reduce the attack surface of the Machine Learning workspace by restricting access to the workspace to resources within the virtual network.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "53cd2461-3b8d-47ca-ab08-a9b4491d71ae"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Confidentiality: Guard against data exfiltration from the Machine Learning workspace by implementing network isolation. Ensure access to all external resources is explicitly approved and access to all other external resources isn't permitted.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "bad5ff5c-bdeb-4648-b667-1ea0a76266dc"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Integrity: Implement access controls that authenticate and authorize the Machine Learning workspace for external resources based on the least privilege principle.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "dad6ac87-fd6d-44a4-9882-6d51b37bc564"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Integrity: Implement use case segregation for Machine Learning workspaces by setting up workspaces based on specific use cases or projects. This approach adheres to the principle of least privilege by ensuring that workspaces are only accessible to individuals that require access to data and experimentation assets for the use case or project.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "18119160-8531-45fb-b169-3e5488b9bd30"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Integrity: Regulate access to foundational models. Ensure only approved registries have access to models in the model registry.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "ad0a3245-9a51-46d2-81e0-1fa77b288902"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Integrity: Regulate access to approved container registries. Ensure Machine Learning compute can only access approved registries.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "20487ff0-e5c9-436d-939c-35c856dd64aa"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Integrity: Regulate the Python packages that can be run on Machine Learning compute. Regulating the Python packages ensures only trusted packages are run.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "a6718d1d-a5e1-4064-a501-7068066d74ba"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Integrity: Require code used for training in Machine Learning compute environments to be signed. Requiring code signing ensures that the code running is from a trusted source and hasn't been tampered with.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "69440a0f-3fab-4ea2-95b1-ba0ec1c637fc"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Confidentiality: Adhere to the principle of least privilege for role-based access control (RBAC) to the Machine Learning workspace and related resources, such as the workspace storage account, to ensure individuals have only the necessary permissions for their role, thereby minimizing potential security risks.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "3fff9526-ef3a-487b-b89e-cb04d344c691"
},
{
"waf": "security",
"service": "Azure Machine Learning",
"text": "Integrity: Establish trust and verified access by implementing encryption for data at rest and data in transit.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "99910102-9fb9-4526-ad60-f0ef309b0230"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Security baseline: To enhance the security and compliance of your Machine Learning Service, apply the Azure security baseline for Machine Learning.",
"description": "The security baseline provides tailored guidance on crucial security aspects such as network security, identity management, data protection, and privileged access. For optimal security, use Microsoft Defender for Cloud to monitor these aspects.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "255aca7d-7c4e-4b83-a0d8-aee85f7c2695"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Managed virtual network isolation: Configure managed virtual network isolation for Machine Learning. When you enable managed virtual network isolation, a managed virtual network is created for the workspace. Managed compute resources you create for the workspace automatically use this managed virtual network. If you can't implement managed virtual network isolation, then you must follow the network topology recommendations to separate compute into a dedicated subnet away from the rest of the resources in the solution, including the private endpoints for workspace resources.",
"description": "Managed virtual network isolation enhances security by isolating your workspace from other networks, reducing the risk of unauthorized access. In a scenario in which a breach occurs in another network within your organization, the isolated network of your Machine Learning workspace remains unaffected, protecting your machine learning workloads.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "afb9783e-67e0-4aca-9f01-0299630c34f0"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Machine Learning network isolation: Configure a private endpoint for your Machine Learning workspace and connect to the workspace over that private endpoint.",
"description": "Machine Learning network isolation enhances security by ensuring that access to your workspace is secure and controlled. With a private endpoint configured for your workspace, you can then limit access to your workspace to only occur over the private IP addresses.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a4cde3d0-7ea2-40b0-b2a8-b047c132dab2"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Allow only approved outbound access: Configure the outbound mode on the Machine Learning workspace managed outbound access to `Allow only approved outbound` to minimize the risk of data exfiltration. Configure private endpoints, service tags, or fully qualified domain names (FQDNs) for resources that you need to access.",
"description": "This configuration minimizes the risk of data exfiltration, improving data security. With this configuration enabled, a malicious actor who gains access to your system can\u2019t send your data to an unapproved external destination.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6b50845b-0ab2-416a-bbd9-2b4295f8ffcc"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Virtual network isolation for dependent services: Configure dependent services, such as Storage, Key Vault, and Container Registry with private endpoints and disable public access.",
"description": "Network isolation bolsters security by restricting access to Azure platform as a service (PaaS) solutions to private IP addresses only.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f2bbde49-82c0-4b92-b593-5b66537909de"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Managed identity: Use managed identities for authentication between Machine Learning and other services.",
"description": "Managed identities improve security by eliminating the need to store credentials and manually manage and rotate service principals.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "75bc1a96-b2a0-449e-b0e5-93c8a658a39d"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Disable local authentication: Disable local authentication for Machine Learning compute clusters and instances.",
"description": "Disabling local authentication increases the security of your Machine Learning compute and provides centralized control and management of identities and resource credentials.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f4b8cd6c-b939-4cd6-a88f-cb56c5f1958f"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Disable the public SSH port: Ensure the public Secure Shell (SSH) port is closed on the Machine Learning compute cluster by setting `remoteLoginPortPublicAccess` to `Disabled`. Apply a similar configuration if you use a different compute.",
"description": "Disabling SSH access helps prevent unauthorized individuals from gaining access and potentially causing harm to your system and protects you against brute force attacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "10b9366c-cd35-439f-ac46-68b330714d4d"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Don't provision public IP addresses for Machine Learning compute: Set enableNodePublicIp to `false` when provisioning Machine Learning compute clusters or compute instances. Apply a similar configuration if you use a different compute.",
"description": "Refrain from provisioning public IP addresses to enhance security by limiting the potential for unauthorized access to your compute instance or clusters.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "aa25efe6-19ad-455e-8bae-886c75a8092b"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Get the latest operating system image: Recreate compute instances to get the latest operating system image.",
"description": "Using the latest images ensures you're maintaining a consistent, stable, and secure environment, including ensuring you have the latest security patches.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "97fb061c-e8f2-49ae-9932-bc3b16cfd9e5"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Strict Machine Learning workspace access controls: Use Microsoft Entra ID groups to manage workspace access and adhere to the principle of least privilege for RBAC.",
"description": "Strict workspace access controls enhance security by ensuring that individuals have only the necessary permissions for their role. A data scientist, for instance, might have access to run experiments but not to modify security settings, minimizing potential security risks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "07d3c478-039d-4654-9e75-44712f822a98"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Restrict model catalog deployments: Restrict model deployments to specific registries.",
"description": "Restricting the deployments from the model catalog to specific registries ensures you only deploy models to approved registries. This approach helps regulate access to the open-source foundational models.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ce858034-a1e7-475c-82df-73878cfb2b42"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Encrypt data at rest: Consider using customer-managed keys with Machine Learning.",
"description": "Encrypting data at rest enhances data security by ensuring that sensitive data is encrypted by using keys directly managed by you. If you have a regulatory requirement to manage your own encryption keys, use this feature to comply with that requirement.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bf8d8030-a273-4136-b91b-3e926b3265b1"
},
{
"waf": "Security",
"service": "Azure Machine Learning",
"text": "Minimize the risk of data exfiltration: Implement data exfiltration prevention. For example, create a service endpoint policy to filter egress virtual network traffic and permit data exfiltration only to specific Azure Storage accounts.",
"description": "Minimize the risk of data exfiltration by limiting inbound and outbound requirements.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "5842dc88-8f4b-4f34-9cba-9a3ecbd083f7"
},
{
"waf": "cost",
"service": "Azure Machine Learning",
"text": "Usage optimization: Choose the appropriate resources to ensure that they align with your workload requirements. For example, choose between CPUs or GPUs, various SKUs, or low versus regular-priority VMs.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "ac00077c-9c99-40f8-8b08-9938b9ab6445"
},
{
"waf": "cost",
"service": "Azure Machine Learning",
"text": "Usage optimization: Ensure compute resources that aren't being used are scaled down or shut down when idle to reduce waste.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "42466537-fe74-483d-94b7-3525c15f3cf8"
},
{
"waf": "cost",
"service": "Azure Machine Learning",
"text": "Usage optimization: Apply policies and configure quotas to comply with the design's upper and lower limits.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "66c94617-9ee4-4b81-be7a-ef5dbd521fc6"
},
{
"waf": "cost",
"service": "Azure Machine Learning",
"text": "Usage optimization: Test parallelizing training workloads to determine if training requirements can be met on lower cost SKUs.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "feac1256-41f0-435e-8d6c-c66c264deb5b"
},
{
"waf": "cost",
"service": "Azure Machine Learning",
"text": "Rate optimization: Purchase Azure Reserved Virtual Machine Instances if you have a good estimate of usage over the next one to three years.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "f846a556-0f24-45ba-a2e2-43855e78ca2d"
},
{
"waf": "cost",
"service": "Azure Machine Learning",
"text": "Monitor and optimize: Monitor your resource usage such as CPU and GPU usage when training models. If the resources aren't being fully used, modify your code to better use resources or scale down to smaller or cheaper VM sizes.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "2905301e-e22b-4203-8fa0-6c7d740dd465"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Optimize compute resources: Optimize your compute resources based on the requirements of your workload. Choose the SKU that best suits your workload:
- General Purpose \u2013 Balanced CPU to memory ratio, good for all purposes.
- Compute Optimized \u2013 High CPU to memory ratio, good for math-heavy computations.
- Memory Optimized \u2013 High memory to CPU, good for in-memory computations or database applications.
- M Series \u2013 Very large machines that have huge amounts of memory and CPU.
- GPU \u2013 Better for models with a high number of variables that can benefit from higher parallelism and specialized core instructions. Typical applications are deep learning, image or video processing, scientific simulations, data mining, and taking advantage of GPU development frameworks. Test with multiple families and document the results as your baseline. As your model and data evolve, the most adequate compute resource might change. Monitor execution times and reevaluate as needed.",
"description": "Selecting the right compute is critical as it directly impacts the cost of running your workload. Choosing a GPU or a high-performance SKU without proper usage can lead to wasteful spending, while choosing undersized compute can lead to prohibitively long training times and performance problems.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "1d3deb66-a7cf-4c9e-8071-3b3e3d60c478"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Optimize compute scaling: Configure your compute clusters for autoscaling to ensure you only use what you need.For training clusters, set the minimum number of nodes to 0 and configure the amount of time the node is idle to an appropriate time. For less iterative experimentation, reduce the time to save costs. For more iterative experimentation, use a higher time to prevent paying for scaling up or down after each change.",
"description": "Configure autoscaling for compute clusters to scale down when their usage is low. Set the minimum number of nodes to 0 for training clusters to scale down to 0 when not in use.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f96f9439-c6c3-4bd1-a6ef-912307025375"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Set training termination policies: Set early termination policies to limit the duration of training runs or terminate them early.",
"description": "Setting termination policies can help you save costs by stopping nonperforming runs early.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d02f1c6b-b32d-4027-8c23-dad429d06570"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Use low-priority virtual machines for batch workloads: Consider using low-priority virtual machines for batch workloads that aren't time-sensitive and in which interruptions are recoverable.",
"description": "Low-priority virtual machines enable a large amount of compute power to be used for a low cost. They take advantage of surplus capacity in Azure.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8fff224b-1d7f-4116-8624-e92ed5afc67a"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Enable idle shutdown for compute instances: Enable idle shutdown for compute instances or schedule a start and stop time if usage time is known.",
"description": "By default, compute instances are available to you, accruing cost. Configuring compute instances to shut down when idle or configuring a schedule for them saves cost when they aren't in use.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "af8c167c-be44-45c2-bb57-a1bc383a8abd"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Parallelize training workloads: Consider parallelizing training workloads. Test running them with the help of the parallel components in Machine Learning.",
"description": "Parallel workloads can be run on multiple smaller instances, potentially yielding cost savings.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2c88452f-1c05-46c4-a541-54acbfc708b2"
},
{
"waf": "Cost",
"service": "Azure Machine Learning",
"text": "Azure Reserved VM Instances: Purchase Azure Reserved VM Instances if you have a good estimate of usage over the next one to three years. Take advantage of reserved capacity options for services when you have good estimates of usage.",
"description": "Purchase Azure Reserved VM Instances to prepay for virtual machine usage and provide discounts with pay-as-you-go pricing. The discount is automatically applied for virtual machine usage that matches the reservation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bfc81863-3497-4a8d-a16e-aab55f3bae72"
},
{
"waf": "operations",
"service": "Azure Machine Learning",
"text": "Development standards: Take advantage of Machine Learning model catalogs and registries to store, version, and share machine learning assets.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "f5da553a-b026-4714-a3e3-d34ff609f316"
},
{
"waf": "operations",
"service": "Azure Machine Learning",
"text": "Automate for efficiency: Follow good machine learning operations (MLOps) practices. When possible, build end-to-end automated pipelines for data preparation, training, and scoring processes. In development, use scripts instead of notebooks for training models, as scripts are easier to integrate into automated pipelines.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "b796f824-2db6-452c-abf7-38292ba5b5f2"
},
{
"waf": "operations",
"service": "Azure Machine Learning",
"text": "Deploy with confidence: Implement infrastructure as code (IaC) for Machine Learning workspaces, compute clusters, compute instances, and other deployment environments.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "47a26596-5524-4dd6-8fdd-fcc6ccbc9601"
},
{
"waf": "operations",
"service": "Azure Machine Learning",
"text": "Observability: Monitor the performance of your deployed models including data drift.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "528dda34-794b-4acb-bd29-67d14b1cac5b"
},
{
"waf": "operations",
"service": "Azure Machine Learning",
"text": "Observability: If your models are deployed to online endpoints, enable Application Insights to monitor online endpoints and deployments. Monitor training infrastructure to ensure you're meeting your baseline requirements.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "b5a47cd0-f65e-44bb-8001-66f68f8e0687"
},
{
"waf": "operations",
"service": "Azure Machine Learning",
"text": "Simplicity: Use curated environments optimized for Machine Learning, when available.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "d0afa393-bcfd-4e72-8cd2-304a988a6d0a"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Minimize Machine Learning workspace instances: Minimize the number of workspaces, when possible, to reduce maintenance.",
"description": "Limiting the number of workspaces reduces the maintenance effort and cost of operation. For requirements, such as security, you might need multiple separate workspaces. Minimize the number of workspaces when possible.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "89ba4602-237d-4482-ba98-bf25c262c8e8"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Take advantage of model catalogs and registries: Take advantage of Machine Learning model catalogs and registries to store, version, and share machine learning assets.Use Machine Learning model catalogs to help you implement A/B testing and deployment of models.",
"description": "Use Machine Learning model registries to store and version your machine learning models to track changes and maintain lineage with the job and datasets used for training. With Machine Learning model catalogs, your data science teams can discover, evaluate, and fine tune pretrained foundational machine learning models. Storing versioned models in Machine Learning model registries supports deployment strategies such as A/B releases, canary releases, and rollbacks.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "53e64198-939d-4710-bb60-78240890442a"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Monitor model performance: Monitor the performance of your deployed models, and detect data drift on datasets.",
"description": "Monitoring deployed models ensures your models meet the performance requirements.Monitoring data drift helps you detect changes in the input data that can lead to a decline in your model\u2019s performance. Managing data drift helps you ensure that your model provides accurate results over time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2ec618e1-844b-4b7f-bc41-be65bdf537d0"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Monitor infrastructure: If your models are deployed to online endpoints, enable Application Insights to monitor online endpoints and deployments.Monitor training infrastructure to ensure you're meeting your baseline requirements.Ensure you're collecting resource logs for Machine Learning.",
"description": "Monitoring endpoints gives you visibility into metrics such as request latency and requests per minute. You can compare your performance versus your baseline and use this information to make changes to compute resources accordingly. Monitoring metrics such as network bytes can alert you if you're approaching quota limits and prevent throttling.Likewise, monitoring your training environment provides you with the information to make changes to your training environment. Use that information to decide to scale in or out, scale up or down with different performant SKUs, or choose between CPUs or GPUs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "dce862d1-7b48-478a-bc39-39faa56f2531"
},
{
"waf": "Operations",
"service": "Azure Machine Learning",
"text": "Curate model training environments: Use curated environments optimized for Machine Learning, when available.",
"description": "Curated environments are pre-created environments provided by Machine Learning that speed up deployment time and reduce deployment and training latency. Using curated environments improves training and deployment success rates and avoids unnecessary image builds. Curated environments, such as Azure Container for PyTorch, can also be optimized for training large models on Machine Learning.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4addefe4-a8b2-4b05-8483-c8a96ada0ee0"
},
{
"waf": "performance",
"service": "Azure Machine Learning",
"text": "Performance targets: Determine the acceptable training time and retrain frequency for your model. Setting a clear target for training time, along with testing, helps you determine the compute resources, CPU versus GPU, and CPU SKUs required to meet the training time goal.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "2b36442a-e682-4d91-9dac-75d02e6e90bf"
},
{
"waf": "performance",
"service": "Azure Machine Learning",
"text": "Performance targets: Define the acceptable performance targets for your deployed models including response time, requests per second, error rate, and uptime. Performance targets act as a benchmark for your deployed model's efficiency. Targets can help you make CPU versus GPU determinations, CPU SKU choices, and scaling requirements.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "224fccfe-921b-4854-a01c-429988f76fd0"
},
{
"waf": "performance",
"service": "Azure Machine Learning",
"text": "Meet capacity requirements: Choose the right compute resources for model training.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "ff8ee1a1-242e-4f07-b027-41219ea774d8"
},
{
"waf": "performance",
"service": "Azure Machine Learning",
"text": "Meet capacity requirements: Choose the right compute resources for model deployments.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "31f9cf51-136d-4c41-93d3-59f89c253259"
},
{
"waf": "performance",
"service": "Azure Machine Learning",
"text": "Meet capacity requirements: Choose deployment environments with autoscaling capabilities to add and remove capacity as demand fluctuates.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "def7165b-3e46-4bab-b1a1-a24681c4cacc"
},
{
"waf": "performance",
"service": "Azure Machine Learning",
"text": "Achieve and sustain performance: Continuously monitor the performance of your deployed models, review results, and take appropriate actions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "97507b95-fd6d-4784-a678-0327e5427f31"
},
{
"waf": "performance",
"service": "Azure Machine Learning",
"text": "Achieve and sustain performance: Continuously monitor the performance of your infrastructure of deployed models, review results, and take appropriate actions. Monitor training infrastructure to ensure you're meeting your requirements for training time.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-machine-learning.md",
+ "guid": "d5d78692-ab7b-45d0-8c91-93b4f6329f41"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Select appropriate compute services for model training: Consider Machine Learning compute clusters over compute instances for model training if you require autoscaling.Optimize your compute resources based on the training requirements. First choose between CPUs and GPUs. Default to CPUs, but consider GPUs for workloads such as deep learning, image or video processing, or large amounts of data. Next, choose the image SKU that best suits your workload.Use testing to choose the compute option that optimizes cost against training time when determining your baseline.",
"description": "Selecting the right compute is critical as it directly impacts the training time. Choosing the right SKU and CPU versus GPU ensures your model training can meet your requirements and performance targets. Choosing a low-performance SKU that's overused can lead to prohibitively long training times and performance problems. Compute clusters provide the ability to improve performance by scaling out workloads that support horizontal scaling. This method provides flexibility for handling workloads with different demands and lets you add or remove machines as needed.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8c75d7e5-34e6-4a55-85a1-db4c26eb15f2"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Model deployment environment scaling: Use the deployment environment\u2019s autoscale capabilities. For AKS deployment environments, use the cluster autoscaler to scale to meet demand. For online endpoints, automatically scale via integration with the Azure Monitor autoscale feature.",
"description": "Autoscaling adjusts the number of instances of the deployed model to match demand.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bc3729bc-45fd-4ceb-9b5d-2135464eddfb"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Monitor model performance: Monitor the performance of your deployed models.",
"description": "Tracking the performance of models in production alerts you to potential problems such as data drift, prediction drift, data quality, and feature attribution drift.Monitoring data drift helps you detect changes in the input data that can lead to a decline in your model\u2019s performance. Managing data drift helps you ensure that your model provides accurate results over time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ce910d41-2b8b-4685-9e78-5dc683d84bc1"
},
{
"waf": "Performance",
"service": "Azure Machine Learning",
"text": "Monitor infrastructure: Monitor online endpoints and integrate with Monitor to track and monitor the appropriate metrics and logs. Enable Application Insights when creating online deployments.Monitor training infrastructure and review resource usage such as memory and CPU or GPU usage when training models to ensure you're meeting your baseline requirements.",
"description": "Monitoring endpoints gives you visibility into metrics such as request latency and requests per minute. You can compare your performance versus your baseline and use this information to make changes to compute resources accordingly. Monitoring metrics such as network bytes can alert you if you're approaching quota limits and prevent throttling.Likewise, monitoring your training environment provides you with the information to make changes to your training environment. Use that information to decide to scale in or out, scale up or down with different performant SKUs, or choose between CPUs or GPUs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ff1f7368-9980-4cf5-bfe0-31ebae0ebc7e"
},
{
"waf": "reliability",
"service": "Azure Openai",
"text": "Resiliency: Choose the appropriate deployment option of either pay-as-you-go or provisioned throughput based on your use case. Because reserved capacity increases resiliency, choose provisioned throughput for production solutions. The pay-as-you-go approach is ideal for dev/test environments.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "9d3622f2-e644-41df-8909-d30ac168fd6e"
},
{
"waf": "reliability",
"service": "Azure Openai",
"text": "Redundancy: Add the appropriate gateways in front of your Azure OpenAI deployments. The gateway must have the capability to withstand transient failures like throttling and also route to multiple Azure OpenAI instances. Consider routing to instances in different regions to build regional redundancy.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "bb8e46b8-026e-44ed-9218-cc86ac5f82dc"
},
{
"waf": "reliability",
"service": "Azure Openai",
"text": "Resiliency: If you're using provisioned throughput, consider also deploying a pay-as-you-go instance to handle overflow. You can route calls to the pay-as-you-go instance via your gateway when your provisioned throughput model is throttled. You can also use monitoring to predict when the model will be throttled and preemptively route calls to the pay-as-you-go instance.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "9ba430a3-7386-4b44-8e19-26470b015bb8"
},
{
"waf": "reliability",
"service": "Azure Openai",
"text": "Resiliency: Monitor capacity usage to ensure you aren't exceeding throughput limits. Regularly review capacity usage to achieve more accurate forecasting and help prevent service interruptions due to capacity constraints.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "fca027d7-7acf-497a-b915-52872ab724a4"
},
{
"waf": "reliability",
"service": "Azure Openai",
"text": "Resiliency: Follow the guidance for large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "544e8c7d-450b-4e55-aaec-1a75f667db90"
},
{
"waf": "reliability",
"service": "Azure Openai",
"text": "Recovery: Define a recovery strategy that includes a recovery plan for models that are fine-tuned and for training data uploaded to Azure OpenAI. Because Azure OpenAI doesn't have automatic failover, you must design a strategy that encompasses the entire service and all dependencies, such as storage that contains training data.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "8fe970c3-76a2-4c9f-b198-0e6106b17f96"
},
{
"waf": "Reliability",
"service": "Azure Openai",
"text": "Monitor rate limits for pay-as-you-go: If you're using the pay-as-you-go approach, manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM).",
"description": "This important throughput information provides information required to ensure that you assign enough TPM from your quota to meet the demand for your deployments.Assigning enough quota prevents throttling of calls to your deployed models.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b1f8cbf7-e5d5-47cd-b8c6-dcece4ef10bf"
},
{
"waf": "Reliability",
"service": "Azure Openai",
"text": "Monitor provision-managed utilization for provisioned throughput: If you're using the provisioned throughput payment model, monitor provision-managed utilization.",
"description": "It's important to monitor provision-managed utilization to ensure it doesn't exceed 100%, to prevent throttling of calls to your deployed models.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a7585b62-bb9f-4b4f-8491-13e9728a0865"
},
{
"waf": "Reliability",
"service": "Azure Openai",
"text": "Tune content filters: Tune content filters to minimize false positives from overly aggressive filters.",
"description": "Content filters block prompts or completions based on an opaque risk analysis. Ensure content filters are tuned to allow expected usage for your workload.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "3b329988-97cb-40c6-b139-17089897a9a1"
},
{
"waf": "security",
"service": "Azure Openai",
"text": "Protect confidentiality: If you upload training data to Azure OpenAI, use customer-managed keys for data encryption, implement a key-rotation strategy, and delete training, validation, and training results data. If you use an external data store for training data, follow security best practices for that store. For example, for Azure Blob Storage, use customer-managed keys for encryption and implement a key-rotation strategy. Use managed identity-based access, implement a network perimeter by using private endpoints, and enable access logs.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "18050528-bca5-43c3-99c5-4e7035bd9496"
},
{
"waf": "security",
"service": "Azure Openai",
"text": "Protect confidentiality: Guard against data exfiltration by limiting the outbound URLs that Azure OpenAI resources can access.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "da9ce235-e104-401e-b094-59bf983cfa40"
},
{
"waf": "security",
"service": "Azure Openai",
"text": "Protect integrity: Implement access controls to authenticate and authorize user access to the system by using the least-privilege principle and by using individual identities instead of keys.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "f47bab52-1aa2-45c5-b250-b3716716367e"
},
{
"waf": "security",
"service": "Azure Openai",
"text": "Protect integrity: Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "41a12d3c-56b5-4f10-9eea-303af5adcdb6"
},
{
"waf": "security",
"service": "Azure Openai",
"text": "Protect availability: Use security controls to prevent attacks that might exhaust model usage quotas. You might configure controls to isolate the service on a network. If the service must be accessible from the internet, consider using a gateway to block suspected abuse by using routing or throttling.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "a55c7008-6341-44e8-8b8c-089bc61dd193"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Secure keys: If your architecture requires Azure OpenAI key-based authentication, store those keys in Azure Key Vault, not in application code.",
"description": "Separating secrets from code by storing them in Key Vault reduces the chance of leaking secrets. Separation also facilitates central management of secrets, easing responsibilities like key rotation.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8dc95921-66ec-40fa-9e0c-2bcd0de338bc"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Restrict access: Disable public access to Azure OpenAI unless your workload requires it. Create private endpoints if you're connecting from consumers in an Azure virtual network.",
"description": "Controlling access to Azure OpenAI helps prevent attacks from unauthorized users. Using private endpoints ensures network traffic remains private between the application and the platform.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "fb4efdfc-4ccf-4be0-8652-39f3ac82a3a3"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Microsoft Entra ID: Use Microsoft Entra ID for authentication and to authorize access to Azure OpenAI by using role-based access control (RBAC). Disable local authentication in Azure AI Services and set `disableLocalAuth` to `true`. Grant identities that perform completions or image generation the Cognitive Services OpenAI User role. Grant model automation pipelines and ad-hoc data-science access a role like Cognitive Services OpenAI Contributor.",
"description": "Using Microsoft Entra ID centralizes the identity-management component and eliminates the use of API keys. Using RBAC with Microsoft Entra ID ensures that users or groups have exactly the permissions they need to do their job. This kind of fine-grained access control isn't possible with Azure OpenAI API keys.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "a391f8f5-e04e-4285-b756-4e9de162bc10"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Use customer-managed keys: Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI.",
"description": "Using customer-managed keys gives you greater flexibility to create, rotate, disable, and revoke access controls.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "f73c5ae9-9299-48ca-969c-6ac872096e3d"
},
{
"waf": "Security",
"service": "Azure Openai",
"text": "Protect against jailbreak attacks: Use Azure AI Content Safety Studio to detect jailbreak risks.",
"description": "Detect jailbreak attempts to identify and block prompts that try to bypass the safety mechanisms of your Azure OpenAI deployments.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "47f53122-cc5c-4172-901a-cd3cf6d5085f"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Cost management: Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "fb012775-b93d-442c-916c-81ca72d7bc91"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Usage optimization: Start with pay-as-you-go pricing for Azure OpenAI until your token usage is predictable.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "48e39691-9809-4ab1-86fb-857d47e4163e"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Rate optimization: When your token usage is sufficiently high and predictable over a period of time, use the provisioned throughput pricing model for better cost optimization.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "8c51bdd3-d4cb-4742-a323-89917c6ac87e"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Usage optimization: Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks. For more complex tasks like language translation or content understanding, consider using more advanced models. Consider different model capabilities and maximum token usage limits when you choose a model that's appropriate for use cases like text embedding, image generation, or transcription scenarios. By carefully selecting the model that best fits your needs, you can optimize costs while still achieving the desired application performance.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "e65920ea-b7aa-4eda-bfc8-36746c74933a"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Usage optimization: Use the token-limiting constraints offered by the API calls, such as `max_tokens` and `n`, which indicate the number of completions to generate.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "d310e9bc-ae3d-4eff-90a1-8356d72a1376"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Usage optimization: Maximize Azure OpenAI price breakpoints, for example, fine-tuning and model breakpoints like image generation. Because fine-tuning is charged per hour, use as much time as you have available per hour to improve fine-tuning results while avoiding slipping into the next billing period. Similarly, the cost for generating 100 images is the same as the cost for 1 image. Maximize price breakpoints to your advantage.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "73965cc9-1763-43c1-82aa-549b3ea75f4e"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Usage optimization: Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "a1abac7c-cce9-4443-97e8-2faf150559d4"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Adjust usage: Optimize prompt input and response length. Longer prompts raise costs by consuming more tokens. However, prompts that are missing sufficient context don't help the models yield good results. Create concise prompts that provide enough context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "9e2fb33a-0e01-43c6-9de0-2409778ad08d"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Cost efficiency: Batch requests where possible to minimize the per-call overhead, which can reduce overall costs. Ensure that you optimize batch size.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "3100afcf-2db1-4f14-901c-bd5e33bc29ff"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Cost efficiency: Because models have different fine-tuning costs, consider these costs if your solution requires fine-tuning.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "15ea2d47-0659-4906-a1ec-d26a00aa4237"
},
{
"waf": "cost",
"service": "Azure Openai",
"text": "Monitor and optimize: Set up a cost-tracking system that monitors model usage. Use that information to help inform model choices and prompt sizes.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "6ebaa528-2e34-4366-b8cb-6bc3318ec624"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Design client code to set limits: Your custom clients should use the limit features of the Azure OpenAI completions API, such as maximum limit on the number of tokens per model (`max_tokens`) or number of completions to generation (`n`). Setting limits ensures that the server doesn't produce more than the client needs.",
"description": "Using API features to restrict usage aligns service consumption with client needs. This saves money by ensuring the model doesn't generate an overly long response that consumes more tokens than necessary.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "550bf6a6-0fd6-4f5e-a447-fefda36067bc"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Monitor pay-as-you-go usage: If you use the pay-as-you-go approach, monitor usage of TPM and RPM. Use that information to inform architectural design decisions such as what models to use, and to optimize prompt sizes.",
"description": "Continuously monitoring TPM and RPM gives you relevant metrics to optimize the cost of Azure OpenAI models. You can couple this monitoring with model features and model pricing to optimize model usage. You can also use this monitoring to optimize prompt sizes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0d6d5b07-c475-408c-8f6a-fa8c92b96957"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Monitor provisioned throughput usage: If you use provisioned throughput, monitor provision-managed utilization to ensure you're not underutilizing the provisioned throughput you purchased.",
"description": "Continuously monitoring provision-managed utilization gives you the information you need to understand if you're underutilizing your provisioned throughput.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "25a3468e-92d0-4aa3-bb5f-c1214eee958b"
},
{
"waf": "Cost",
"service": "Azure Openai",
"text": "Cost management: Use cost management features with OpenAI to monitor costs, set budgets to manage costs, and create alerts to notify stakeholders of risks or anomalies.",
"description": "Cost monitoring, setting budgets, and setting alerts provides governance with the appropriate accountability processes.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0c5365cb-838b-4dfb-9608-0bcfabe98460"
},
{
"waf": "operations",
"service": "Azure Openai",
"text": "Azure DevOps culture: Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production. Ensure that you have environments to support continuous learning and experimentation throughout the development cycle.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "be37d987-ea7b-4f82-b63a-49384a95b30b"
},
{
"waf": "operations",
"service": "Azure Openai",
"text": "Observability: Monitor, aggregate, and visualize appropriate metrics.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "f9637ddc-7d73-4efd-86f1-75d9d122f943"
},
{
"waf": "operations",
"service": "Azure Openai",
"text": "Observability: If Azure OpenAI diagnostics are insufficient for your needs, consider using a gateway like Azure API Management in front of Azure OpenAI to log both incoming prompts and outgoing responses where permitted. This information can help you understand the effectiveness of the model for incoming prompts.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "eff14512-adda-441e-a2af-7a6589c330d5"
},
{
"waf": "operations",
"service": "Azure Openai",
"text": "Deploy with confidence: Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "79634884-f1b8-4cbb-8583-e0ca1f41dd4d"
},
{
"waf": "operations",
"service": "Azure Openai",
"text": "Deploy with confidence: Follow large language model operations (LLMOps) practices to operationalize the management of your Azure OpenAI LLMs, including deployment, fine-tuning, and prompt engineering.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "8863b916-2b11-4d2f-a468-110900f06f11"
},
{
"waf": "operations",
"service": "Azure Openai",
"text": "Automate for efficiency: If you use key-based authentication, implement an automated key-rotation strategy.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "406ddc6b-7ccc-4262-8c11-e00714f74590"
},
{
"waf": "Operations",
"service": "Azure Openai",
"text": "Enable and configure Azure Diagnostics: Enable and configure Diagnostics for the Azure OpenAI Service.",
"description": "Diagnostics collects and analyzes metrics and logs, helping you monitor the availability, performance, and operation of Azure OpenAI.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c5ac80e5-9b95-4205-a5c7-d8d8702ed00b"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Capacity: Estimate consumers' elasticity demands. Identify high-priority traffic that requires synchronous responses and low-priority traffic that can be asynchronous and batched.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "c8f369bf-bb71-4c71-bec6-a9806f071d66"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Capacity: Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you're using provisioned throughput unit (PTU) deployments.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "1238d615-b520-4de2-a8db-5da3156ea687"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Capacity: Use provisioned throughput for production workloads. Provisioned throughput offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version. The pay-as-you-go offering can suffer from noisy neighbor problems like increased latency and throttling in regions under heavy use. Also, the pay-as-you-go approach doesn't offer guaranteed capacity.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "2b52edf1-c7bc-4108-90c0-d3df81bff610"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Capacity: Add the appropriate gateways in front of your Azure OpenAI deployments. Ensure that the gateway can route to multiple instances in the same or different regions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "39601e61-c985-4ac6-9269-9f7edff4ca1e"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Capacity: Allocate PTUs to cover your predicted usage, and complement these PTUs with a TPM deployment to handle elasticity above that limit. This approach combines base throughput with elastic throughput for efficiency. Like other considerations, this approach requires a custom gateway implementation to route requests to the TPM deployment when the PTU limits are reached.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "2153dc0b-41f7-4470-abd1-c6ac7522537c"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Capacity: Send high-priority requests synchronously. Queue low-priority requests and send them through in batches when demand is low.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "4d0ffbf1-3c3b-4ea3-8a58-05fac3a22e33"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Capacity: Select a model that aligns with your performance requirements, considering the tradeoff between speed and output complexity. Model performance can vary significantly based on the chosen model type. Models designed for speed offer faster response times, which can be beneficial for applications that require quick interactions. Conversely, more sophisticated models might deliver higher-quality outputs at the expense of increased response time.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "6fd43871-d247-42ea-b468-dcf25d2d4e68"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Achieve performance: For applications like chatbots or conversational interfaces, consider implementing streaming. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner, improving the user experience.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "3bbf1b68-e6d6-475b-9406-9271cdee6454"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Achieve performance: Determine when to use fine-tuning before you commit to fine-tuning. Although there are good use cases for fine-tuning, such as when the information needed to steer the model is too long or complex to fit into the prompt, make sure that prompt engineering and retrieval-augmented generation (RAG) approaches don't work or are demonstrably more expensive.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "50fa9db0-6a80-446b-8eca-32b51efb14b5"
},
{
"waf": "performance",
"service": "Azure Openai",
"text": "Achieve performance: Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/azure-openai.md",
+ "guid": "21a63a3a-9e5d-4a7d-9825-636f4012fbcf"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Review Virtual Machines quotas and limits that might pose design restrictions. VMs have specific limits and quotas, which vary based on the type of VM or the region. There might be subscription restrictions, such as the number of VMs per subscription or the number of cores per VM. If other workloads share your subscription, then your ability to consume data might be reduced.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "361c5452-9715-4191-b073-b0331eb90559"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Conduct a failure mode analysis to minimize points of failure by analyzing VM interactions with the network and storage components. Choose configurations like ephemeral operating system (OS) disks to localize disk access and avoid network hops. Add a load balancer to enhance self-preservation by distributing network traffic across multiple VMs, which improves availability and reliability.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "957b7b80-d049-454d-b65b-7bbd967b141b"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Calculate your composite service-level objectives (SLOs) based on Azure service-level agreements (SLAs). Ensure that your SLO isn't higher than the Azure SLAs to avoid unrealistic expectations and potential issues.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "0962db49-c5c0-45b4-9064-c5da949a67b3"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Create state isolation. Workload data should be on a separate data disk to prevent interference with the OS disk. If a VM fails, you can create a new OS disk with the same data disk, which ensures resilience and fault isolation. For more information, see Ephemeral OS disks.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "b2ecdce9-fd21-4784-beb8-6084a166aa12"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Make VMs and their dependencies redundant across zones. If a VM fails, the workload should continue to function because of redundancy. Include dependencies in your redundancy choices. For example, use the built-in redundancy options that are available with disks. Use zone-redundant IPs to ensure data availability and high uptime.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "5aaae165-879c-4ce7-8661-c4a05b0e5074"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Be ready to scale up and scale out to prevent service level degradation and to avoid failures. Virtual Machine Scale Sets have autoscale capabilities that create new instances as required and distribute the load across multiple VMs and availability zones.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "553a3f24-22d8-4c4c-a26a-84063663c613"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Explore the automatic recovery options. Azure supports health degradation monitoring and self-healing features for VMs. For example, scale sets provide automatic instance repairs. In more advanced scenarios, self-healing involves using Azure Site Recovery, having a passive standby to fail over to, or redeploying from infrastructure as code (IaC). The method that you choose should align with the business requirements and your organizational operations. For more information, see VM service disruptions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "9a34544a-d391-485c-8373-e191d47e3fb8"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Rightsize the VMs and their dependencies. Understand your VM's expected work to ensure it's not undersized and can handle the maximum load. Have extra capacity to mitigate failures.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "285a5da3-2741-4f96-b58f-d2a48be2d39d"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Create a comprehensive disaster recovery plan. Disaster preparedness involves creating a comprehensive plan and deciding on a technology for recovery.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "dcaadec2-8bc9-43ce-b13d-51aa5c4db90e"
},
{
"waf": "reliability",
"service": "Virtual Machines",
"text": "Run operations with rigor. Reliability design choices must be supported by effective operations based on the principles of monitoring, resiliency testing in production, automated application VM patches and upgrades, and consistency of deployments. For operational guidance, see Operational Excellence.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "eaff9b97-b18a-4ab7-9307-14cf820eeb5a"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(Scale set) Use Virtual Machine Scale Sets in Flexible orchestration mode to deploy VMs.",
"description": "Future-proof your application for scaling and take advantage of the high availability guarantees that spread VMs across fault domains in a region or an availability zone.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2f3edda7-4225-472e-83d0-265c26367213"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(VMs) Implement heath endpoints that emit instance health statuses on VMs. (Scale set) Enable automatic repairs on the scale set by specifying the preferred repair action. Consider setting a time frame during which automatic repairs pause if the VM's state changes.",
"description": "Maintain availability even if an instance is deemed unhealthy. Automatic repairs initiate recovery by replacing the faulty instance. Setting a time window can prevent inadvertent or premature repair operations.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0bc7ac44-c4e0-4192-a423-09571aae23dc"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(Scale set) Enable overprovisioning on scale sets.",
"description": "Overprovisioning reduces deployment times and has a cost benefit because the extra VMs aren't billed.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "c97c1d86-cef5-435b-9312-c8f41b231afe"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(Scale set) Allow Flexible orchestration to spread the VM instances across as many fault domains as possible.",
"description": "This option isolates fault domains. During maintenance periods, when one fault domain is updated, VM instances are available in the other fault domains.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "18b6cb3c-704e-415c-ac33-a04ce8d33982"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(Scale set) Deploy across availability zones on scale sets. Set up at least two instances in each zone. Zone balancing equally spreads the instances across zones.",
"description": "The VM instances are provisioned in physically separate locations within each Azure region that are tolerant to local failures. Keep in mind that, depending on resource availability, there might be an uneven number of instances across zones. Zone balancing supports availability by making sure that, if one zone is down, the other zones have sufficient instances. Two instances in each zone provide a buffer during upgrades.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "cfcbe692-8d95-414c-855a-2af8530bbee7"
},
{
"waf": "Reliability",
"service": "Virtual Machines",
"text": "(VMs) Take advantage of the capacity reservations feature.",
"description": "Capacity is reserved for your use and is available within the scope of the applicable SLAs. You can delete capacity reservations when you no longer need them, and billing is consumption based.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "640c79fd-8a7f-4824-ba96-ca41034d02e8"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Review the security baselines for Linux and Windows VMs and Virtual Machine Scale Sets.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "fe47919b-9d90-4600-8dad-658568ce94d8"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Ensure timely and automated security patching and upgrades. Make sure updates are automatically rolled out and validated by using a well-defined process. Use a solution like Azure Automation to manage OS updates and maintain security compliance by making critical updates.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "51c32087-d5b8-4be6-9006-786bf12bd94b"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Identify the VMs that hold state. Make sure that data is classified according to the sensitivity labels that your organization provided. Protect data by using security controls like appropriate levels of at-rest and in-transit encryption. If you have high sensitivity requirements, consider using high-security controls like double encryption and Azure confidential computing to protect data-in-use.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "a4ceac6a-ac90-4278-9ad9-706194c2d5c9"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Provide segmentation to the VMs and scale sets by setting network boundaries and access controls. Place VMs in resource groups that share the same lifecycle.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "f90aa688-2018-4e02-9fd9-0c7151dee588"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Apply access controls to the identities that try to reach the VMs and also to the VMs that reach other resources. Use Microsoft Entra ID for authentication and authorization needs. Put strong passwords, multifactor authentication, and role-based access control (RBAC) in place for your VMs and their dependencies, like secrets, to permit allowed identities to perform only the operations that are expected of their roles.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "2e452de7-a327-401b-9ad4-19a42e7b3b2a"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Use network controls to restrict ingress and egress traffic. Isolate VMs and scale sets in Azure Virtual Network and define network security groups to filter traffic. Protect against distributed denial of service (DDoS) attacks. Use load balancers and firewall rules to protect against malicious traffic and data exfiltration attacks.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "51bdfe3f-1460-43ac-860d-d5dcaa69a698"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Reduce the attack surface by hardening OS images and removing unused components. Use smaller images and remove binaries that aren't required to run the workload. Tighten the VM configurations by removing features, like default accounts and ports, that you don't need.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "e4779d30-f938-495f-b9a6-bfed5afa8c38"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Protect secrets such as the certificates that you need to protect data in transit. Consider using the Azure Key Vault extension for Windows or Linux that automatically refreshes the certificates stored in a key vault. When it detects a change in the certificates, the extension retrieves and installs the corresponding certificates.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "08be36ad-0190-4740-b002-9adae9be0cca"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Threat detection. Monitor VMs for threats and misconfigurations. Use Defender for Servers to capture VM and OS changes, and maintain an audit trail of access, new accounts, and changes in permissions.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "9a7f628b-002c-4926-b1fc-d4918b451c30"
},
{
"waf": "security",
"service": "Virtual Machines",
"text": "Threat prevention. Protect against malware attacks and malicious actors by implementing security controls like firewalls, antivirus software, and intrusion detection systems. Determine if a Trusted Execution Environment (TEE) is required.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "ad4792c8-903c-4467-a6c8-90c84a49af47"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(Scale set) Assign a managed identity to scale sets. All VMs in the scale set get the same identity through the specified VM profile. (VMs) You can also assign a managed identity to individual VMs when you create them and then add it to a scale set if needed.",
"description": "When VMs communicate with other resources, they cross a trust boundary. Scale sets and VMs should authenticate their identity before communication is allowed. Microsoft Entra ID handles that authentication by using managed identities.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "22995c7f-8fcf-4986-b139-cc1b8e946c03"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(Scale set) Choose VM SKUs with security features. For example, some SKUs support BitLocker encryption, and confidential computing provides encryption of data-in-use. Review the features to understand the limitations.",
"description": "Azure-provided features are based on signals that are captured across many tenants and can protect resources better than custom controls. You can also use policies to enforce those controls.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b298468d-1c65-4c20-986c-6456d2d99665"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs, scale set) Apply organization-recommended tags in the provisioned resources.",
"description": "Tagging is a common way to segment and organize resources and can be crucial during incident management. For more information, see Purpose of naming and tagging.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "b47b917b-bb94-49a9-9c84-a579d9554f18"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs, scale set) Set a security profile with the security features that you want to enable in the VM configuration. For example, when you specify encryption at host in the profile, the data that's stored on the VM host is encrypted at rest and flows are encrypted to the storage service.",
"description": "The features in the security profile are automatically enabled when the VM is created. For more information, see Azure security baseline for Virtual Machine Scale Sets.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "4529997c-b38f-402e-9bbf-8db5717a74d4"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs) Choose secure networking options for your VM's network profile. Don't directly associate public IP addresses to your VMs and don't enable IP forwarding. Ensure that all virtual network interfaces have an associated network security group.",
"description": "You can set segmentation controls in the networking profile. Attackers scan public IP addresses, which makes VMs vulnerable to threats.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "312f1ab0-131f-4606-ae9b-18956ba60371"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs) Choose secure storage options for your VM's storage profile. Enable disk encryption and data-at-rest encryption by default. Disable public network access to the VM disks.",
"description": "Disabling public network access helps prevent unauthorized access to your data and resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "47c0a03c-627a-4961-96da-9a8c883d0d9f"
},
{
"waf": "Security",
"service": "Virtual Machines",
"text": "(VMs, scale set) Include extensions in your VMs that protect against threats. For example, - Key Vault extension for Windows and Linux - Microsoft Entra ID authentication - Microsoft Antimalware for Azure Cloud Services and Virtual Machines - Azure Disk Encryption extension for Windows and Linux.",
"description": "The extensions are used to bootstrap the VMs with the right software that protects access to and from the VMs. Microsoft-provided extensions are updated frequently to keep up with the evolving security standards.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "01d2e86e-e54e-4e42-87dd-fc09bf9f69a0"
},
{
"waf": "cost",
"service": "Virtual Machines",
"text": "Estimate realistic costs. Use the pricing calculator to estimate the costs of your VMs. Identify the best VM for your workload by using the VM selector. For more information, see Linux and Windows pricing.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "4f730d71-d8da-489b-b609-e9b1962ab07f"
},
{
"waf": "cost",
"service": "Virtual Machines",
"text": "Implement cost guardrails. Use governance policies to restrict resource types, configurations, and locations. Use RBAC to block actions that can lead to overspending.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "389aca19-a7d5-4abb-82f6-66716e25023a"
},
{
"waf": "cost",
"service": "Virtual Machines",
"text": "Choose the right resources. Your selection of VM plan sizes and SKUs directly affect the overall cost. Choose VMs based on workload characteristics. Is the workload CPU intensive or does it run interruptible processes? Each SKU has associated disk options that affect the overall cost.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "fd59590a-44b0-469a-aa57-e04183683d0b"
},
{
"waf": "cost",
"service": "Virtual Machines",
"text": "Choose the right capabilities for dependent resources. Save on backup storage costs for the vault-standard tier by using Azure Backup storage with reserved capacity. It offers a discount when you commit to a reservation for either one year or three years.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "e445d2d7-01a5-428d-9996-7d42b8727ae5"
},
{
"waf": "cost",
"service": "Virtual Machines",
"text": "Choose the right billing model. Evaluate whether commitment-based models for computing optimize costs based on the business requirements of workload. Consider these Azure options:",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "72eb7a10-acdd-47f4-ac63-c2366162dca0"
},
{
"waf": "cost",
"service": "Virtual Machines",
"text": "Monitor usage. Continuously monitor usage patterns and detect unused or underutilized VMs. For those instances, shut down VM instances when they're not in use. Monitoring is a key approach of Operational Excellence. For more information, see the recommendations in Operational Excellence.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "9269756b-3f6f-4066-907b-a24ef20d44c9"
},
{
"waf": "cost",
"service": "Virtual Machines",
"text": "Look for ways to optimize. Some strategies include choosing the most cost-effective approach between increasing resources in an existing system, or scaling up, and adding more instances of that system, or scaling out. You can offload demand by distributing it to other resources, or you can reduce demand by implementing priority queues, gateway offloading, buffering, and rate limiting. For more information, see the recommendations in Performance Efficiency.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "f7fc4792-bc2c-4a9d-98dc-ee637e18badd"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(VMs, scale set) Choose the right VM plan size and SKU. Identify the best VM sizes for your workload. Use the VM selector to identify the best VM for your workload. See Windows and Linux pricing. For workloads like highly parallel batch processing jobs that can tolerate some interruptions, consider using Azure Spot Virtual Machines. Spot virtual machines are good for experimenting, developing, and testing large-scale solutions.",
"description": "SKUs are priced according to the capabilities that they offer. If you don't need advanced capabilities, don't overspend on SKUs. Spot virtual machines take advantage of the surplus capacity in Azure at a lower cost.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "12835f9e-fdcf-4ecd-8d96-22d2a32bbd29"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(VMs, scale set) Evaluate the disk options that are associated with your VM's SKUs. Determine your performance needs while keeping in mind your storage capacity needs and accounting for fluctuating workload patterns. For example, the Azure Premium SSD v2 disk allows you to granularly adjust your performance independent of the disk's size.",
"description": "Some high-performance disk types offer extra cost optimization features and strategies. The Premium SSD v2 disk's adjustment capability can reduce costs because it provides high performance without overprovisioning, which could otherwise lead to underutilized resources.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8e136ca6-91e6-4cd0-8d19-b6cfec2622c1"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(Scale set) Mix regular VMs with spot virtual machines. Flexible orchestration lets you distribute spot virtual machines based on a specified percentage.",
"description": "Reduce compute infrastructure costs by applying the deep discounts of spot virtual machines.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bf114ba8-d145-4e31-9798-fb07277a246d"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(Scale set) Reduce the number of VM instances when demand decreases. Set a scale-in policy based on criteria. Stop VMs during off-hours. You can use the Azure Automation Start/Stop feature and configure it according to your business needs.",
"description": "Scaling in or stopping resources when they're not in use reduces the number of VMs running in the scale set, which saves costs. The Start/Stop feature is a low-cost automation option.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0a6605c5-2e42-4796-b60c-f2ac2a89872c"
},
{
"waf": "Cost",
"service": "Virtual Machines",
"text": "(VMs, scale set) Take advantage of license mobility by using Azure Hybrid Benefit. VMs have a licensing option that allows you to bring your own on-premises Windows Server OS licenses to Azure. Azure Hybrid Benefit also lets you bring certain Linux subscriptions to Azure.",
"description": "You can maximize your on-premises licenses while getting the benefits of the cloud.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2a4a0772-4dab-4123-bdb0-569271e29b63"
},
{
"waf": "operations",
"service": "Virtual Machines",
"text": "Monitor the VM instances. Collect logs and metrics from VM instances to monitor resource usage and measure the health of the instances. Some common metrics include CPU usage, number of requests, and input/output (I/O) latency. Set up Azure Monitor alerts to be notified about issues and to detect configuration changes in your environment.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "7fabd21e-bee0-4264-a4c0-666cb66e9deb"
},
{
"waf": "operations",
"service": "Virtual Machines",
"text": "Monitor the health of the VMs and their dependencies.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "f41eee87-6f25-4471-b482-a186535f468d"
},
{
"waf": "operations",
"service": "Virtual Machines",
"text": "Create a maintenance plan that includes regular system patching as a part of routine operations. Include emergency processes that allow for immediate patch application. You can have custom processes to manage patching or partially delegate the task to Azure.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "f419068c-ec1e-4c73-a7c6-ead478c8b4d6"
},
{
"waf": "operations",
"service": "Virtual Machines",
"text": "Automate processes for bootstrapping, running scripts, and configuring VMs. You can automate processes by using extensions or custom scripts. We recommend the following options:",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "91646a8b-4462-401b-9b10-e600079458fe"
},
{
"waf": "operations",
"service": "Virtual Machines",
"text": "Have processes for installing automatic updates. Consider using Automatic VM guest patching for a timely rollout of critical patches and security patches. Use Azure Update Manager to manage OS updates for your Windows and Linux virtual machines in Azure.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "941dc2bd-3fae-42ce-97e8-2aae24fa414c"
},
{
"waf": "operations",
"service": "Virtual Machines",
"text": "Build a test environment that closely matches your production environment to test updates and changes before you deploy them to production. Have processes in place to test the security updates, performance baselines, and reliability faults. Take advantage of Azure Chaos Studio fault libraries to inject and simulate error conditions. For more information, see Azure Chaos Studio fault and action library.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "bc5e266d-f8ee-4c9d-ba6c-edbb581c9a97"
},
{
"waf": "operations",
"service": "Virtual Machines",
"text": "Manage your quota. Plan what level of quota your workload requires and review that level regularly as the workload evolves. If you need to increase or decrease your quota, request those changes early.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "00d9961c-9d4b-4edd-9c69-45aed5d2172c"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(Scale set) Virtual Machine Scale Sets in Flexible orchestration mode can help simplify the deployment and management of your workload. For example, you can easily manage self-healing by using automatic repairs.",
"description": "Flexible orchestration can manage VM instances at scale. Handing individual VMs adds operational overhead. For example, when you delete VM instances, the associated disks and NICs are also automatically deleted. VM instances are spread across multiple fault domains so that update operations don't disrupt service.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "6ecf127d-151e-41d6-a796-2f1b0502ddd7"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(Scale set) Keep your VMs up to date by setting an upgrade policy. We recommend rolling upgrades. However, if you need granular control, choose to upgrade manually. For Flexible orchestration, you can use Azure Update Manager.",
"description": "Security is the primary reason for upgrades. Security assurances for the instances shouldn't decay over time. Rolling upgrades are done in batches, which ensures all instances aren't down at the same time.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "2adb5980-e146-44a0-b143-b1e618b9af3f"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(VMs, scale set) Automatically deploy VM applications from the Azure Compute Gallery by defining the applications in the profile.",
"description": "The VMs in the scale set are created and the specified apps are preinstalled, which makes management easier.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "77a59c87-2e77-4070-8823-def10424362e"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "Install prebuilt software components as extensions as part of bootstrapping. Azure supports many extensions that can be used to configure, monitor, secure, and provide utility applications for your VMs. Enable automatic upgrades on extensions.",
"description": "Extensions can help simplify the software installation at scale without you having to manually install, configure, or upgrade it on each VM.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "bb8b2ac8-e277-4172-996b-a366a00321d3"
},
{
"waf": "Operations",
"service": "Virtual Machines",
"text": "(VMs, scale set) Monitor and measure the health of the VM instances. Deploy the Monitor agent extension to your VMs to collect monitoring data from the guest OS with OS-specific data collection rules. Enable VM insights to monitor health and performance and to view trends from the collected data. Use boot diagnostics to get information as VMs boot. Boot diagnostics also diagnose boot failures.",
"description": "Monitoring data is at the core of incident resolution. A comprehensive monitoring stack provides information about how the VMs are performing and their health. By continuously monitoring the instances, you can be ready for or prevent failures like performance overload and reliability issues.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "eb4dbee8-3513-472d-a1da-f27afda1e7d2"
},
{
"waf": "performance",
"service": "Virtual Machines",
"text": "Define performance targets. Identify VM metrics to track and measure against performance indicators as response time, CPU utilization, and memory utilization, as well as workload metrics such as transactions per second, concurrent users, and availability and health.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "9ea20a53-3560-42fd-b9c2-e0554d262a5f"
},
{
"waf": "performance",
"service": "Virtual Machines",
"text": "Factor in the performance profile of VMs, scale sets, and disk configuration in your capacity planning. Each SKU has a different profile of memory and CPU and behaves differently depending on the type of workload. Conduct pilots and proofs of concept to understand performance behavior under the specific workload.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "5739c739-7af2-4f47-8c0a-a38cce9f64af"
},
{
"waf": "performance",
"service": "Virtual Machines",
"text": "VM performance tuning. Take advantage of performance optimization and enhancing features as required by the workload. For example, use locally attached Non-Volatile Memory Express (NVMe) for high performance use cases and accelerated networking, and use Premium SSD v2 for better performance and scalability.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "d7ea0eb8-7505-4e2b-9be1-380fad934a96"
},
{
"waf": "performance",
"service": "Virtual Machines",
"text": "Take the dependent services into account. Workload dependencies, like caching, network traffic, and content delivery networks, that interact with the VMs can affect performance. Also, consider geographical distribution, like zones and regions, which can add latency.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "b255b907-9f43-4998-ad40-ef60a225fe43"
},
{
"waf": "performance",
"service": "Virtual Machines",
"text": "Collect performance data. Follow the Operational Excellence best practices for monitoring and deploy the appropriate extensions to view metrics that track against performance indicators.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "fd304fa2-0694-4952-b53a-6161a4e21099"
},
{
"waf": "performance",
"service": "Virtual Machines",
"text": "Proximity placement groups. Use proximity placement groups in workloads where low latency is required to ensure that VMs are physically located close to each other.",
"description": "",
- "type": "checklist"
+ "type": "checklist",
+ "sourceType": "wafsg",
+ "timestamp": "July 24, 2024",
+ "sourceFile": "well-architected/service-guides/virtual-machines.md",
+ "guid": "e2a34493-c121-47fe-aa04-d9897feeca73"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Choose SKUs for VMs that align with your capacity planning. Have a good understanding of your workload requirements, including the number of cores, memory, storage, and network bandwidth so that you can filter out unsuitable SKUs.",
"description": "Rightsizing your VMs is a fundamental decision that significantly affects the performance of your workload. Without the right set of VMs, you might experience performance issues and accrue unnecessary costs.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "0278dc83-3a7e-4439-b706-1bdc45e0ecd0"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Deploy latency-sensitive workload VMs in proximity placement groups.",
"description": "Proximity placement groups reduce the physical distance between Azure compute resources, which can improve performance and reduce network latency between stand-alone VMs, VMs in multiple availability sets, or VMs in multiple scale sets.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "d69311a8-15b4-4509-928a-0dd369babed3"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Set the storage profile by analyzing the disk performance of existing workloads and the VM SKU. Use Premium SSDs for production VMs. Adjust the performance of disks with Premium SSD v2. Use locally attached NVMe devices.",
"description": "Premium SSDs deliver high-performance and low-latency disk support VMs with I/O-intensive workloads. Premium SSD v2 doesn't require disk resizing, which enables high performance without excessive over-provisioning and minimizes the cost of unused capacity. When available on VM SKUs, locally attached NVMe or similar devices can offer high performance, especially for use cases that require high input/output operations per second (IOPS) and low latency.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "633df150-cf95-4992-853f-72b1d599395b"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs) Consider enabling accelerated networking.",
"description": "It enables single root I/O virtualization (SR-IOV) to a VM, which greatly improves its networking performance.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "8b4677c6-aed0-4e08-9736-6710010b142b"
},
{
"waf": "Performance",
"service": "Virtual Machines",
"text": "(VMs, scale set) Set autoscale rules to increase or decrease the number of VM instances in your scale set based on demand.",
"description": "If your application demand increases, the load on the VM instances in your scale set increases. Autoscale rules ensure that you have enough resources to meet the demand.",
- "type": "recommendation"
+ "type": "recommendation",
+ "guid": "ac6b7b0d-63b8-4c6f-b7ed-f0bd175ba810"
}
],
"categories": [],
"waf": [
{
- "name": "cost"
+ "name": "Performance"
},
{
- "name": "Cost"
+ "name": "Operations"
},
{
- "name": "reliability"
+ "name": "operations"
},
{
- "name": "Security"
+ "name": "Cost"
},
{
- "name": "operations"
+ "name": "Reliability"
},
{
- "name": "Operations"
+ "name": "reliability"
},
{
- "name": "Reliability"
+ "name": "cost"
},
{
- "name": "Performance"
+ "name": "security"
},
{
"name": "performance"
},
{
- "name": "security"
+ "name": "Security"
}
],
"yesno": [
@@ -4920,6 +6714,6 @@
"name": "WAF Service Guides",
"waf": "all",
"state": "preview",
- "timestamp": "July 07, 2024"
+ "timestamp": "July 24, 2024"
}
}
\ No newline at end of file
diff --git a/scripts/cl.py b/scripts/cl.py
new file mode 100644
index 000000000..69e9a8232
--- /dev/null
+++ b/scripts/cl.py
@@ -0,0 +1,768 @@
+#################################################################################
+#
+# This is the checklists CLI. It is a command-line interface that allows users to
+# perform various operations on checklists.
+#
+# Supported commands:
+# - analyze-v1: Analyze a checklist
+# - analyze-v2: Analyze a folder structure containing v2 recommendations
+# - list-recos: List recommendations from a folder structure containing v2 recommendations
+# - show-reco: Show a specific recommendation
+# - v1tov2: Convert a v1 checklist to v2
+# - run-arg: Run Azure Resource Graph queries stored in v2 recommendations
+#
+# Usage examples for v1-to-v2 conversion (use the --max-items parameter to limit the number of items to convert):
+# python3 ./scripts/cl.py v1tov2 --input-file ./checklists/aks_checklist.en.json --service-dictionary ./scripts/service_dictionary.json --output-folder ./v2/recos --text-analytics-endpoint $text_endpoint --text-analytics-key $text_key --overwrite --source-type revcl --verbose
+# python3 ./scripts/cl.py v1tov2 --input-file ./checklists/alz_checklist.en.json --service-dictionary ./scripts/service_dictionary.json --output-folder ./v2/recos --output-format yaml --text-analytics-endpoint $text_endpoint --text-analytics-key $text_key --overwrite --source-type revcl --verbose
+# python3 ./scripts/cl.py v1tov2 --input-file ./checklists/waf_checklist.en.json --service-dictionary ./scripts/service_dictionary.json --output-folder ./v2/recos --output-format yaml --text-analytics-endpoint $text_endpoint --text-analytics-key $text_key --overwrite --source-type revcl --verbose
+# python3 ./scripts/cl.py v1tov2 --input-file ./checklists-ext/aprl_checklist.en.json --service-dictionary ./scripts/service_dictionary.json --output-folder ./v2/recos --text-analytics-endpoint $text_endpoint --text-analytics-key $text_key --overwrite --source-type aprl --verbose
+# python3 ./scripts/cl.py v1tov2 --input-file ./checklists-ext/wafsg_checklist.en.json --service-dictionary ./scripts/service_dictionary.json --output-folder ./v2/recos --text-analytics-endpoint $text_endpoint --text-analytics-key $text_key --overwrite --source-type wafsg --verbose
+#
+# Usage examples for v2 analysis:
+# python3 ./scripts/cl.py analyze-v2 --input-folder ./v2/recos --format yaml
+# python3 ./scripts/cl.py analyze-v2 --input-folder ./v2/recos --format yaml --show-sources
+# python3 ./scripts/cl.py analyze-v2 --input-folder ./v2/recos --format yaml --show-sources --source-selector revcl
+# python3 ./scripts/cl.py analyze-v2 --input-folder ./v2/recos --format yaml --delete-assistant
+# python3 ./scripts/cl.py analyze-v2 --input-folder ./v2/recos --format yaml --show-resource-types
+#
+# Usage examples for specific reco inspection:
+# python3 ./scripts/cl.py show-reco --input-folder ./v2/recos --guid 1b1b1b1b-1b1b-1b1b-1b1b-1b1b1b1b1b1b
+# python3 ./scripts/cl.py show-reco --input-folder ./v2/recos --name revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService
+# python3 ./scripts/cl.py open-reco --input-folder ./v2/recos --guid 1b1b1b1b-1b1b-1b1b-1b1b-1b1b1b1b1b1b
+# python3 ./scripts/cl.py open-reco --input-folder ./v2/recos --name revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService
+#
+# Validate reco files
+# python3 ./scripts/cl.py validate-recos --input-folder ./v2/recos --schema ./v2/schema/recommendation.schema.json --verbose --max-items 10
+# python3 ./scripts/cl.py validate-recos --input-folder ./v2/recos --schema ./v2/schema/recommendation.schema.json --verbose --max-findings 1
+# python3 ./scripts/cl.py validate-recos --input-folder ./v2/recos --schema ./v2/schema/recommendation.schema.json --verbose
+#
+# Validate checklist files
+# python3 ./scripts/cl.py validate-checklists --input-folder ./v2/checklists --schema ./v2/schema/checklist.schema.json --verbose
+#
+# Disambiguate names
+# python3 ./scripts/cl.py disambiguate-names --input-folder ./v2/recos --verbose
+#
+# Usage examples for v2 reco listing:
+# python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --format yaml --label-selector '{"checklist": "alz"}' --show-labels
+# python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --format yaml --source-selector 'aprl'
+# python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --format yaml --with-arg
+# python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --checklist-file ./v2/checklists/alz.yaml --verbose
+# python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --checklist-file ./v2/checklists/alz.yaml --only-filenames
+#
+# Usage examples for renaming:
+# python3 ./scripts/cl.py rename-reco --input-folder ./v2/recos --guid 1b1b1b1b-1b1b-1b1b-1b1b-1b1b1b1b1b1b
+#
+# Usage examples for updating recos:
+# python3 ./scripts/cl.py update-recos --input-folder ./v2/recos --reviewed --verbose
+# python3 ./scripts/cl.py update-recos --input-folder ./v2/recos --default-severity 1 --verbose
+#
+# Create a v2 checklist file out of a v1 checklist file:
+# python3 ./scripts/cl.py checklist-to-v2 --checklist-file .\checklists\alz_checklist.en.json --output-file .\v2\checklists\alz.yaml --input-folder .\v2\recos --verbose
+#
+# Usage examples for analysis of checklist files:
+# Analyze a single checklist file:
+# python3 ./scripts/cl.py analyze-v2 --input-folder ./v2/recos --checklist-file ./v2/checklists/alz.yaml --verbose
+# python3 ./scripts/cl.py analyze-v2 --input-folder ./v2/recos --checklist-file ./v2/checklists/alz.yaml --show-areas --verbose
+# python3 ./scripts/cl.py list-recos --input-folder ./v2/recos --checklist-file ./v2/checklists/alz.yaml --verbose
+#
+# Export v2 checklist to v1 JSON format:
+# python3 ./scripts/cl.py export-checklist --input-folder ./v2/recos --service-dictionary ./scripts/service_dictionary.json --checklist-file ./v2/checklists/alz.yaml --output-file ./v2/checklists/alz.json
+# python3 ./scripts/cl.py export-checklist --input-folder ./v2/recos --service-dictionary ./scripts/service_dictionary.json --checklist-file ./v2/checklists/app_delivery.yaml --output-file ./v2/checklists/app_delivery.json
+#
+# Appendix: importing latest rules from APRL and WAF service guides (maybe useful before using v1-to-v2):
+# python3 ./.github/actions/get_aprl/entrypoint.py './checklists-ext/aprl_checklist.en.json' 'true'
+# python3 ./.github/actions/get_service_guides/entrypoint.py 'Azure Kubernetes Service, Azure Firewall, Azure ExpressRoute, Azure Application Gateway, Azure Front Door, App Service Web Apps, Azure Blob Storage, Azure Cosmos DB, Azure Files, Azure Machine Learning, Azure OpenAI, Virtual Machines' './checklists-ext' 'true'
+# Last updated: July 2024
+#
+#################################################################################
+
+import json
+import yaml
+import argparse
+import sys
+import glob
+import os
+import jsonschema
+from modules import cl_analyze_v1
+from modules import cl_v1tov2
+from modules import cl_analyze_v2
+from modules import cl_arg
+from modules import cl_v2tov1
+
+# Get input arguments
+parser = argparse.ArgumentParser(description='Checklists CLI', prog='checklists')
+subparsers = parser.add_subparsers(dest='command', help='Command help')
+# Define common shared arguments
+base_subparser = argparse.ArgumentParser(add_help=False)
+base_subparser.add_argument('--verbose', dest='verbose', action='store_true',
+ default=False,
+ help='run in verbose mode (default: False)')
+# Create the 'analyze-v1' command
+analyze_parser = subparsers.add_parser('analyze-v1', help='Analyze a v1 checklist', parents=[base_subparser])
+analyze_parser.add_argument('--input-file', dest='analyze_input_file', metavar= 'INPUT_FILE', action='store',
+ help='name of the JSON file with the checklist to be analyzed')
+analyze_parser.add_argument('--compare-file', dest='analyze_compare_file', metavar='COMPARE_FILE', action='store',
+ help='you can optionally supply the name of the JSON file with a second checklist to be compared against the first one')
+analyze_parser.add_argument('--input-folder', dest='analyze_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='if no input file has been specified, input folder where the checklists to verify are stored')
+# Create the 'analyze-v2' command
+analyzev2_parser = subparsers.add_parser('analyze-v2', help='Analyze a folder structure containing v2 recos', parents=[base_subparser])
+analyzev2_parser.add_argument('--input-folder', dest='analyzev2_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='folder where the recommendations to verify are stored')
+analyzev2_parser.add_argument('--format', dest='analyzev2_format', metavar='FORMAT', action='store',
+ default='yaml',
+ help='format of the v2 checklist items (default: yaml)')
+analyzev2_parser.add_argument('--show-labels', dest='analyzev2_show_labels', action='store_true',
+ default=False,
+ help='show all labels and its number of items (default: False)')
+analyzev2_parser.add_argument('--show-services', dest='analyzev2_show_services', action='store_true',
+ default=False,
+ help='show all services and its number of items (default: False)')
+analyzev2_parser.add_argument('--show-waf', dest='analyzev2_show_waf', action='store_true',
+ default=False,
+ help='show all services and its number of items (default: False)')
+analyzev2_parser.add_argument('--show-sources', dest='analyzev2_show_sources', action='store_true',
+ default=False,
+ help='show all source types and its number of items (default: False)')
+analyzev2_parser.add_argument('--show-severities', dest='analyzev2_show_severities', action='store_true',
+ default=False,
+ help='show all severities and its number of items (default: False)')
+analyzev2_parser.add_argument('--show-resource-types', dest='analyzev2_show_resourceTypes', action='store_true',
+ default=False,
+ help='show all resource types and its number of items (default: False)')
+analyzev2_parser.add_argument('--show-areas', dest='analyzev2_show_areas', action='store_true',
+ default=False,
+ help='show areas and subareas and its number of items (default: False)')
+analyzev2_parser.add_argument('--label-selector', dest='analyzev2_labels', metavar='LABELS', action='store',
+ help='label selector for the items to analyze, for example {"mykey1": "myvalue1", "mykey2": "myvalue2"}')
+analyzev2_parser.add_argument('--service-selector', dest='analyzev2_services', metavar='SERVICES', action='store',
+ help='comma-separated services for the items to analyze, for example "AKS,firewall"')
+analyzev2_parser.add_argument('--waf-selector', dest='analyzev2_waf_pillars', metavar='WAF_PILLARS', action='store',
+ help='comma-separated WAF pillars for the items to analyze, for example "cost,reliability"')
+analyzev2_parser.add_argument('--source-selector', dest='analyzev2_sources', metavar='SOURCE', action='store',
+ help='comma-separated source types for the items to analyze, for example "aprl,internal,wafsg"')
+analyzev2_parser.add_argument('--checklist-file', dest='analyzev2_checklist_file', metavar='CHECKLIST_FILE', action='store',
+ help='YAML file with a checklist definition that can include label-selectors, service-selectors and WAF-selectors as well as other metadata')
+analyzev2_parser.add_argument('--delete-assistant', dest='analyzev2_delete_assistant', action='store_true',
+ default=False,
+ help='run delete assistant to delete duplicate recos (default: False)')
+# Create the 'list-recos' command
+getrecos_parser = subparsers.add_parser('list-recos', help='List recommendations from a folder structure containing v2 recos', parents=[base_subparser])
+getrecos_parser.add_argument('--input-folder', dest='getrecos_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='folder where the recommendations to verify are stored')
+getrecos_parser.add_argument('--format', dest='getrecos_format', metavar='FORMAT', action='store',
+ default='yaml',
+ help='format of the v2 checklist items (default: yaml)')
+getrecos_parser.add_argument('--label-selector', dest='getrecos_labels', metavar='LABELS', action='store',
+ help='label selector for the items to retrieve, for example {"mykey1": "myvalue1", "mykey2": "myvalue2"}')
+getrecos_parser.add_argument('--service-selector', dest='getrecos_services', metavar='SERVICES', action='store',
+ help='comma-separated services for the items to retrieve, for example "AKS,firewall"')
+getrecos_parser.add_argument('--waf-selector', dest='getrecos_waf_pillars', metavar='WAF_PILLARS', action='store',
+ help='comma-separated WAF pillars for the items to retrieve, for example "cost,reliability"')
+getrecos_parser.add_argument('--source-selector', dest='getrecos_sources', metavar='SOURCE', action='store',
+ help='comma-separated source types for the items to retrieve, for example "aprl,internal,wafsg"')
+getrecos_parser.add_argument('--show-labels', dest='getrecos_show_labels', action='store_true',
+ default=False, help='show labels (default: False)')
+getrecos_parser.add_argument('--show-arg', dest='getrecos_show_arg', action='store_true',
+ default=False, help='show Azure Resource Graph queries (default: False)')
+getrecos_parser.add_argument('--with-arg', dest='getrecos_arg', action='store_true',
+ default=False, help='only return queries with ARG queries (default: False)')
+getrecos_parser.add_argument('--checklist-file', dest='getrecos_checklist_file', metavar='CHECKLIST_FILE', action='store',
+ help='YAML file with a checklist definition that can include label-selectors, service-selectors and WAF-selectors as well as other metadata')
+getrecos_parser.add_argument('--only-filenames', dest='getrecos_only_filenames', action='store_true',
+ default=False, help='only show the reco filenames (default: False)')
+# Create the 'update-recos' command
+updaterecos_parser = subparsers.add_parser('update-recos', help='Update recommendations from a folder structure containing v2 recos', parents=[base_subparser])
+updaterecos_parser.add_argument('--input-folder', dest='updaterecos_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='folder where the recommendations to update are stored')
+updaterecos_parser.add_argument('--service-dictionary', dest='updaterecos_service_dictionary', metavar='SERVICE_DICTIONARY', action='store',
+ help='JSON file with dictionary to map services to standard names and to ARM services')
+updaterecos_parser.add_argument('--format', dest='updaterecos_format', metavar='FORMAT', action='store',
+ default='yaml',
+ help='format of the v2 checklist items (default: yaml)')
+updaterecos_parser.add_argument('--reviewed', dest='updaterecos_reviewed', action='store_true',
+ default=False, help='Set the reviewed field to the current date (default: False)')
+updaterecos_parser.add_argument('--default-severity', dest='updaterecos_default_severity', metavar='DEFAULT_SEVERITY', action='store',
+ default='yaml', type=int,
+ help='Set any missing severity to the default value (default: None)')
+# Create the 'validate-recos' command
+validaterecos_parser = subparsers.add_parser('validate-recos', help='Validate recommendations to the reco schema', parents=[base_subparser])
+validaterecos_parser.add_argument('--input-folder', dest='validaterecos_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='folder where the recommendations to update are stored')
+validaterecos_parser.add_argument('--schema', dest='validaterecos_schema_file', metavar='SCHEMA_FILE', action='store',
+ help='file with validation schema')
+validaterecos_parser.add_argument('--max-items', dest='validaterecos_max_items', metavar='MAX_ITEMS', action='store',
+ default=0, type=int,
+ help='Maximum number of items to validate, default is 0 (all items)')
+validaterecos_parser.add_argument('--max-findings', dest='validaterecos_max_findings', metavar='MAX_FINDINGS', action='store',
+ default=0, type=int,
+ help='Maximum number of non-compliances to find, default is 0 (all non-compliances)')
+# Create the 'validate-checklists' command
+validatechecklists_parser = subparsers.add_parser('validate-checklists', help='Validate checklists to the reco schema', parents=[base_subparser])
+validatechecklists_parser.add_argument('--input-folder', dest='validatechecklists_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='folder where the recommendations to update are stored')
+validatechecklists_parser.add_argument('--schema', dest='validatechecklists_schema_file', metavar='SCHEMA_FILE', action='store',
+ help='file with validation schema')
+validatechecklists_parser.add_argument('--max-items', dest='validatechecklists_max_items', metavar='MAX_ITEMS', action='store',
+ default=0, type=int,
+ help='Maximum number of items to validate, default is 0 (all items)')
+validatechecklists_parser.add_argument('--max-findings', dest='validatechecklists_max_findings', metavar='MAX_FINDINGS', action='store',
+ default=0, type=int,
+ help='Maximum number of non-compliances to find, default is 0 (all non-compliances)')
+# Create the 'show-reco' command
+showreco_parser = subparsers.add_parser('show-reco', help='Show a specific recommendation', parents=[base_subparser])
+showreco_parser.add_argument('--input-folder', dest='showreco_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='input folder where the recommendations to show are stored')
+showreco_parser.add_argument('--guid', dest='showreco_guid', metavar='GUID', action='store',
+ help='GUID of the recommendation to show')
+showreco_parser.add_argument('--name', dest='showreco_name', metavar='NAME', action='store',
+ help='Name of the recommendation to show')
+# Create the 'rename-reco' command
+showreco_parser = subparsers.add_parser('rename-reco', help='Show a specific recommendation', parents=[base_subparser])
+showreco_parser.add_argument('--input-folder', dest='renamereco_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='input folder where the recommendations to rename are stored')
+showreco_parser.add_argument('--guid', dest='renamereco_guid', metavar='GUID', action='store',
+ help='GUID of the recommendation to rename')
+showreco_parser.add_argument('--new-name', dest='renamereco_newname', metavar='NEW_NAME', action='store',
+ help='new name for the recommendation. If not specified, you need to specify text analytics endpoint and key')
+showreco_parser.add_argument('--text-analytics-endpoint', dest='renamereco_endpoint', metavar='ENDPOINT', action='store',
+ help='Text analytics endpoint to use for renaming')
+showreco_parser.add_argument('--text-analytics-key', dest='renamereco_key', metavar='KEY', action='store',
+ help='Text analytics key to use for renaming')
+# Create the 'open-reco' command
+openreco_parser = subparsers.add_parser('open-reco', help='Open with a text editor a specific recommendation', parents=[base_subparser])
+openreco_parser.add_argument('--input-folder', dest='openreco_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='input folder where the recommendations to verify are stored')
+openreco_parser.add_argument('--guid', dest='openreco_guid', metavar='GUID', action='store',
+ help='GUID of the recommendation to open')
+openreco_parser.add_argument('--name', dest='openreco_name', metavar='NAME', action='store',
+ help='NAME of the recommendation to open')
+openreco_parser.add_argument('--text-editor', dest='openreco_editor', metavar='GUID', action='store',
+ help='Text editor to use, for example "code" or "notepad"')
+# Create the 'v1tov2' command
+v12_parser = subparsers.add_parser('v1tov2', help='Convert v1 to v2', parents=[base_subparser])
+v12_parser.add_argument('--input-file', dest='v12_input_file', metavar='INPUT_FILE', action='store',
+ help='name of the JSON file with the v1 checklist to be converted to v2'),
+v12_parser.add_argument('--service-dictionary', dest='v12_service_dictionary', metavar='SERVICE_DICTIONARY', action='store',
+ help='JSON file with dictionary to map services to standard names and to ARM services')
+v12_parser.add_argument('--output-folder', dest='v12_output_folder', metavar='OUTPUT_FOLDER', action='store',
+ help='output folder where the v2 checklist items will be stored')
+v12_parser.add_argument('--output-format', dest='v12_output_format', metavar='OUTPUT_FORMAT', action='store',
+ default='yaml',
+ help='output format of the v12 checklist items (default: yaml)')
+v12_parser.add_argument('--source-type', dest='v12_source_type', metavar='SOURCE_TYPE', action='store',
+ default=None,
+ help='Override source type with a specific value (default: None, possible options: revcl, wafsg, aprl)')
+v12_parser.add_argument('--labels', dest='v12_labels', metavar='LABELS', action='store',
+ help='additional labels to add to the items, for example {"mykey1": "myvalue1", "mykey2": "myvalue2"}')
+v12_parser.add_argument('--id-label', dest='v12_id_label', metavar='ID_LABEL', action='store',
+ help='label to use for the checklist ID, for example "alzId".')
+v12_parser.add_argument('--category-label', dest='v12_cat_label', metavar='CATEGORY_LABEL', action='store',
+ help='label to use for the checklist categories, for example "alzArea".')
+v12_parser.add_argument('--subcategory-label', dest='v12_subcat_label', metavar='SUBCATEGORY_LABEL', action='store',
+ help='label to use for the checklist subcategories, for example "alzSubarea".')
+v12_parser.add_argument('--text-analytics-endpoint', dest='v12_text_endpoint', metavar='TEXT_ANALYTICS_ENDPOINT', action='store',
+ help='Text analytics endpoint to use for deriving missing reco names')
+v12_parser.add_argument('--text-analytics-key', dest='v12_text_key', metavar='TEXT_ANALYTICS_KEY', action='store',
+ help='Text analytics key to use for deriving missing reco names')
+v12_parser.add_argument('--overwrite', dest='v12_overwrite', action='store_true',
+ default=False,
+ help='overwrite existing reco files with the same GUID (default: False)')
+v12_parser.add_argument('--max-items', dest='v12_max_items', metavar='SCHEMA_FILE', action='store',
+ default=0, type=int,
+ help='Maximum number of v1 recos to convert to v2, default is 0 (all items)')
+# Create the 'run-arg' command
+runarg_parser = subparsers.add_parser('run-arg', help='Run Azure Resource Graph queries stored in v2 recommendations', parents=[base_subparser])
+runarg_parser.add_argument('--input-folder', dest='runarg_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='input folder where the checks to run are stored')
+runarg_parser.add_argument('--format', dest='runarg_format', metavar='FORMAT', action='store',
+ default='yaml',
+ help='format of the v2 checklist items (default: yaml)')
+runarg_parser.add_argument('--label-selector', dest='runarg_labels', metavar='LABELS', action='store',
+ help='label selector for the items to run the queries from, for example {"mykey1": "myvalue1", "mykey2": "myvalue2"}')
+runarg_parser.add_argument('--service-selector', dest='runarg_services', metavar='SERVICES', action='store',
+ help='comma-separated services for the items to run the queries from, for example "AKS,firewall"')
+runarg_parser.add_argument('--waf-selector', dest='runarg_waf_pillars', metavar='WAF_PILLARS', action='store',
+ help='comma-separated WAF pillars for the items to run the queries from, for example "cost,reliability"')
+runarg_parser.add_argument('--guid', dest='runarg_guid', metavar='GUID', action='store',
+ help='GUID of the recommendation to run the queries from')
+runarg_parser.add_argument('--subscription-id', dest='runarg_subscription_id', metavar='SUBSCRIPTION_ID', action='store',
+ help='Azure subscription ID where to run the queries')
+# Create the 'export-checklist' command
+export_parser = subparsers.add_parser('export-checklist', help='Exports a v2 checklist file (YAML) to a v1 format (JSON)', parents=[base_subparser])
+export_parser.add_argument('--checklist-file', dest='export_checklist_file', metavar='CHECKLIST_FILE', action='store',
+ help='YAML file with a checklist definition that can include label-selectors, service-selectors and WAF-selectors as well as other metadata')
+export_parser.add_argument('--input-folder', dest='export_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='input folder where the recommendations are stored')
+export_parser.add_argument('--output-file', dest='export_output_file', metavar='OUTPUT_FILE', action='store',
+ help='output file where the v1 checklist will be stored')
+export_parser.add_argument('--service-dictionary', dest='export_service_dictionary', metavar='SERVICE_DICTIONARY', action='store',
+ help='JSON file with dictionary to map services to standard names and to ARM services')
+# Create the 'checklist-v1tov2' command
+checklist_v12_parser = subparsers.add_parser('checklist-to-v2', help='Exports a v1 checklist file (JSON) to a checklist v2 format (YAML) including the required areas and selectors', parents=[base_subparser])
+checklist_v12_parser.add_argument('--checklist-file', dest='checklist_v12_checklist_file', metavar='CHECKLIST_FILE', action='store',
+ help='JSON file with a v1 checklist definition')
+checklist_v12_parser.add_argument('--output-file', dest='checklist_v12_output_file', metavar='OUTPUT_FILE', action='store',
+ help='output file where the v2 checklist will be stored')
+checklist_v12_parser.add_argument('--use-names', dest='checklist_v12_use_names', action='store_true',
+ default=True,
+ help='use names instead of GUIDs (default: True)')
+checklist_v12_parser.add_argument('--input-folder', dest='checklist_v12_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='input folder where the recommendations are stored. This parameter is required if using names instead of GUIDs.')
+# Create the 'disambiguate-names' command
+disambiguate_names_parser = subparsers.add_parser('disambiguate-names', help='Exports a v1 checklist file (JSON) to a checklist v2 format (YAML) including the required areas and selectors', parents=[base_subparser])
+disambiguate_names_parser.add_argument('--input-folder', dest='disambiguate_names_input_folder', metavar='INPUT_FOLDER', action='store',
+ help='input folder where the recommendations are stored.')
+
+# Parse the command-line arguments
+args = parser.parse_args()
+
+# Handle the parsed arguments based on the command and sub-command
+if args.command == 'analyze-v1':
+ guids = []
+ # We need an input file or an input folder
+ if args.analyze_input_file:
+ file_stats, guids = cl_analyze_v1.verify_file(args.analyze_input_file, guids=[], verbose=args.verbose)
+ if args.analyze_compare_file:
+ compare_stats, guids = cl_analyze_v1.verify_file(args.analyze_compare_file, guids=[], verbose=args.verbose)
+ # Print the differences between the two checklists stats in a table format
+ print("INFO: Comparing the two checklists...")
+ print("INFO: {0: <40} {1: <40} {2: <40}".format("Item", os.path.basename(args.analyze_input_file), os.path.basename(args.analyze_compare_file)))
+ print("INFO: {0: <40} {1: <40} {2: <40}".format("----", "-" * len(os.path.basename(args.analyze_input_file)), "-" * len(os.path.basename(args.analyze_compare_file))))
+ print("INFO: {0: <40} {1: <40} {2: <40}".format("Total items", file_stats['item_count'], compare_stats['item_count']))
+ for key in file_stats['inconsistencies']:
+ print("INFO: {0: <40} {1: <40} {2: <40}".format(key, file_stats['inconsistencies'][key], compare_stats['inconsistencies'][key]))
+ # Otherwise, there should be an input folder
+ elif args.analyze_input_folder:
+ language = "en" # This could be changed to a parameter
+ if args.verbose:
+ print("DEBUG: looking for JSON files in folder", args.analyze_input_folder, "with pattern *.", language + ".json...")
+ checklist_files = glob.glob(args.analyze_input_folder + "/*." + language + ".json")
+ if len(checklist_files) > 0:
+ if args.verbose:
+ print("DEBUG: found", len(checklist_files), "JSON files, analyzing correctness...")
+ for file in checklist_files:
+ if file:
+ file_stats, guids = cl_analyze_v1.verify_file(file, guids=[], verbose=args.verbose)
+ else:
+ print("ERROR: no input file found, not doing anything")
+ # If no input file or folder has been specified, show an error message
+ else:
+ print("ERROR: you need to use the parameters `--input-file` or `--input-folder` to specify the file or folder to analyze")
+elif args.command == 'v1tov2':
+ # We need an input file and an output folder
+ if args.v12_input_file and args.v12_output_folder:
+ # Load service dictionary if provided
+ if args.v12_service_dictionary:
+ try:
+ if args.verbose: print("DEBUG: Loading service dictionary from", args.v12_service_dictionary)
+ with open(args.v12_service_dictionary) as f:
+ service_dictionary = json.load(f)
+ if args.verbose: print("DEBUG: service dictionary loaded successfully with {0} elements".format(len(service_dictionary)))
+ except Exception as e:
+ service_dictionary = None
+ print("ERROR: Error when loading service dictionary from", args.v12_service_dictionary, "-", str(e))
+ else:
+ service_dictionary = None
+ # Convert labels argument to object if specified
+ if args.v12_labels:
+ try:
+ labels = json.loads(args.v12_labels)
+ if isinstance(labels, dict):
+ if args.verbose: print("DEBUG: Loaded {0} labels".format(len(labels)))
+ else:
+ print("ERROR: Labels should be a dictionary, not a", type(labels))
+ labels = None
+ except Exception as e:
+ print("ERROR: Error when loading labels from", args.v12_labels, "-", str(e))
+ labels = None
+ else:
+ labels = None
+ # Create an array with the existing recos in the output folder
+ existing_v2recos = cl_analyze_v2.load_v2_files(args.v12_output_folder, import_filepaths=True, verbose=False)
+ if args.verbose: print("DEBUG: Found {0} existing v2 objects in folder {1}".format(len(existing_v2recos), args.v12_output_folder))
+ # Generate v2 objects and store them in the output folder
+ new_v2recos = cl_v1tov2.generate_v2(args.v12_input_file, service_dictionary=service_dictionary,
+ text_analytics_endpoint=args.v12_text_endpoint, text_analytics_key=args.v12_text_key,
+ labels=labels, id_label=args.v12_id_label, cat_label=args.v12_cat_label, subcat_label=args.v12_subcat_label,
+ source_type=args.v12_source_type,
+ existing_v2recos=existing_v2recos, max_items=args.v12_max_items,
+ verbose=args.verbose)
+ if new_v2recos:
+ if args.verbose: print("DEBUG: Storing {0} v2 objects in folder {1}...".format(len(new_v2recos), args.v12_output_folder))
+ cl_v1tov2.store_v2(args.v12_output_folder, new_v2recos, existing_v2recos=existing_v2recos, output_format=args.v12_output_format, overwrite=args.v12_overwrite, verbose=args.verbose)
+ else:
+ print("ERROR: No v2 objects generated, not storing anything.")
+ else:
+ print("ERROR: you need to use the parameters `--input-file` and `--output-folder` to specify the file to convert and the output folder")
+elif args.command == 'analyze-v2':
+ # We need an input folder
+ if args.analyzev2_input_folder:
+ # If a checklist file is specified, load the selectors from it
+ if args.analyzev2_checklist_file:
+ if (not (args.analyzev2_labels or args.analyzev2_services or args.analyzev2_waf_pillars)):
+ v2_stats = cl_analyze_v2.v2_stats_from_checklist(args.analyzev2_checklist_file, args.analyzev2_input_folder, format=args.analyzev2_format, verbose=args.verbose)
+ else:
+ print("ERROR: You should either specify a checklist file or individual selectors, but not both.")
+ sys.exit(1)
+ else:
+ # Convert label selectors argument to an object if specified
+ if args.analyzev2_labels:
+ try:
+ labels = json.loads(args.analyzev2_labels)
+ except Exception as e:
+ print("ERROR: Error when loading labels from", args.analyzev2_labels, "-", str(e))
+ labels = None
+ else:
+ labels = None
+ if args.analyzev2_services:
+ services = args.analyzev2_services.lower().split(",")
+ else:
+ services = None
+ if args.analyzev2_waf_pillars:
+ waf_pillars = args.analyzev2_waf_pillars.lower().split(",")
+ else:
+ waf_pillars = None
+ if args.analyzev2_sources:
+ sources = args.analyzev2_sources.lower().split(",")
+ else:
+ sources = None
+ # Retrieve stats (with verbosity disabled)
+ v2_stats = cl_analyze_v2.v2_stats_from_folder(args.analyzev2_input_folder, format=args.analyzev2_format,
+ labels=labels, services=services, waf_pillars=waf_pillars, sources=sources,
+ verbose=False)
+ if v2_stats:
+ # Print stats
+ print("INFO: Total items found =", v2_stats['total_items'])
+ print("INFO: Duplicate GUIDs =", str(v2_stats['duplicate_guids']))
+ print("INFO: Duplicate Names =", str(v2_stats['duplicate_names']))
+ print("INFO: Recos with ARG queries =", str(v2_stats['arg']))
+ if args.analyzev2_show_severities:
+ print("INFO: Items per severity:")
+ for key in v2_stats['severity']:
+ print("INFO: - {0} = {1}".format(key, v2_stats['severity'][key]))
+ if args.analyzev2_show_labels:
+ print("INFO: Items per label:")
+ for key in v2_stats['labels']:
+ print("INFO: - {0} = {1}".format(key, v2_stats['labels'][key]))
+ if args.analyzev2_show_services:
+ print("INFO: Items per service:")
+ for key in v2_stats['services']:
+ print("INFO: - {0} = {1}".format(key, v2_stats['services'][key]))
+ if args.analyzev2_show_waf:
+ print("INFO: Items per WAF pillar:")
+ for key in v2_stats['waf']:
+ print("INFO: - {0} = {1}".format(key, v2_stats['waf'][key]))
+ if args.analyzev2_show_sources:
+ print("INFO: Items per source:")
+ for key in v2_stats['sources']:
+ print("INFO: - {0} = {1}".format(key, v2_stats['sources'][key]))
+ if args.analyzev2_show_resourceTypes:
+ print("INFO: Items per resource type:")
+ for key in v2_stats['resourceTypes']:
+ print("INFO: - {0} = {1}".format(key, v2_stats['resourceTypes'][key]))
+ if args.analyzev2_show_areas:
+ print("INFO: Items per area | subarea:")
+ for key in v2_stats['areas']:
+ print("INFO: - {0} = {1}".format(key, v2_stats['areas'][key]))
+ else:
+ print("ERROR: No v2 objects found.")
+ if args.analyzev2_delete_assistant:
+ print('WARNING: WIP!!')
+ if args.verbose: print("DEBUG: Running delete assistant and loading up recos...")
+ v2_recos = cl_analyze_v2.load_v2_files(args.analyzev2_input_folder, import_filepaths=True, verbose=False)
+ for reco_name in v2_stats['duplicate_names']:
+ recos = [x for x in v2_recos if x['name'].lower() == reco_name.lower()]
+ if len(recos) > 1:
+ print("INFO: Found", len(recos), "duplicates for reco {0}:".format(reco_name))
+ for reco in recos:
+ print(json.dumps(reco, indent=2))
+ print("QUESTION: which reco do you want to delete? (0-{0}/none) ".format(len(recos)-1), end='')
+ answer = input()
+ if answer.isnumeric():
+ reco_to_delete = recos[int(answer)]
+ print("INFO: Deleting reco {0} in file {1}...".format(reco_to_delete['name'], reco_to_delete['filepath']))
+ try:
+ os.remove(reco_to_delete['filepath'])
+ except Exception as e:
+ print("ERROR: Error deleting file", reco_to_delete['filepath'], "-", str(e))
+ else:
+ print("ERROR: you need to use the parameter `--input-folder` to specify the folder to analyze")
+elif args.command == 'list-recos':
+ # We need an input folder
+ if args.getrecos_input_folder:
+ if args.getrecos_checklist_file:
+ # Get recos from the checklist file
+ v2recos = cl_analyze_v2.get_recos_from_checklist( args.getrecos_checklist_file, args.getrecos_input_folder, verbose=args.verbose, import_filepaths=True)
+ else:
+ # Convert label selectors argument to an object if specified
+ if args.getrecos_labels:
+ try:
+ labels = json.loads(args.getrecos_labels)
+ except Exception as e:
+ print("ERROR: Error when loading labels from", args.getrecos_labels, "-", str(e))
+ labels = None
+ else:
+ labels = None
+ if args.getrecos_services:
+ services = args.getrecos_services.lower().split(",")
+ else:
+ services = None
+ if args.getrecos_waf_pillars:
+ waf_pillars = args.getrecos_waf_pillars.lower().split(",")
+ else:
+ waf_pillars = None
+ if args.getrecos_sources:
+ sources = args.getrecos_sources.lower().split(",")
+ else:
+ sources = None
+ # Retrieve recos
+ v2recos = cl_analyze_v2.get_recos(args.getrecos_input_folder,
+ labels=labels, services=services, waf_pillars=waf_pillars, sources=sources, format=args.getrecos_format,
+ arg=args.getrecos_arg, verbose=args.verbose)
+ # Print recos
+ if v2recos:
+ if args.getrecos_only_filenames:
+ for reco in v2recos:
+ print(reco['filepath'])
+ else:
+ cl_analyze_v2.print_recos(v2recos, show_labels=args.getrecos_show_labels, show_arg=args.getrecos_show_arg)
+ else:
+ print("ERROR: No v2 objects found satisfying the criteria.")
+ else:
+ print("ERROR: you need to use the parameter `--input-folder` to specify the folder to analyze")
+elif args.command == 'update-recos':
+ # We need an input folder
+ if args.updaterecos_input_folder:
+ # Retrieve recos
+ if args.verbose: print("DEBUG: Retrieving recos from", args.updaterecos_input_folder)
+ v2recos = cl_analyze_v2.get_recos(args.updaterecos_input_folder, format=args.updaterecos_format, import_filepaths=True, verbose=False)
+ if v2recos and len(v2recos) > 0:
+ updated_v2recos = []
+ if args.updaterecos_reviewed:
+ answer = input("\nDo you want to refresh the reviewed field in {0} recommendations? (Y/n) ".format(len(v2recos)))
+ if (answer == "") or (answer.lower() == "y"):
+ updated_v2recos = cl_analyze_v2.refresh_reviewed(v2recos, verbose=args.verbose)
+ if args.updaterecos_default_severity:
+ for reco in v2recos:
+ if 'severity' not in reco:
+ if args.verbose: print("DEBUG: Setting default severity to {0} for reco {1}".format(args.updaterecos_default_severity, reco['name']))
+ reco['severity'] = args.updaterecos_default_severity
+ updated_v2recos.append(reco)
+ if updated_v2recos and len(updated_v2recos) > 0:
+ if args.verbose: print("DEBUG: Storing {0} updated v2 objects in folder {1}...".format(len(updated_v2recos), args.updaterecos_input_folder))
+ cl_v1tov2.store_v2(args.updaterecos_input_folder, updated_v2recos, existing_v2recos=v2recos, overwrite=True, output_format=args.updaterecos_format, verbose=args.verbose)
+ else:
+ print("INFO: No v2 objects updated.")
+ else:
+ print("ERROR: No v2 objects found.")
+ else:
+ print("ERROR: you need to use the parameter `--input-folder` to specify the folder to analyze")
+elif args.command == 'validate-recos':
+ # We need an input folder and a schema file
+ if args.validaterecos_input_folder and args.validaterecos_schema_file:
+ # Retrieve recos and schema
+ if args.verbose: print("DEBUG: Loading schema from", args.validaterecos_schema_file)
+ with open(args.validaterecos_schema_file, 'r') as stream:
+ try:
+ reco_schema = json.load(stream)
+ except:
+ print("ERROR: Error loading JSON schema from", args.validaterecos_schema_file)
+ sys.exit(1)
+ # To Do: validate that the schema is valid
+ if reco_schema:
+ if args.verbose: print("DEBUG: Retrieving recos from", args.validaterecos_input_folder)
+ v2recos = cl_analyze_v2.get_recos(args.validaterecos_input_folder, verbose=False)
+ if args.verbose: print("DEBUG: Starting validation with schema {0}...".format(args.validaterecos_schema_file))
+ reco_counter = 0
+ finding_counter = 0
+ for reco in v2recos:
+ reco_counter +=1
+ if (args.validaterecos_max_items == 0) or (reco_counter <= args.validaterecos_max_items):
+ try:
+ jsonschema.validate(reco, reco_schema)
+ if args.verbose: print("INFO: Reco", reco['name'], "validates correctly against the schema.")
+ except jsonschema.exceptions.ValidationError as e:
+ print("ERROR: Reco", reco['name'], "does not validate against the schema.")
+ if args.verbose: print("DEBUG: -", str(e))
+ finding_counter += 1
+ if (args.validaterecos_max_findings > 0) and (finding_counter >= args.validaterecos_max_findings):
+ print("INFO: Maximum number of non-compliances reached, stopping validation.")
+ break
+ except jsonschema.exceptions.SchemaError as e:
+ print("ERROR: Schema", args.validaterecos_schema_file, "does not seem to be valid.")
+ if args.verbose: print("DEBUG: -", str(e))
+ sys.exit(1)
+ except Exception as e:
+ print("ERROR: Unknown error validating reco", reco['name'], "against the schema", args.validaterecos_schema_file, "-", str(e))
+ print("INFO: {0} recos validated, {1} non-compliances found.".format(reco_counter, finding_counter))
+ else:
+ print("ERROR: Schema could not be loaded.")
+ else:
+ print("ERROR: you need to use the parameters `--input-folder` and `--schema` to specify the recos folder and their schema")
+elif args.command == 'validate-checklists':
+ # We need an input folder and a schema file
+ if args.validatechecklists_input_folder and args.validatechecklists_schema_file:
+ # Retrieve checklists schema
+ if args.verbose: print("DEBUG: Loading schema from", args.validatechecklists_schema_file)
+ with open(args.validatechecklists_schema_file, 'r') as stream:
+ try:
+ cl_schema = json.load(stream)
+ except:
+ print("ERROR: Error loading JSON schema from", args.validatechecklists_schema_file)
+ sys.exit(1)
+ # Load checklists (every yaml in the folder)
+ if cl_schema:
+ if args.verbose: print("DEBUG: Retrieving checklists from", args.validatechecklists_input_folder)
+ v2cls = cl_analyze_v2.get_checklists(args.validatechecklists_input_folder, verbose=False)
+ if args.verbose: print("DEBUG: Starting validation with schema {0}...".format(args.validatechecklists_schema_file))
+ cl_counter = 0
+ finding_counter = 0
+ for cl in v2cls:
+ cl_counter +=1
+ if (args.validatechecklists_max_items == 0) or (cl_counter <= args.validatechecklists_max_items):
+ try:
+ jsonschema.validate(cl, cl_schema)
+ if args.verbose: print("INFO: Checklist {0} validates correctly against the schema.".format(cl['name']))
+ except jsonschema.exceptions.ValidationError as e:
+ print("ERROR: Checklist '{0}' does not validate against the schema.".format(cl['name']))
+ if args.verbose: print("DEBUG: -", str(e))
+ finding_counter += 1
+ if (args.validatechecklists_max_findings > 0) and (finding_counter >= args.validatechecklists_max_findings):
+ print("INFO: Maximum number of non-compliances reached, stopping validation.")
+ break
+ except jsonschema.exceptions.SchemaError as e:
+ print("ERROR: Schema", args.validatechecklists_schema_file, "does not seem to be valid.")
+ if args.verbose: print("DEBUG: -", str(e))
+ sys.exit(1)
+ except Exception as e:
+ print("ERROR: Unknown error validating checklist '{0}' against the schema {1}: {2}".format(cl['name'], args.validatechecklists_schema_file,str(e)))
+ print("INFO: {0} recos validated, {1} non-compliances found.".format(cl_counter, finding_counter))
+ else:
+ print("ERROR: Schema could not be loaded.")
+ else:
+ print("ERROR: you need to use the parameters `--input-folder` and `--schema` to specify the recos folder and their schema")
+elif args.command == 'show-reco':
+ # We need an input folder and a GUID or a name
+ if args.showreco_input_folder and args.showreco_guid:
+ recos = cl_analyze_v2.get_reco_from_guid(args.showreco_input_folder, args.showreco_guid, verbose=args.verbose)
+ elif args.showreco_input_folder and args.showreco_name:
+ recos = cl_analyze_v2.get_reco_from_name(args.showreco_input_folder, args.showreco_name, verbose=args.verbose)
+ else:
+ print("ERROR: you need to use the parameters `--input-folder` and `--guid` or `--name` to specify the folder and GUID/name to retrieve")
+ if recos:
+ if len(recos) > 1:
+ print("WARNING: {0} recos found".format(len(recos)))
+ for reco in recos:
+ cl_analyze_v2.print_reco(reco)
+ print("---")
+ else:
+ print("ERROR: No reco found with GUID", args.showreco_guid)
+elif args.command == 'rename-reco':
+ # We need an input folder and a GUID
+ if args.renamereco_input_folder and args.renamereco_guid:
+ recos = cl_analyze_v2.get_reco(args.renamereco_input_folder, args.renamereco_guid, verbose=args.verbose)
+ if recos:
+ if len(recos) > 1:
+ print("ERROR: {0} recos found with GUID {1}".format(len(recos), args.showreco_guid))
+ else:
+ for reco in recos:
+ if args.renamereco_newname:
+ # WIP!!!
+ new_name = args.renamereco_newname
+ else:
+ new_name = cl_v1tov2.guess_reco_name(reco, cognitive_services_endpoint=args.renamereco_endpoint, cognitive_services_key=args.renamereco_key , verbose=args.verbose)
+ reco['name'] = new_name
+ cl_v1tov2.store_v2(args.renamereco_input_folder, [reco], output_format='yaml', verbose=args.verbose)
+ print("---")
+ else:
+ print("ERROR: No reco found with GUID", args.showreco_guid)
+ else:
+ print("ERROR: you need to use the parameters `--input-folder` and `--guid` to specify the folder and GUID to analyze")
+elif args.command == 'open-reco':
+ # We need an input folder and a GUID
+ if args.openreco_input_folder and args.openreco_guid:
+ cl_analyze_v2.load_v2_files(args.openreco_input_folder, guids=[ args.openreco_guid ], open_editor=True, text_editor=args.openreco_editor, verbose=args.verbose)
+ elif args.openreco_input_folder and args.openreco_name:
+ cl_analyze_v2.load_v2_files(args.openreco_input_folder, names=[ args.openreco_name ], open_editor=True, text_editor=args.openreco_editor, verbose=args.verbose)
+ else:
+ print("ERROR: you need to use the parameters `--input-folder` and `--guid` to specify the folder and GUID to open")
+elif args.command == 'run-arg':
+ if args.runarg_input_folder:
+ # Convert label selectors argument to an object if specified
+ if args.runarg_labels:
+ try:
+ labels = json.loads(args.runarg_labels)
+ except Exception as e:
+ print("ERROR: Error when loading labels from", args.runarg_labels, "-", str(e))
+ labels = None
+ else:
+ labels = None
+ if args.runarg_services:
+ services = args.runarg_services.lower().split(",")
+ else:
+ services = None
+ if args.runarg_waf_pillars:
+ waf_pillars = args.runarg_waf_pillars.lower().split(",")
+ else:
+ waf_pillars = None
+ v2recos = cl_analyze_v2.get_recos(args.runarg_input_folder, labels=labels, services=services, waf_pillars=waf_pillars, guid=args.runarg_guid, format=args.runarg_format, verbose=args.verbose)
+ if v2recos:
+ arg_results = cl_arg.run_arg_queries(v2recos, subscription_id=args.runarg_subscription_id, verbose=args.verbose)
+ for result in arg_results:
+ print("INFO: ARG query result for reco with GUID", result['guid'])
+ print("INFO: - {0}".format(result['argResult']))
+ else:
+ print("ERROR: No v2 objects found.")
+elif args.command == "export-checklist":
+ if args.export_checklist_file and args.export_input_folder:
+ if args.export_service_dictionary:
+ try:
+ if args.verbose: print("DEBUG: Loading service dictionary from", args.export_service_dictionary)
+ with open(args.export_service_dictionary) as f:
+ service_dictionary = json.load(f)
+ if args.verbose: print("DEBUG: service dictionary loaded successfully with {0} elements".format(len(service_dictionary)))
+ except Exception as e:
+ service_dictionary = None
+ print("ERROR: Error when loading service dictionary from", args.export_service_dictionary, "-", str(e))
+ sys.exit(1)
+ else:
+ print("WARNING: you may want to use the parameter `--service-dictionary` to extract human-readable service names from ARM resource types.")
+ service_dictionary = None
+ cl_v2tov1.generate_v1(args.export_checklist_file, args.export_input_folder, args.export_output_file, service_dictionary=service_dictionary, verbose=args.verbose)
+ else:
+ print("ERROR: you need to use the parameters `--checklist-file` and `--input-folder` to specify the checklist file and the input folder")
+elif args.command == "checklist-to-v2":
+ if args.checklist_v12_checklist_file and args.checklist_v12_output_file:
+ cl_v1tov2.checklist_v1_to_v2(args.checklist_v12_checklist_file, args.checklist_v12_output_file,
+ use_names=args.checklist_v12_use_names, v2recos_folder=args.checklist_v12_input_folder,
+ verbose=args.verbose)
+ else:
+ print("ERROR: you need to use the parameters `--checklist-file` and `--output-file` to specify the v1 checklist file and the v2 output file")
+elif args.command == 'disambiguate-names':
+ # We need an input folder
+ if args.disambiguate_names_input_folder:
+ if args.verbose: print("DEBUG: loading up recos from folder", args.disambiguate_names_input_folder)
+ v2_recos = cl_analyze_v2.get_recos(args.disambiguate_names_input_folder, verbose=False)
+ if args.verbose: print("DEBUG: getting statistics", args.disambiguate_names_input_folder)
+ v2_stats = cl_analyze_v2.v2_stats_from_object(v2_recos, verbose=args.verbose)
+ if 'duplicate_names' in v2_stats:
+ if args.verbose: print("DEBUG: Disambiguating {0} duplicate names".format(len(v2_stats['duplicate_names'])))
+ print("INFO: Found {0} duplicate names".format(len(v2_stats['duplicate_names'])))
+ for name in v2_stats['duplicate_names']:
+ matching_recos = [reco for reco in v2_recos if reco['name'] == name]
+ suffix = 1
+ if len(matching_recos) > 1:
+ if args.verbose: print("DEBUG: Found {0} recos with name {1}".format(len(matching_recos), name))
+ for reco in matching_recos:
+ reco['name'] = name + "-" + str(suffix)
+ suffix += 1
+ # Store new recos
+ cl_v1tov2.store_v2(args.disambiguate_names_input_folder, matching_recos, overwrite=True, output_format='yaml', verbose=args.verbose)
+ else:
+ print("ERROR: Found only {0} reco with name {1}".format(len(matching_recos), name))
+ else:
+ print("ERROR: You need to specify an input folder.")
+ sys.exit(1)
+else:
+ print("ERROR: unknown command, please verify the command syntax with {0} --help".format(sys.argv[0]))
diff --git a/scripts/modules/__pycache__/cl_analyze.cpython-311.pyc b/scripts/modules/__pycache__/cl_analyze.cpython-311.pyc
new file mode 100644
index 000000000..9588f077a
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze.cpython-311.pyc differ
diff --git a/scripts/modules/__pycache__/cl_analyze.cpython-312.pyc b/scripts/modules/__pycache__/cl_analyze.cpython-312.pyc
new file mode 100644
index 000000000..def3db6e6
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze.cpython-312.pyc differ
diff --git a/scripts/modules/__pycache__/cl_analyze.cpython-38.pyc b/scripts/modules/__pycache__/cl_analyze.cpython-38.pyc
new file mode 100644
index 000000000..7fea57fe8
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze.cpython-38.pyc differ
diff --git a/scripts/modules/__pycache__/cl_analyze_v1.cpython-311.pyc b/scripts/modules/__pycache__/cl_analyze_v1.cpython-311.pyc
new file mode 100644
index 000000000..737482ae2
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze_v1.cpython-311.pyc differ
diff --git a/scripts/modules/__pycache__/cl_analyze_v1.cpython-312.pyc b/scripts/modules/__pycache__/cl_analyze_v1.cpython-312.pyc
new file mode 100644
index 000000000..35066bfcc
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze_v1.cpython-312.pyc differ
diff --git a/scripts/modules/__pycache__/cl_analyze_v2.cpython-311.pyc b/scripts/modules/__pycache__/cl_analyze_v2.cpython-311.pyc
new file mode 100644
index 000000000..3db875396
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze_v2.cpython-311.pyc differ
diff --git a/scripts/modules/__pycache__/cl_analyze_v2.cpython-312.pyc b/scripts/modules/__pycache__/cl_analyze_v2.cpython-312.pyc
new file mode 100644
index 000000000..ab5ec5fb3
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze_v2.cpython-312.pyc differ
diff --git a/scripts/modules/__pycache__/cl_analyze_v2.cpython-38.pyc b/scripts/modules/__pycache__/cl_analyze_v2.cpython-38.pyc
new file mode 100644
index 000000000..702ef1f8b
Binary files /dev/null and b/scripts/modules/__pycache__/cl_analyze_v2.cpython-38.pyc differ
diff --git a/scripts/modules/__pycache__/cl_arg.cpython-311.pyc b/scripts/modules/__pycache__/cl_arg.cpython-311.pyc
new file mode 100644
index 000000000..e83429988
Binary files /dev/null and b/scripts/modules/__pycache__/cl_arg.cpython-311.pyc differ
diff --git a/scripts/modules/__pycache__/cl_arg.cpython-312.pyc b/scripts/modules/__pycache__/cl_arg.cpython-312.pyc
new file mode 100644
index 000000000..5c758000c
Binary files /dev/null and b/scripts/modules/__pycache__/cl_arg.cpython-312.pyc differ
diff --git a/scripts/modules/__pycache__/cl_arg.cpython-38.pyc b/scripts/modules/__pycache__/cl_arg.cpython-38.pyc
new file mode 100644
index 000000000..6072ad14b
Binary files /dev/null and b/scripts/modules/__pycache__/cl_arg.cpython-38.pyc differ
diff --git a/scripts/modules/__pycache__/cl_v1tov2.cpython-311.pyc b/scripts/modules/__pycache__/cl_v1tov2.cpython-311.pyc
new file mode 100644
index 000000000..346cb42fd
Binary files /dev/null and b/scripts/modules/__pycache__/cl_v1tov2.cpython-311.pyc differ
diff --git a/scripts/modules/__pycache__/cl_v1tov2.cpython-312.pyc b/scripts/modules/__pycache__/cl_v1tov2.cpython-312.pyc
new file mode 100644
index 000000000..ed072a1de
Binary files /dev/null and b/scripts/modules/__pycache__/cl_v1tov2.cpython-312.pyc differ
diff --git a/scripts/modules/__pycache__/cl_v1tov2.cpython-38.pyc b/scripts/modules/__pycache__/cl_v1tov2.cpython-38.pyc
new file mode 100644
index 000000000..ae4ce533a
Binary files /dev/null and b/scripts/modules/__pycache__/cl_v1tov2.cpython-38.pyc differ
diff --git a/scripts/modules/__pycache__/cl_v2tov1.cpython-311.pyc b/scripts/modules/__pycache__/cl_v2tov1.cpython-311.pyc
new file mode 100644
index 000000000..cf4329146
Binary files /dev/null and b/scripts/modules/__pycache__/cl_v2tov1.cpython-311.pyc differ
diff --git a/scripts/modules/__pycache__/cl_v2tov1.cpython-312.pyc b/scripts/modules/__pycache__/cl_v2tov1.cpython-312.pyc
new file mode 100644
index 000000000..2a30c6dc5
Binary files /dev/null and b/scripts/modules/__pycache__/cl_v2tov1.cpython-312.pyc differ
diff --git a/scripts/modules/cl_analyze_v1.py b/scripts/modules/cl_analyze_v1.py
new file mode 100644
index 000000000..e69987bae
--- /dev/null
+++ b/scripts/modules/cl_analyze_v1.py
@@ -0,0 +1,150 @@
+#######################################
+#
+# Module to analyze checklist files
+#
+#######################################
+
+# Dependencies
+import sys
+import json
+import os
+
+# Function that verifies the correctness of a single checklist
+def verify_file(input_file, guids=[], verbose=False):
+ # Banner
+ if verbose:
+ print("DEBUG: ======================================================================")
+ print("DEBUG: Verifying file", input_file)
+ # Look for non-unicode characters in the file
+ if verbose:
+ print("DEBUG: Verifying all characters are Unicode-8...")
+ f1 = open (input_file, "r")
+ text = f1.read()
+ for line in text:
+ for character in line:
+ if ord(character) > 127:
+ print("ERROR: Non-unicode character found in file", input_file, ":", character)
+ sys.exit(1)
+ # if verbose:
+ # print("DEBUG: All characters are Unicode-8")
+
+ # Reading into JSON
+ if verbose:
+ print("DEBUG: Verifying JSON can be loaded up...")
+ try:
+ with open(input_file) as f:
+ checklist = json.load(f)
+ if 'items' in checklist:
+ if verbose:
+ print("DEBUG: {0} items found in JSON file {1}".format(len(checklist['items']), input_file))
+ except Exception as e:
+ print("ERROR: Error when processing JSON file, nothing changed", input_file, ":", str(e))
+ sys.exit(1)
+ # if verbose:
+ # print("DEBUG: JSON can be loaded up correctly")
+
+ # Verify the required keys are present
+ if verbose:
+ print("DEBUG: Verifying the required keys are present...")
+ required_keys = ['items', 'metadata', 'categories', 'status', 'severities', 'yesno']
+ for key in required_keys:
+ if key not in checklist:
+ print("ERROR: Required key missing from JSON file", input_file, ":", key)
+
+ # Verify the metadata keys are present
+ if 'metadata' in checklist:
+ if verbose:
+ print("DEBUG: Verifying the metadata keys are present...")
+ required_keys = ['name', 'timestamp', 'state', 'waf']
+ for key in required_keys:
+ if key not in checklist['metadata']:
+ print("ERROR: Required key missing from metadata in JSON file", input_file, ":", key)
+ else:
+ if verbose:
+ print("WARNING: skipping metadata verification, no metadata in JSON file", input_file)
+
+ # Verify the metadata waf key has a valid value
+ if 'metadata' in checklist:
+ if 'waf' in checklist['metadata']:
+ if checklist['metadata']['waf'].lower() not in ['none', 'all', 'reliability', 'security', 'performance', 'cost', 'operations']:
+ print("ERROR: Invalid WAF value in metadata in JSON file", input_file, ":", checklist['metadata']['waf'])
+
+ # Verify the items have all required keys
+ if verbose:
+ print("DEBUG: Verifying the items have all required keys...")
+ # Counter dictionary for inconsistencies
+ item_count = 0
+ inconsistencies = {
+ 'missing_graph': 0,
+ 'missing_description': 0,
+ 'wrong_cat': 0,
+ 'missing_cat': 0,
+ 'missing_subcat': 0,
+ 'missing_waf': 0,
+ 'wrong_waf': 0,
+ 'missing_svc': 0,
+ 'missing_link': 0,
+ 'missing_sev': 0,
+ 'missing_guid': 0,
+ 'localized_link': 0
+ }
+ # Load categories to verify whether the items have the correct category
+ if 'categories' in checklist:
+ categories = [x['name'] for x in checklist['categories']]
+ if verbose:
+ print("DEBUG: Categories found in JSON file", input_file, ":", str(categories))
+ else:
+ categories = []
+ if 'items' in checklist:
+ for item in checklist['items']:
+ item_count += 1
+ if 'category' not in item:
+ inconsistencies['missing_cat'] += 1
+ elif item['category'] not in categories:
+ inconsistencies['wrong_cat'] += 1
+ if 'subcategory' not in item:
+ inconsistencies['missing_subcat'] += 1
+ if 'waf' not in item:
+ inconsistencies['missing_waf'] += 1
+ elif item['waf'].lower() not in ['reliability', 'security', 'performance', 'cost', 'operations']:
+ inconsistencies['wrong_waf'] += 1
+ if 'service' not in item:
+ inconsistencies['missing_svc'] += 1
+ if 'guid' not in item:
+ inconsistencies['missing_guid'] += 1
+ elif item['guid'] in guids:
+ print("ERROR: Duplicated GUID in JSON file", input_file, ":", item['guid'])
+ else:
+ guids.append(item['guid'])
+ if 'link' not in item:
+ inconsistencies['missing_link'] += 1
+ elif 'en-us' in item['link']:
+ inconsistencies['localized_link'] += 1
+ if 'severity' not in item:
+ inconsistencies['missing_sev'] += 1
+ if 'graph' not in item:
+ inconsistencies['missing_graph'] += 1
+ if 'description' not in item:
+ inconsistencies['missing_description'] += 1
+ if inconsistencies['missing_cat'] > 0:
+ print("ERROR: Items with missing category in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_cat'], round(inconsistencies['missing_cat'] / item_count * 100, 2)))
+ if inconsistencies['wrong_cat'] > 0:
+ print("WARNING: Items with wrong category in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['wrong_cat'], round(inconsistencies['wrong_cat'] / item_count * 100, 2)))
+ if inconsistencies['missing_subcat'] > 0:
+ print("ERROR: Items with missing subcategory in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_subcat'], round(inconsistencies['missing_subcat'] / item_count * 100, 2)))
+ if inconsistencies['missing_waf'] > 0:
+ print("WARNING: Items with missing WAF in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_waf'], round(inconsistencies['missing_waf'] / item_count * 100, 2)))
+ if inconsistencies['wrong_waf'] > 0:
+ print("ERROR: Items with wrong WAF in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['wrong_waf'], round(inconsistencies['wrong_waf'] / item_count * 100, 2)))
+ if inconsistencies['missing_svc'] > 0:
+ print("WARNING: Items with missing service in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_svc'], round(inconsistencies['missing_svc'] / item_count * 100, 2)))
+ if inconsistencies['missing_link'] > 0:
+ print("WARNING: Items with missing link in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_link'], round(inconsistencies['missing_link'] / item_count * 100, 2)))
+ if inconsistencies['missing_sev'] > 0:
+ print("ERROR: Items with missing severity in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_sev'], round(inconsistencies['missing_sev'] / item_count * 100, 2)))
+ if inconsistencies['localized_link'] > 0:
+ print("WARNING: Items with localized link in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['localized_link'], round(inconsistencies['localized_link'] / item_count * 100, 2)))
+ return {
+ 'item_count': item_count,
+ 'inconsistencies': inconsistencies
+ }, guids
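Review bot: `verify_file` takes a mutable default `guids=[]`, and because the body appends to it (`guids.append(item['guid'])`) and returns it, every call that omits the argument shares and extends the same list for the life of the process, so a GUID seen while verifying one file is reported as "Duplicated GUID" in a later file even when the caller never passed a list. Change the signature to `def verify_file(input_file, guids=None, verbose=False):` and add `guids = [] if guids is None else guids` as the first statement. The handle opened with `f1 = open (input_file, "r")` is never closed and the read uses the platform default encoding, so a non-UTF-8 file can raise UnicodeDecodeError before the character check runs; `with open(input_file, "r") as f1: text = f1.read()` at least releases the handle deterministically, and the encoding should be pinned explicitly if the inputs are expected to be UTF-8. The check itself only rejects code points above 127, so the message "Non-unicode character found" is misleading and should read "Non-ASCII character found"; the inner `for character in line` loop is also redundant, since iterating `text` already yields single characters.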
diff --git a/scripts/modules/cl_analyze_v2.py b/scripts/modules/cl_analyze_v2.py
new file mode 100644
index 000000000..265bcf6f5
--- /dev/null
+++ b/scripts/modules/cl_analyze_v2.py
@@ -0,0 +1,639 @@
+#######################################
+#
+# Module to analyze v2 checklist
+# folder structures.
+#
+#######################################
+
+# Dependencies
+import sys
+import yaml
+import json
+import os
+import datetime
+from pathlib import Path
+from collections import Counter
+
+# Function that returns true if a given reco matches the criteria specified by a label selector, a service selector and a WAF selector
+def reco_matches_criteria(reco, labels=None, services=None, resource_types=None, waf_pillars=None, sources=None, guids=None, names=None, arg=False):
+ # Check if the reco fulfills the criteria
+ # GUID
+ if guids:
+ guid_match = False
+ guids_lower = [x.lower() for x in guids]
+ if 'guid' in reco:
+ if reco['guid'].lower() in guids_lower:
+ return True
+ elif 'labels' in reco and 'guid' in reco['labels']:
+ if reco['labels']['guid'].lower() in guids_lower:
+ return True
+ else:
+ guid_match = True
+ # Names
+ if names:
+ name_match = False
+ names_lower = [x.lower() for x in names]
+ if 'name' in reco:
+ if reco['name'].lower() in names_lower:
+ return True
+ else:
+ name_match = True
+ # Labels
+ if labels:
+ label_match = False
+ if 'labels' in reco:
+ for key in labels.keys():
+ if key in reco['labels']:
+ if labels[key] == reco['labels'][key]:
+ label_match = True
+ else:
+ label_match = True
+ # Services
+ if services:
+ service_match = False
+ services = [x.lower() for x in services] # Transform to lower case for case-insensitive comparison
+ if 'none' in services:
+ service_match = ('services' not in reco)
+ if 'services' in reco:
+ for reco_service in reco['services']:
+ if reco_service.lower() in services:
+ service_match = True
+ else:
+ service_match = True
+ # Resource Types
+ if resource_types:
+ resource_type_match = False
+ resource_types = [x.lower() for x in resource_types] # Transform to lower case for case-insensitive comparison
+ if 'none' in resource_types:
+ resource_type_match = ('resourceTypes' not in reco)
+ if 'resourceTypes' in reco:
+ for reco_resource_type in reco['resourceTypes']:
+ if reco_resource_type.lower() in resource_types:
+ resource_type_match = True
+ else:
+ resource_type_match = True
+ # WAF
+ if waf_pillars:
+ waf_match = False
+ if 'none' in waf_pillars:
+ waf_match = ('waf' not in reco)
+ if 'waf' in reco:
+ if reco['waf'].lower() in waf_pillars:
+ waf_match = True
+ else:
+ waf_match = True
+ # Sources
+ if sources:
+ src_match = False
+ if 'none' in sources:
+ src_match = ('source' not in reco)
+ if 'source' in reco:
+ if 'type' in reco['source']:
+ if reco['source']['type'].lower() in sources:
+ src_match = True
+ else:
+ src_match = True
+ arg_match = ((not arg) or ('queries' in reco and 'arg' in reco['queries']))
+ # If no selector was provided, add all recos to the list
+ return (guid_match and name_match and label_match and service_match and resource_type_match and waf_match and arg_match and src_match)
+
+# Extracts certain recos based on include and optionally exclude selectors
+def filter_v2_recos(input_recos, include=None, exclude=None):
+ # The include/exclude parameters are dictionaries provided by the function get_object_selectors
+ if include:
+ waf_pillars = include['waf']
+ services = include['service']
+ resource_types = include['resourceType']
+ guids = include['guid']
+ names = include['name']
+ labels = include['label']
+ sources = include['source']
+ output_recos_include = [x for x in input_recos if reco_matches_criteria(x, waf_pillars=waf_pillars, services=services, resource_types=resource_types, guids=guids, names=names, sources=sources, labels=labels)]
+ # There might be exclude selectors too
+ if exclude:
+ waf_pillars = exclude['waf']
+ services = exclude['service']
+ resource_types = exclude['resourceType']
+ guids = exclude['guid']
+ names = include['name']
+ labels = exclude['label']
+ sources = exclude['source']
+ output_recos = [x for x in output_recos_include if not reco_matches_criteria(x, waf_pillars=waf_pillars, services=services, resource_types=resource_types, guids=guids, names=names, sources=sources, labels=labels)]
+ else:
+ output_recos = output_recos_include
+ return output_recos
+ else:
+ # If no include selectors specified, return nothing
+ return None
+
+# Opens a file with a text editor
+def open_file_with_editor(file, text_editor=None, verbose=False):
+ if text_editor:
+ if verbose: print("DEBUG: Opening file", file.resolve(), "with text editor", text_editor)
+ os.system(text_editor + ' ' + str(file.resolve()))
+ else:
+ if os.name == 'nt':
+ if verbose: print("DEBUG: Opening file", file.resolve(), "with default Windows text editor")
+ os.system(str(file.resolve()))
+ elif os.name == 'posix':
+ if os.getenv('EDITOR'):
+ if verbose: print("DEBUG: Opening file", file, "with default Linux text editor")
+ os.system('%s %s' % (os.getenv('EDITOR'), str(file.resolve())))
+ else:
+ print("ERROR: No text editor found in the EDITOR environment variable")
+ else:
+ print("ERROR: Unsupported OS", os.name)
+
+# Function that loads all of the found v2 YAML/JSON files into a single object
+# labels, services and waf_pillars are selectors with object structure
+# import_filepaths adds a new key to each reco with the file where it was found
+def load_v2_files(input_folder, format='yaml', labels=None, services=None, waf_pillars=None, sources=None, guids=None, names=None, arg=False, open_editor=False, text_editor=None, import_filepaths=False, verbose=False):
+ # Banner
+ if verbose: print("DEBUG: Loading v2 files from folder", input_folder)
+ # Look for files in the input folder
+ v2recos = []
+ # If the input folder exists
+ if os.path.exists(input_folder):
+ files = list(Path(input_folder).rglob( '*.*' ))
+ for file in files:
+ # JSON
+ if format == 'json':
+ if file.suffix == '.json':
+ # if verbose: print("DEBUG: Loading file", file)
+ try:
+ with open(file.resolve()) as f:
+ v2reco = json.safe_load(f)
+ except Exception as e:
+ print("ERROR: Error when loading JSON reco file {0} - {1}". format(file, str(e)))
+ if import_filepaths:
+ v2reco['filepath'] = str(file.resolve())
+ if reco_matches_criteria(v2reco, labels=labels, services=services, waf_pillars=waf_pillars, sources=sources, guids=guids, names=names, arg=arg):
+ if verbose: print("DEBUG: reco in file", file, "matches criteria.")
+ v2recos.append(v2reco)
+ if open_editor:
+ open_file_with_editor(file, text_editor=text_editor, verbose=verbose)
+ # YAML
+ if format == 'yaml' or format == 'yml':
+ if (file.suffix == '.yaml') or (file.suffix == '.yml'):
+ # if verbose: print("DEBUG: Loading file", file)
+ try:
+ with open(file.resolve()) as f:
+ v2reco = yaml.safe_load(f)
+ except Exception as e:
+ print("ERROR: Error when loading YAML reco file {0} - {1}". format(file, str(e)))
+ if import_filepaths:
+ v2reco['filepath'] = str(file.resolve())
+ if reco_matches_criteria(v2reco, labels=labels, services=services, waf_pillars=waf_pillars, sources=sources, guids=guids, names=names, arg=arg):
+ if verbose: print("DEBUG: reco in file", file, "matches criteria.")
+ v2recos.append(v2reco)
+ if open_editor:
+ open_file_with_editor(file, text_editor=text_editor, verbose=verbose)
+ # Return the object with all the v2 objects
+ return v2recos
+ else:
+ print("ERROR: Input folder", input_folder, "does not exist.")
+ return None
+
+# Return an object with some statistics about the v2 objects
+def v2_stats_from_object(v2recos, verbose=False):
+ # Banner
+ if verbose: print("DEBUG: Analyzing v2 objects...")
+ # Create a dictionary with the stats
+ stats = {}
+ if v2recos:
+ stats['total_items'] = len(v2recos)
+ else:
+ stats['total_items'] = 0
+ stats['severity'] = {}
+ stats['labels'] = {}
+ stats['services'] = {}
+ stats['waf'] = {}
+ stats['sources'] = {}
+ stats['resourceTypes'] = {}
+ stats['areas'] = {}
+
+ if v2recos:
+ # Find GUID and name duplicates
+ guid_list = [reco['labels']['guid'] for reco in v2recos if 'labels' in reco and 'guid' in reco['labels']]
+ guid_counts = Counter(guid_list)
+ stats['duplicate_guids'] = [item for item, count in guid_counts.items() if count > 1]
+ name_list = [reco['name'] for reco in v2recos if 'name' in reco]
+ name_counts = Counter(name_list)
+ stats['duplicate_names'] = [item for item, count in name_counts.items() if count > 1]
+ stats['arg'] = len([x for x in v2recos if 'queries' in x and 'arg' in x['queries']])
+ for reco in v2recos:
+ # Count the number of items per severity
+ if 'severity' in reco:
+ if reco['severity'] in stats['severity']:
+ stats['severity'][reco['severity']] += 1
+ else:
+ stats['severity'][reco['severity']] = 1
+ else:
+ if 'undefined' in stats['severity']:
+ stats['severity']['undefined'] += 1
+ else:
+ stats['severity']['undefined'] = 1
+ # Count the number of items per area
+ if 'labels' in reco:
+ for thislabelkey in reco['labels'].keys():
+ labeltext = thislabelkey + ":" + reco['labels'][thislabelkey]
+ if labeltext in stats['labels']:
+ stats['labels'][labeltext] += 1
+ else:
+ stats['labels'][labeltext] = 1
+ # Count the number of items per service
+ if 'services' in reco:
+ for service in reco['services']:
+ if service in stats['services']:
+ stats['services'][service] += 1
+ else:
+ stats['services'][service] = 1
+ else:
+ if 'undefined' in stats['services']:
+ stats['services']['undefined'] += 1
+ else:
+ stats['services']['undefined'] = 1
+ # Count the number of items per WAF pillar
+ if 'waf' in reco:
+ if reco['waf'] in stats['waf']:
+ stats['waf'][reco['waf']] += 1
+ else:
+ stats['waf'][reco['waf']] = 1
+ else:
+ if 'undefined' in stats['waf']:
+ stats['waf']['undefined'] += 1
+ else:
+ stats['waf']['undefined'] = 1
+ # Count the number of items per source
+ if 'source' in reco:
+ if 'type' in reco['source']:
+ if reco['source']['type'] in stats['sources']:
+ stats['sources'][reco['source']['type']] += 1
+ else:
+ stats['sources'][reco['source']['type']] = 1
+ # Resource types
+ if 'resourceTypes' in reco:
+ for resourceType in reco['resourceTypes']:
+ if resourceType in stats['resourceTypes']:
+ stats['resourceTypes'][resourceType] += 1
+ else:
+ stats['resourceTypes'][resourceType] = 1
+ # Areas / subareas
+ if 'area' in reco:
+ if 'subarea' in reco:
+ if reco['area'] + ' | ' + reco['subarea'] in stats['areas']:
+ stats['areas'][reco['area'] + ' | ' + reco['subarea']] += 1
+ else:
+ stats['areas'][reco['area'] + ' | ' + reco['subarea']] = 1
+ else:
+ if reco['area'] in stats['areas']:
+ stats['areas'][reco['area']] += 1
+ else:
+ stats['areas'][reco['area']] = 1
+ else:
+ if 'undefined' in stats['areas']:
+ stats['areas']['undefined'] += 1
+ else:
+ stats['areas']['undefined'] = 1
+ # Return the stats object
+ return stats
+ else:
+ print("ERROR: no recos to analyze for statistics.")
+ return stats
+
+# Return an object with some statistics about the v2 objects in a checklist
+def v2_stats_from_checklist(checklist_file, input_folder, format='yaml', verbose=False):
+ # Load the v2 objects from the checklist
+ v2recos = get_recos_from_checklist(checklist_file, input_folder, verbose)
+ if v2recos:
+ if verbose: print("DEBUG: {0} v2 objects extracted, calculating stats...".format(len(v2recos)))
+ # Get the stats from the v2 objects
+ stats = v2_stats_from_object(v2recos, verbose=verbose)
+ # Return the stats object
+ return stats
+ else:
+ print("ERROR: no recos could be loaded from checklist", checklist_file)
+ return None
+
+# Return an object with some statistics about the v2 objects in a folder
+def v2_stats_from_folder(input_folder, format='yaml', labels=None, services=None, waf_pillars=None, sources=None, verbose=False):
+ # Load the v2 objects from the folder
+ v2recos = load_v2_files(input_folder, format=format, labels=labels, services=services, waf_pillars=waf_pillars, sources=sources, verbose=verbose)
+ # Get the stats from the v2 objects
+ stats = v2_stats_from_object(v2recos, verbose=verbose)
+ # Return the stats object
+ return stats
+
+# Return an object with the recos fulfilling the specified criteria
+# ToDo: the parameter guid should be an array, to support a list of guids
+def get_recos(input_folder, labels=None, services=None, waf_pillars=None, sources=None, guids=None, names=None, arg=False, format='yaml', import_filepaths=False, verbose=False):
+ # Load the v2 objects from the folder
+ v2recos = load_v2_files(input_folder, format=format, import_filepaths=import_filepaths, verbose=verbose)
+ if v2recos:
+ # Create a list of recos that fulfill the criteria
+ recos = []
+ for reco in v2recos:
+ if reco_matches_criteria(reco, labels=labels, services=services, waf_pillars=waf_pillars, sources=sources, guids=guids, names=names, arg=arg):
+ recos.append(reco)
+ # Return the recos object
+ return recos
+ else:
+ print("ERROR: no recos could be loaded from folder", input_folder)
+
+def get_checklists(input_folder, verbose=False):
+ # Banner
+ if verbose: print("DEBUG: Loading v2 checklist files from folder", input_folder)
+ # Look for files in the input folder
+ v2cls = []
+ # If the input folder exists
+ if os.path.exists(input_folder):
+ files = list(Path(input_folder).rglob( '*.*' ))
+ for file in files:
+ if (file.suffix == '.yaml') or (file.suffix == '.yml'):
+ if verbose: print("DEBUG: Loading file", file)
+ try:
+ with open(file.resolve()) as f:
+ v2cl = yaml.safe_load(f)
+ except Exception as e:
+ print("ERROR: Error when loading YAML checklist file {0} - {1}". format(file, str(e)))
+ v2cls.append(v2cl)
+ # Return the object with all the v2 objects
+ return v2cls
+ else:
+ print("ERROR: Input folder", input_folder, "does not exist.")
+ return None
+
+# Return a single reco per GUID from a list of recos. The file can be identified by the file name
+# We could look for a file with the GUID in the name, but Linux file systems are case sensitive, plus
+# errors where the file name is incorrect would be hard to debug
+def get_reco_from_guid(input_folder, guid, verbose=False):
+ # Load the v2 objects from the folder
+ v2recos = load_v2_files(input_folder, guids=[guid], format='yaml', import_filepaths=True, verbose=verbose)
+ if v2recos:
+ # Return the reco object
+ return v2recos
+ else:
+ print("ERROR: no reco could be loaded from folder", input_folder)
+ return None
+
+# Return a single reco per GUID from a list of recos. The file can be identified by the file name
+# We could look for a file with the GUID in the name, but Linux file systems are case sensitive, plus
+# errors where the file name is incorrect would be hard to debug
+def get_reco_from_name(input_folder, reco_name, verbose=False):
+ # Load the v2 objects from the folder
+ v2recos = load_v2_files(input_folder, names=[reco_name], format='yaml', import_filepaths=True, verbose=verbose)
+ if v2recos:
+ # Return the reco object
+ return v2recos
+ else:
+ print("ERROR: no reco could be loaded from folder", input_folder)
+ return None
+
+
+# Update recommendations refreshing the reviewed date to the current date
+# Only updates recommendations with source type 'revcl'
+def refresh_reviewed(recos, verbose=False):
+ for reco in recos:
+ if 'source' in reco:
+ if 'type' in reco['source']:
+ if reco['source']['type'] == 'revcl':
+ if verbose: print("DEBUG: Refreshing reviewed date for reco", reco['guid'], "to current date", datetime.date.today().strftime("%B %d, %Y"))
+ reco['reviewed'] = datetime.date.today().strftime("%B %d, %Y")
+ return recos
+
+# Function to modify yaml.dump for multiline strings, see https://github.com/yaml/pyyaml/issues/240
+def str_presenter(dumper, data):
+ if data.count('\n') > 0:
+ data = "\n".join([line.rstrip() for line in data.splitlines()]) # Remove any trailing spaces, then put it back together again
+ return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|')
+ return dumper.represent_scalar('tag:yaml.org,2002:str', data)
+
+# Print in screen a single v2 recommendation
+def print_reco(reco):
+ # Add representer to yaml for multiline strings, see https://github.com/yaml/pyyaml/issues/240
+ yaml.add_representer(str, str_presenter)
+ yaml.representer.SafeRepresenter.add_representer(str, str_presenter) # to use with safe_dum
+ print(yaml.safe_dump(reco, default_flow_style=False, sort_keys=False))
+
+# Print in screen a v2 recommendation in one line with fixed width columns
+def print_recos(recos, show_labels=False, show_arg=False):
+ print("{0:<37} {1:<80} {2:<30} {3:<15}".format('NAME', 'TITLE', 'RESOURCE TYPE', 'WAF'), end="")
+ if show_labels:
+ print("{0:<40}".format("LABELS"), end="")
+ if show_arg:
+ print("{0:<40}".format("AZURE RESOURCE GRAPH QUERY"), end="")
+ print()
+ print("{0:<37} {1:<80} {2:<30} {3:<15}".format('====', '=====', '=============', '==='), end="")
+ if show_labels:
+ print("{0:<40}".format("======"), end="")
+ if show_arg:
+ print("{0:<40}".format("=========================="), end="")
+ print()
+ for reco in recos:
+ name=reco['name'] if 'name' in reco else ''
+ title=reco['title'] if 'title' in reco else ''
+ resource_type=reco['resourceTypes'][0] if 'resourceTypes' in reco and len(reco['resourceTypes']) > 0 else ''
+ waf=reco['waf'] if 'waf' in reco else ''
+ print("{0:<37} {1:<80} {2:<30} {3:<15}".format(name[:37], title[:79], resource_type[:29], waf), end="")
+ if show_labels:
+ if 'labels' in reco:
+ print("{0:<40}".format(str(reco['labels'])), end="")
+ if show_arg:
+ if 'queries' in reco and 'arg' in reco['queries']:
+ print("{0:<40}".format(reco['queries']['arg'][:39]), end="")
+ print()
+ print(" {0} recommendations listed".format(len(recos)))
+
+# Get selectors from a checklist file in YAML format
+# Returns the label, service and WAF selectors, and the variables, in this order
+def get_object_selectors(checklist_object, verbose=False):
+ # Label
+ if 'labelSelector' in checklist_object:
+ labelSelector = checklist_object['labelSelector']
+ for key in labelSelector.keys():
+ if verbose: print ("DEBUG: Label selector found:", key + ":" + labelSelector[key])
+ else:
+ labelSelector = None
+ # Service
+ if 'serviceSelector' in checklist_object:
+ serviceSelector = checklist_object['serviceSelector']
+ for service in serviceSelector:
+ if verbose: print ("DEBUG: Service selector found:", service)
+ else:
+ serviceSelector = None
+ # ResourceType
+ if 'resourceTypeSelector' in checklist_object:
+ resourceTypeSelector = checklist_object['resourceTypeSelector']
+ for resourceType in resourceTypeSelector:
+ if verbose: print ("DEBUG: resourceType selector found:", resourceType)
+ else:
+ resourceTypeSelector = None
+ # WAF
+ if 'wafSelector' in checklist_object:
+ wafSelector = checklist_object['wafSelector']
+ for waf in wafSelector:
+ if verbose: print ("DEBUG: WAF selector found:", waf)
+ else:
+ wafSelector = None
+ # GUID
+ if 'guidSelector' in checklist_object:
+ guidSelector = checklist_object['guidSelector']
+ for guid in guidSelector:
+ if verbose: print ("DEBUG: GUID selector found:", guid)
+ else:
+ guidSelector = None
+ # Names
+ if 'nameSelector' in checklist_object:
+ nameSelector = checklist_object['nameSelector']
+ for name in nameSelector:
+ if verbose: print ("DEBUG: name selector found:", name)
+ else:
+ nameSelector = None
+ # Source
+ if 'sourceSelector' in checklist_object:
+ sourceSelector = checklist_object['sourceSelector']
+ for source in sourceSelector:
+ if verbose: print ("DEBUG: source selector found:", source)
+ else:
+ sourceSelector = None
+ # Return the selectors
+ return {
+ 'label': labelSelector,
+ 'source': sourceSelector,
+ 'service': serviceSelector,
+ 'waf': wafSelector,
+ 'resourceType': resourceTypeSelector,
+ 'guid': guidSelector,
+ 'name': nameSelector
+ }
+
+# Loads a checklist file in YAML format
+def get_checklist_object(checklist_file, verbose=False):
+ # Load the checklist file
+ try:
+ if verbose: print("DEBUG: Loading checklist file", checklist_file)
+ with open(checklist_file) as f:
+ checklist = yaml.safe_load(f)
+ return checklist
+ except Exception as e:
+ print("ERROR: Error when loading checklist file {0} - {1}". format(checklist_file, str(e)))
+ return None
+
+# Return v2 recos that match the selectors included in a checklist file
+def get_recos_from_checklist(checklist_file, input_folder, import_filepaths=False, verbose=False):
+ # Get checklist object and full reco list
+ checklist_v2 = get_checklist_object(checklist_file, verbose)
+ if not checklist_v2:
+ print("ERROR: Checklist file could not be loaded.")
+ return None
+ if verbose: print("DEBUG: Loading recos from folder", input_folder)
+ recos_v2_full = get_recos(input_folder, import_filepaths=import_filepaths, verbose=False) # Loading all recos, verbose not needed
+ recos_v2 = []
+ # Selectors can be at the checklist root, in an area, or a subarea
+ if 'include' in checklist_v2:
+ root_include_selectors = get_object_selectors(checklist_v2['include'])
+ if 'exclude' in checklist_v2:
+ root_exclude_selectors = get_object_selectors(checklist_v2['exclude'])
+ else:
+ root_exclude_selectors = None
+ # Filter all recos according to the selectors
+ root_recos_v2 = filter_v2_recos(recos_v2_full, include=root_include_selectors, exclude=root_exclude_selectors)
+ recos_v2 += root_recos_v2
+ if verbose: print("DEBUG: {0} recos extracted at root level, reco list at {1} elements".format(len(root_recos_v2), len(recos_v2)))
+ if 'areas' in checklist_v2:
+ for area in checklist_v2['areas']:
+ if 'name' in area:
+ if 'include' in area:
+ area_include_selectors = get_object_selectors(area['include'])
+ if 'exclude' in area:
+ area_exclude_selectors = get_object_selectors(area['exclude'])
+ else:
+ area_exclude_selectors = None
+ # Filter all recos according to the selectors
+ area_recos_v2 = filter_v2_recos(recos_v2_full, include=area_include_selectors, exclude=area_exclude_selectors)
+ recos_v2 += [x | {'area': area['name']} for x in area_recos_v2]
+ if verbose: print("DEBUG: {0} recos extracted at area {1}, reco list at {2} elements".format(len(area_recos_v2), area['name'], len(recos_v2)))
+ if 'subareas' in area:
+ for subarea in area['subareas']:
+ if 'name' in subarea:
+ if 'include' in subarea:
+ subarea_include_selectors = get_object_selectors(subarea['include'])
+ if 'exclude' in subarea:
+ subarea_exclude_selectors = get_object_selectors(subarea['exclude'])
+ else:
+ subarea_exclude_selectors = None
+ # Filter all recos according to the selectors
+ subarea_recos_v2 = filter_v2_recos(recos_v2_full, include=subarea_include_selectors, exclude=subarea_exclude_selectors)
+ recos_v2 += [x | {'area': area['name'], 'subarea': subarea['name']} for x in subarea_recos_v2]
+ if verbose: print("DEBUG: {0} recos extracted at area '{1}', subarea '{2}', reco list at {3} elements".format(len(subarea_recos_v2), area['name'], subarea['name'], len(recos_v2)))
+ else:
+ if verbose: print("WARNING: skipping subarea '{0}' in area '{1}, no include specified.".format(subarea['name'], area['name']))
+ else:
+ if verbose: print("WARNING: Skipping subarea in area {0}, no name specified.".format(area['name']))
+ else:
+ if verbose: print("WARNING: Skipping area, no name specified.")
+ # Return the recos object
+ return recos_v2
+
+# Function that finds the file with a specific name and deletes it
+def delete_v2_reco(input_folder, reco_name, format='yaml', verbose=False):
+ # Whether the reco was found
+ reco_found = False
+ # If the input folder exists
+ if os.path.exists(input_folder):
+ files = list(Path(input_folder).rglob( '*.*' ))
+ for file in files:
+ # JSON
+ if format == 'json':
+ if file.suffix == '.json':
+ # if verbose: print("DEBUG: Loading file", file)
+ try:
+ with open(file.resolve()) as f:
+ v2reco = json.safe_load(f)
+ f.close()
+ if 'name' in v2reco:
+ if v2reco['name'].lower() == reco_name.lower():
+ if verbose: print('DEBUG: Deleting reco', reco_name, 'in file', file)
+ os.remove(file)
+ reco_found = True
+ except Exception as e:
+ print("ERROR: Error when loading reco file {0} - {1}". format(file, str(e)))
+ # YAML
+ if format == 'yaml' or format == 'yml':
+ if (file.suffix == '.yaml') or (file.suffix == '.yml'):
+ # if verbose: print("DEBUG: Loading file", file)
+ try:
+ with open(file.resolve()) as f:
+ v2reco = yaml.safe_load(f)
+ f.close()
+ if 'name' in v2reco:
+ if v2reco['name'].lower() == reco_name.lower():
+ if verbose: print('DEBUG: deleting reco', reco_name, 'in file', file)
+ os.remove(file)
+ reco_found = True
+ except Exception as e:
+ print("ERROR: Error when loading reco file {0} - {1}". format(file, str(e)))
+ # Return the object with all the v2 objects
+ return reco_found
+
+# Function that finds the file with a specific name and deletes it
+def delete_file(file_name, verbose=False):
+ if os.path.exists(file_name):
+ if verbose: print("DEBUG: Deleting file", file_name)
+ try:
+ os.remove(file_name)
+ except Exception as e:
+ print("ERROR: Error when deleting file {0} - {1}". format(file_name, str(e)))
+ else:
+ print("ERROR: File", file_name, "does not exist.")
+
+# Function that returns a reco name provided its GUID. It takes as argument an object with the full list of recos
+def get_reco_name_from_guid(recos, guid):
+ for reco in recos:
+ if 'labels' in reco and 'guid' in reco['labels']:
+ if reco['labels']['guid'].lower() == guid.lower():
+ if 'name' in reco:
+ return reco['name']
+ else:
+ return None
+ return None
diff --git a/scripts/modules/cl_arg.py b/scripts/modules/cl_arg.py
new file mode 100644
index 000000000..606905a06
--- /dev/null
+++ b/scripts/modules/cl_arg.py
@@ -0,0 +1,50 @@
+#######################################
+#
+# Module to run ARG queries
+#
+#######################################
+
+# Dependencies
+import os
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.resourcegraph import ResourceGraphClient
+from azure.mgmt.resource import ResourceManagementClient
+from azure.mgmt.resourcegraph.models import *
+
+
+# Function that takes an array of recos as argument and runs the ARG query specified in each of the elements (if existing)
+# Code from https://github.com/Azure-Samples/azure-samples-python-management/blob/main/samples/resourcegraph/resources_query.py
+# ToDo: add mgmt group support
+def run_arg_queries(reco_array, subscription_id=None, verbose=False):
+ # Initialize the ARG client
+ if not subscription_id:
+ subscription_id = os.environ.get("SUBSCRIPTION_ID", None)
+ # Create client. For other authentication approaches, please see: https://pypi.org/project/azure-identity/
+ if verbose: print("DEBUG: Running ARG queries for subscription {0}".format(subscription_id))
+ arg_client = ResourceGraphClient(
+ credential=DefaultAzureCredential(),
+ subscription_id=subscription_id
+ )
+ # Initialize the list of results
+ results = []
+ # Iterate over all recos
+ for reco in reco_array:
+ # If the reco has a query, run it
+ if 'queries' in reco:
+ if 'arg' in reco['queries']:
+ # Run the query
+ if verbose:
+ print("DEBUG: Running ARG query for reco {0}: {1}".format(reco['guid'], reco['queries']['arg']))
+ query = QueryRequest(
+ query=reco['queries']['arg'],
+ subscriptions=[subscription_id],
+ options=QueryRequestOptions(
+ result_format=ResultFormat.object_array
+ )
+ )
+ result = arg_client.resources(query)
+ # Append the result to the list
+ if 'data' in result:
+ results.append({"guid": reco['guid'], "title": reco['title'], "argResult": result['data']})
+ # Return the list of results
+ return results
\ No newline at end of file
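Review bot: `run_arg_queries` indexes `reco['guid']` and `reco['title']` directly, but the v2 recommendation objects this module is written for keep the GUID under `labels` (as `generate_v2` and `get_reco_name_from_guid` elsewhere in this change do), so the first reco that carries a query will raise KeyError before anything runs. A single malformed query also aborts the whole batch because `arg_client.resources(query)` is not guarded, and when neither the argument nor `SUBSCRIPTION_ID` is set the client is still created and the query issued with `subscriptions=[None]` instead of failing with a clear message. Two caveats I cannot confirm from here: per the linked sample, `resources()` seems to return the SDK's `QueryResponse` model, whose payload is the `data` attribute rather than a `'data'` key, and ARG pages its results (`skip_token`), so a query returning more than one page would be silently truncated — worth a comment or a follow-up loop. A rewritten loop with the GUID lookup, the subscription check and per-query error handling is below; the star import of `azure.mgmt.resourcegraph.models` would also be better as explicit names.
```python
    if not subscription_id:
        subscription_id = os.environ.get("SUBSCRIPTION_ID", None)
    if not subscription_id:
        print("ERROR: no subscription ID supplied and SUBSCRIPTION_ID is not set")
        return None
    # … unchanged: ResourceGraphClient creation …
    results = []
    for reco in reco_array:
        arg_query = (reco.get('queries') or {}).get('arg')
        if not arg_query:
            continue
        # v2 recos carry the GUID under labels; fall back to a top-level 'guid' for v1-style objects
        guid = (reco.get('labels') or {}).get('guid', reco.get('guid'))
        if verbose:
            print("DEBUG: Running ARG query for reco {0}: {1}".format(guid, arg_query))
        query = QueryRequest(
            query=arg_query,
            subscriptions=[subscription_id],
            options=QueryRequestOptions(result_format=ResultFormat.object_array)
        )
        try:
            result = arg_client.resources(query)
        except Exception as e:
            # One bad query must not abort the whole batch
            print("ERROR: ARG query for reco {0} failed - {1}".format(guid, str(e)))
            continue
        # QueryResponse exposes the rows as an attribute; tolerate a plain dict too
        data = result.data if hasattr(result, 'data') else result.get('data')
        if data is not None:
            results.append({"guid": guid, "title": reco.get('title'), "argResult": data})
    return results
```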
diff --git a/scripts/modules/cl_v1tov2.py b/scripts/modules/cl_v1tov2.py
new file mode 100644
index 000000000..510623792
--- /dev/null
+++ b/scripts/modules/cl_v1tov2.py
@@ -0,0 +1,469 @@
+#######################################
+#
+# Module to convert v1 checklist files
+# to v2.
+#
+#######################################
+
+# Dependencies
+import sys
+import yaml
+import json
+import os
+from pathlib import Path
+from . import cl_analyze_v2
+
+# Get the standard service name from the service dictionary
+def get_standard_service_name(service_name, service_dictionary=None):
+ svc_match_found = False
+ if service_dictionary:
+ for svc in service_dictionary:
+ if 'names' in svc and len(svc['names']) > 0:
+ svc_names = [x.lower() for x in svc['names']] # Case insensitive comparison
+ if service_name.lower() in svc_names:
+ svc_match_found = True
+ return svc['service']
+ else:
+ print("WARNING: service dictionary entry without names field:", str(svc))
+ if not svc_match_found:
+ return service_name
+ else:
+ return service_name
+
+# Get the resource type from the service dictionary
+# Return None if no match
+def get_resource_type_name(service_name, service_dictionary=None):
+ svc_match_found = False
+ if service_dictionary:
+ for svc in service_dictionary:
+ if service_name in svc['names']:
+ svc_match_found = True
+ if 'arm' in svc:
+ return svc['arm']
+ if not svc_match_found:
+ return None
+ else:
+ return None
+
+# Function to modify yaml.dump for multiline strings, see https://github.com/yaml/pyyaml/issues/240
+def str_presenter(dumper, data):
+ if data.count('\n') > 0:
+ data = "\n".join([line.rstrip() for line in data.splitlines()]) # Remove any trailing spaces, then put it back together again
+ return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|')
+ return dumper.represent_scalar('tag:yaml.org,2002:str', data)
+
+# Function that returns a data structure with the objects in v2 format
+def generate_v2(input_file, text_analytics_endpoint=None, text_analytics_key=None, service_dictionary=None, source_type=None, labels=None, id_label=None, cat_label=None, subcat_label=None, existing_v2recos=None, max_items=0, default_severity=1, verbose=False):
+ if verbose: print("DEBUG: Converting file", input_file)
+ if verbose and not service_dictionary: print("DEBUG: unless a service dictionary is supplied, no service or resource type mappings will be done.")
+ # Default values for non-mandatory labels
+ if not id_label: id_label = 'id'
+ if not cat_label: cat_label = 'area'
+ if not subcat_label: subcat_label = 'subarea'
+ # If existing v2 reco folder specified, load them up (will be used to prevent duplicate names)
+ if not existing_v2recos:
+ print("WARNING: No existing v2 recos provided, duplicate reco names might be generated.")
+ # Load v1 recos
+ try:
+ with open(input_file) as f:
+ checklist = json.load(f)
+ except Exception as e:
+ print("ERROR: Error when processing JSON file, nothing changed", input_file, ":", str(e))
+ return None
+ # Process the v1 recos
+ if 'items' in checklist:
+ if verbose: print("DEBUG: {0} items found in JSON file {1}".format(len(checklist['items']), input_file))
+ # Create a list of objects in v2 format
+ v2recos = []
+ reco_counter = 0
+ for item in checklist['items']:
+ # Check if we reached the maximum number of items
+ reco_counter += 1
+ if max_items > 0 and reco_counter > max_items:
+ if verbose: print("DEBUG: Maximum number of items reached, stopping.")
+ break
+ # Note that the order in which items are added to the dictionary is important, since yaml.dump is configured to not sort the keys
+ v2reco = {}
+ # Source (subfields file, type and timestamp). First we add the information to the original v1 reco, later we will add it to the new v2 reco
+ if 'source' in item:
+ if item['source'].lower() == 'aprl' or item['source'].lower() == 'wafsg':
+ item['source'] = {'type': item['source'].lower()}
+ elif '.yaml' in item['source']: # If it was imported from YAML it is coming from APRL
+ item['source'] = {'type': 'aprl'}
+ elif '.md' in item['source']: # If it was imported from Markdown it is coming from a WAF service guide
+ item['source'] = {'type': 'wafsg'}
+ elif 'sourceType' in item:
+ item['source'] = {'type': item['sourceType'].lower()}
+ if 'sourceFile' in item:
+ item['source']['file'] = item['sourceFile']
+ else:
+ item['source'] = {'type': 'revcl', 'file': input_file}
+ # If the source type was specified as a parameter, use it
+ if source_type:
+ item['source']['type'] = source_type
+ # Timestamp
+ if 'timestamp' in item:
+ item['source']['timestamp'] = item['timestamp']
+ # If text analytics endpoint and key were supplied, try to guess a reco name
+ if text_analytics_endpoint and text_analytics_key:
+ v2reco['name'] = guess_reco_name(item, text_analytics_endpoint, text_analytics_key, version=1, key_phrase_no=2, verbose=verbose)
+ else:
+ v2reco['name'] = ''
+ # If we have existing v2 recos, append an integer identifier until the name is unique
+ if v2reco['name'] and existing_v2recos:
+ i = 0
+ while True:
+ # We look for recos with the same name and different GUID
+ existing_v2recos_same_name = [x['name'].lower() for x in existing_v2recos if ((x['name'].lower() == v2reco['name'].lower()) and (('labels' in x) and ('guid' in x['labels']) and ('guid' in item) and (x['labels']['guid'] != item['guid'])))]
+ if len(existing_v2recos_same_name) > 0:
+ i += 1
+ v2reco['name'] = v2reco['name'] + '-' + str(i)
+ else:
+ break
+ # Title/description
+ if 'text' in item:
+ v2reco['title'] = item['text']
+ if 'description' in item:
+ v2reco['description'] = item['description']
+ # Source
+ v2reco['source'] = item['source']
+ # Services
+ # if 'service' in item:
+ # v2reco['services'] = []
+ # v2reco['services'].append(get_standard_service_name(item['service'], service_dictionary=service_dictionary))
+ # Resource types
+ v2reco['resourceTypes'] = []
+ if 'recommendationResourceType' in item:
+ v2reco['resourceTypes'].append(item['recommendationResourceType'])
+ else: # Else try to get the resourceType from the service dictionary
+ if 'service' in item:
+ resource_type = get_resource_type_name(item['service'], service_dictionary=service_dictionary)
+ if resource_type:
+ v2reco['resourceTypes'].append(resource_type.lower())
+ if verbose: print("DEBUG: resource type {0} identified for service {1}.".format(resource_type, item['service']))
+ else:
+ if verbose: print("WARNING: not able to get resource type from service", item['service'])
+ # WAF
+ if 'waf' in item:
+ # Normalize WAF
+ if 'operation' in item['waf'].lower():
+ v2reco['waf'] = 'Operations'
+ elif 'reliability' in item['waf'].lower() or 'resiliency' in item['waf'].lower():
+ v2reco['waf'] = 'Reliability'
+ elif 'cost' in item['waf'].lower():
+ v2reco['waf'] = 'Cost'
+ elif 'performance' in item['waf'].lower():
+ v2reco['waf'] = 'Performance'
+ elif 'security' in item['waf'].lower():
+ v2reco['waf'] = 'Security'
+ else:
+ if verbose: print("DEBUG: WAF value {0} in file {1} unknown".format(input_file, item['waf']))
+ # Severity
+ if 'severity' in item:
+ if item['severity'].lower() == 'high':
+ v2reco['severity'] = 0
+ elif item['severity'].lower() == 'medium':
+ v2reco['severity'] = 1
+ elif item['severity'].lower() == 'low':
+ v2reco['severity'] = 2
+ else:
+ v2reco['severity'] = default_severity
+ # Labels
+ v2reco['labels'] = {}
+ # GUID (we put it in a label)
+ if 'guid' in item:
+ v2reco['labels']['guid'] = item['guid']
+ # else:
+ # print("ERROR: No GUID found for reco in file", input_file)
+ # continue
+ # Categories, Subcategories, IDs
+ if 'category' in item:
+ v2reco['labels'][cat_label] = item['category']
+ if 'subcategory' in item:
+ v2reco['labels'][subcat_label] = item['subcategory']
+ if 'id' in item:
+ v2reco['labels'][id_label] = item['id']
+ # Links
+ v2reco['links'] = []
+ if 'link' in item:
+ v2reco['links'].append({'type': 'docs', 'url': item['link']})
+ if 'training' in item:
+ v2reco['links'].append({'type': 'docs', 'url': item['training']})
+ # If additional labels were specified as parameter, add them to the object
+ if labels:
+ for key in labels.keys():
+ v2reco['labels'][key] = labels[key]
+ # Queries
+ v2reco['queries'] = {}
+ if 'graph' in item:
+ v2reco['queries'] = {}
+ v2reco['queries']['arg'] = item['graph']
+ # Add to the list of v2 objects
+ v2recos.append(v2reco)
+ existing_v2recos.append(v2reco) # Add to the list of existing v2 recos to prevent duplicate names
+ return v2recos
+ else:
+ print("ERROR: No items found in JSON file", input_file)
+ return None
+
+# Function that removes empty directories
+def remove_empty_dirs(path):
+ for root, dirnames, filenames in os.walk(path, topdown=False):
+ for dirname in dirnames:
+ remove_empty_dirs(os.path.realpath(os.path.join(root, dirname)))
+
+# Function that stores an object generated by generate_v2 in files in the output folder
+def store_v2(output_folder, checklist, output_format='yaml', existing_v2recos=None, overwrite=False, verbose=False):
+ # If parameter existing_v2recos is not provided, show warning
+ if not existing_v2recos:
+ print("WARNING: No existing v2 recos provided, duplicate reco names might be generated.")
+ # Folder fo the services-related recos (set to None for no subfolder)
+ services_folder = 'Services'
+ if verbose: print("DEBUG: Storing v2 objects in folder", output_folder)
+ # Create the output folder if it doesn't exist
+ if not os.path.exists(output_folder):
+ os.makedirs(output_folder)
+ # Add representer to yaml for multiline strings, see https://github.com/yaml/pyyaml/issues/240
+ yaml.add_representer(str, str_presenter)
+ yaml.representer.SafeRepresenter.add_representer(str, str_presenter) # to use with safe_dum
+ # Store each object in a separate YAML file
+ item_count = 0
+ for item in checklist:
+ # Use the reco's name as the file name, otherwise the guid
+ item_count += 1
+ if 'name' in item:
+ file_name = item['name']
+ elif 'guid' in item:
+ file_name = item['guid']
+ elif 'labels' in item and 'guid' in item['labels']:
+ file_name = item['labels']['guid']
+ else:
+ file_name = None
+ if file_name:
+ # Append resource type (pick the first one) and WAF pillar to output folder if available
+ this_output_folder = output_folder
+ if 'resourceTypes' in item:
+ if len(item['resourceTypes']) > 0:
+ service_folder_name = item['resourceTypes'][0].replace(" ", "")
+ service_folder_name = service_folder_name.replace(".", "")
+ service_folder_name = service_folder_name.replace('"', "")
+ service_folder_name = service_folder_name.replace("'", "")
+ service_folder_name = service_folder_name.replace("/", "-")
+ if services_folder:
+ this_output_folder = os.path.join(output_folder, services_folder, service_folder_name)
+ else:
+ this_output_folder = os.path.join(output_folder, service_folder_name)
+ else:
+ this_output_folder = os.path.join(output_folder, "Practices")
+ if verbose: print("DEBUG: No services found for reco", item['name'])
+ else:
+ this_output_folder = os.path.join(output_folder, "Practices")
+ if verbose: print("DEBUG: 'resourceTypes' field missing from reco", item['name'])
+ if 'waf' in item:
+ this_output_folder = os.path.join(this_output_folder, item['waf'].replace(" ", ""))
+ # Create the output folder if it doesn't exist
+ if not os.path.exists(this_output_folder):
+ os.makedirs(this_output_folder)
+ # Delete any existing file with the same GUID (if we have a GUID)
+ if existing_v2recos and 'labels' in item and 'guid' in item['labels']:
+ recos_with_same_guid = [x for x in existing_v2recos if 'filepath' in x and 'labels' in x and 'guid' in x['labels'] and x['labels']['guid'] == item['labels']['guid']]
+ if verbose:
+ print("DEBUG: Deleting {0} existing recos with GUID {1}".format(len(recos_with_same_guid), item['labels']['guid']))
+ for existing_reco in recos_with_same_guid:
+ # Delete filename specified in the filepath attribute
+ if 'filepath' in existing_reco:
+ if os.path.exists(existing_reco['filepath']):
+ if verbose:
+ print("DEBUG: Deleting existing reco at", existing_reco['filepath'])
+ os.remove(existing_reco['filepath'])
+ else:
+ print("WARNING: reco not found at", existing_reco['filepath'])
+ # Delete any existing file for the same name (it might be in a different folder)
+ # We can do this because the name is unique
+ if overwrite and existing_v2recos and 'name' in item:
+ # cl_analyze_v2.delete_v2_reco(output_folder, item['name'], output_format, verbose=verbose)
+ recos_with_same_name = [x for x in existing_v2recos if x['name'] == item['name'] and 'filepath' in x]
+ if verbose:
+ print("DEBUG: Deleting {0} existing recos with name {1}".format(len(recos_with_same_name), item['name']))
+ for existing_reco in recos_with_same_name:
+ # Delete filename specified in the filepath attribute
+ if 'filepath' in existing_reco:
+ if os.path.exists(existing_reco['filepath']):
+ if verbose:
+ print("DEBUG: Deleting existing reco at", existing_reco['filepath'])
+ os.remove(existing_reco['filepath'])
+ # Export JSON or YAML, depending on the output format
+ if output_format in ['yaml', 'yml']:
+ output_file = os.path.join(this_output_folder, file_name + ".yaml")
+ # If the new file exists, append a number to the name
+ i = 1
+ while os.path.exists(output_file):
+ output_file = os.path.join(this_output_folder, file_name + "-" + str(i) + ".yaml")
+ i += 1
+ # Create the new file
+ try:
+ with open(output_file, 'w') as f:
+ yaml.dump(item, f, sort_keys=False)
+ if verbose: print("DEBUG: Stored YAML recommendation {0}/{1} in file {2}.".format(item_count, len(checklist), output_file))
+ except Exception as e:
+ print("ERROR: Error when writing YAML file", output_file, ":", str(e))
+ # JSON not finished (not using JSON for now)
+ elif output_format == 'json':
+ output_file = os.path.join(this_output_folder, file_name + ".json")
+ # If the new file exists, append a number to the name
+ i = 1
+ while os.path.exists(output_file):
+ output_file = os.path.join(this_output_folder, file_name + "-" + str(i) + ".json")
+ i += 1
+ # Create the new file
+ with open(output_file, 'w') as f:
+ json.dump(item, f, sort_keys=False)
+ else:
+ print("ERROR: Unsupported output format", output_format)
+ sys.exit(1)
+ else:
+ print("ERROR: No file name could be derived for recommendation '{0}' (missing name and GUID), skipping. Full reco object: '{1}'".format(item['title'], str(item)))
+ continue
+ # Clean up all empty folders that might exist in the output folder, recursively
+ if overwrite:
+ try:
+ if verbose: print("DEBUG: Removing empty directories in output folder", output_folder)
+ [os.removedirs(p) for p in Path(output_folder).glob('**/*') if p.is_dir() and len(list(p.iterdir())) == 0]
+ except Exception as e:
+ print("ERROR: Error when removing empty directories in output folder", output_folder, ":", str(e))
+
+# Function that guesses a reco name from a reco v2 object by querying Azure Cognitive Services for key phrases
+# The guessed name will be a concatenation of key phrases. The parameter key_phrase_no specifies how many key phrases to use (default is 1)
+def guess_reco_name(reco, cognitive_services_endpoint, cognitive_services_key, key_phrase_no=1, version=2, verbose=False):
+ # Dependencies
+ from azure.ai.textanalytics import TextAnalyticsClient
+ from azure.core.credentials import AzureKeyCredential
+ # Put the reco's GUID in a variable
+ if 'guid' in reco:
+ reco_guid = reco['guid']
+ elif 'labels' in reco and 'guid' in reco['labels']:
+ reco_guid = reco['labels']['guid']
+ else:
+ reco_guid = None
+ # Authenticate
+ ta_credential = AzureKeyCredential(cognitive_services_key)
+ text_analytics_client = TextAnalyticsClient(
+ endpoint=cognitive_services_endpoint,
+ credential=ta_credential)
+ # Prepare the document (either the title, the description or both), depending on the version being used (the field names vary)
+ if version == 1:
+ if 'text' in reco and 'description' in reco:
+ documents = [reco['text'] + '. ' + reco['description']]
+ elif 'text' in reco:
+ documents = [reco['text']]
+ elif 'description' in reco:
+ documents = [reco['description']]
+ else:
+ if verbose: print("ERROR: No title or description found for reco {0} that can be used to derive name".format(reco_guid))
+ return ''
+ elif version == 2:
+ if 'title' in reco and 'description' in reco:
+ documents = [reco['title'] + '. ' + reco['description']]
+ elif 'title' in reco:
+ documents = [reco['title']]
+ elif 'description' in reco:
+ documents = [reco['description']]
+ else:
+ if verbose: print("ERROR: No title or description found for reco {0} that can be used to derive name".format(reco_guid))
+ return ''
+ else:
+ print("ERROR: Unsupported version for name guessing", version)
+ # Extract key phrases
+ if verbose: print("DEBUG: Guessing recommendation name for reco '{0}'. Using endpoint {2} and string '{1}'...".format(reco_guid, documents[0], cognitive_services_endpoint))
+ try:
+ response = text_analytics_client.extract_key_phrases(documents = documents)[0]
+ except Exception as err:
+ print("Encountered exception. {}".format(err))
+ return None
+ # Return first key phrase(s) as the guessed name formated without blanks
+ if not response.is_error:
+ # Concatenate the first n key phrases
+ i = 0
+ guessed_name = ''
+ while i < key_phrase_no and i < len(response.key_phrases):
+ guessed_name += response.key_phrases[i].title()
+ i += 1
+ # Remove non alphanumeric characters
+ guessed_name = ''.join(c for c in guessed_name if c.isalpha())
+ # Remove non-ASCII characters
+ guessed_name = ''.join(c for c in guessed_name if c.isascii())
+ # The source is used as prefix, if there is one
+ if 'source' in reco and 'type' in reco['source']:
+ guessed_name = reco['source']['type'].lower() + '-' + guessed_name
+ else:
+ if verbose:
+ print("WARNING: No source type found for reco", reco_guid)
+ if verbose:
+ print("DEBUG: Key Phrases for reco:", str(response.key_phrases), '- Guessed name:', guessed_name)
+ return guessed_name
+ else:
+ print(response.id, response.error)
+ return None
+
+# Load a v1 checklist and generate a v2 checklist YAML file
+# If use_names = True, it will add a name selector instead of a GUID selector. Recos folder needs to be specified
+# Try to match the subarea sections with services if possible, if not use a guid selector
+def checklist_v1_to_v2(input_file, output_file, use_names=False, v2recos_folder=None, verbose=None):
+ # Load the v1 checklist
+ try:
+ if verbose: print("DEBUG: Loading v1 checklist from file", input_file)
+ with open(input_file) as f:
+ checklist_v1 = json.load(f)
+ except Exception as e:
+ print("ERROR: Error when processing JSON file", input_file, ":", str(e))
+ return None
+ # If use_names is True, load the v2 recos
+ if use_names:
+ if not v2recos_folder:
+ print("ERROR: Recos folder needs to be specified when using names")
+ return None
+ if verbose: print("DEBUG: Loading v2 recos from folder {0}, since using names...".format(v2recos_folder))
+ v2recos = cl_analyze_v2.load_v2_files(v2recos_folder, verbose=False)
+ if verbose: print("DEBUG: {0} v2 recos loaded.".format(len(v2recos)))
+ # Create the v2 checklist
+ checklist_v2 = {}
+ # Add the metadata
+ if 'metadata' in checklist_v1:
+ if 'name' in checklist_v1['metadata']:
+ checklist_v2['name'] = checklist_v1['metadata']['name']
+ else:
+ checklist_v2['name'] = 'Name missing from checklist YAML file'
+ else:
+ checklist_v2['name'] = 'Name missing from checklist YAML file'
+ # Create a dictionary with areas/subareas
+ area_list = list(set([x['category'] for x in checklist_v1['items'] if 'category' in x]))
+ if verbose: print("DEBUG: {0} areas found in v1 checklist.".format(len(area_list)))
+ area_dict = {}
+ for area in area_list:
+ area_dict[area] = list(set([x['subcategory'] for x in checklist_v1['items'] if ('subcategory' in x) and ('category' in x) and (x['category'] == area)]))
+ if verbose: print("DEBUG: {0} subareas found in area {1}.".format(len(area_dict[area]), area))
+ # For each area/subarea, add a guid selector
+ checklist_v2['areas'] = []
+ for area in area_dict.keys():
+ checklist_v2_area_object = {'name': area, 'subareas': []}
+ for subarea in area_dict[area]:
+ guids = [x['guid'] for x in checklist_v1['items'] if ('guid' in x) and ('category' in x) and (x['category'] == area) and ('subcategory' in x) and (x['subcategory'] == subarea)]
+ if verbose: print("DEBUG: {0} GUIDs found in area {1} and subarea {2}.".format(len(guids), area, subarea))
+ if use_names:
+ names = [cl_analyze_v2.get_reco_name_from_guid(v2recos, x) for x in guids]
+ names = [x for x in names if x] # Remove empty names
+ if verbose: print("DEBUG: {0} names found in area {1} and subarea {2}.".format(len(names), area, subarea))
+ if names and len(names) > 0:
+ checklist_v2_subarea_object = {'name': subarea, 'include': {'nameSelector': names}}
+ checklist_v2_area_object['subareas'].append(checklist_v2_subarea_object)
+ else:
+ if guids and len(guids) > 0:
+ checklist_v2_subarea_object = {'name': subarea, 'include': {'guidSelector': guids}}
+ checklist_v2_area_object['subareas'].append(checklist_v2_subarea_object)
+ checklist_v2['areas'].append(checklist_v2_area_object)
+ # Write the output file
+ if verbose: print("DEBUG: Writing v2 checklist to file", output_file)
+ with open(output_file, 'w') as f:
+ yaml.dump(checklist_v2, f, indent=4, sort_keys=False)
+ return checklist_v2
+
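Review bot: `store_v2` never reaches its GUID fallback: `generate_v2` sets `v2reco['name'] = ''` whenever no text-analytics endpoint is supplied, and the `if 'name' in item` test at the top of the per-item loop in `store_v2` accepts that empty string as the file name, so every such reco is skipped with the misleading "missing name and GUID" error; `file_name = item.get('name') or item.get('guid') or (item.get('labels') or {}).get('guid')` restores the intended fallback. In `generate_v2`, `existing_v2recos.append(v2reco)` at the end of the item loop raises AttributeError when the caller passes the `None` the warning above it explicitly allows — set `existing_v2recos = []` right after the warning. Also worth a check: `file_name` and `item['waf']` go straight into `os.path.join` with no sanitisation, so a name containing `/` or `..` (guessed names here are alphabetic only, but `store_v2` also accepts recos loaded from YAML files) would create the file outside `output_folder`; rejecting names where `os.path.basename(file_name) != file_name` closes that. Smaller defects in the same hunk: the unsupported-`version` branch of `guess_reco_name` prints an error and then falls through to use the unbound `documents`, the WAF debug message in `generate_v2` has its `input_file` and `item['waf']` format arguments swapped, `remove_empty_dirs` walks the tree but removes nothing, and `checklist_v1_to_v2` builds `area_list` from a `set`, so area order in the written YAML changes between runs (use `dict.fromkeys` to de-duplicate while keeping order).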
diff --git a/scripts/modules/cl_v2tov1.py b/scripts/modules/cl_v2tov1.py
new file mode 100644
index 000000000..78a193eb2
--- /dev/null
+++ b/scripts/modules/cl_v2tov1.py
@@ -0,0 +1,144 @@
+#######################################
+#
+# Module to generate v1-formatted checklists
+# from v2-formatted recommendations.
+#
+#######################################
+
+# Dependencies
+import sys
+import yaml
+import json
+import os
+from pathlib import Path
+from . import cl_analyze_v2
+from . import cl_v1tov2
+import datetime
+
+
+# Function that returns a data structure with the objects in v1 format
+def generate_v1(checklist_file, input_folder, output_file, service_dictionary=None, verbose=False):
+ # Get checklist object and full reco list
+ checklist_v2 = cl_analyze_v2.get_checklist_object(checklist_file)
+ recos_v2_full = cl_analyze_v2.get_recos(input_folder, verbose=False)
+ recos_v1 = []
+ area_index = 0
+ subarea_index = 0
+ reco_index = 0
+ # Selectors can be at the checklist root, in an area, or a subarea
+ if 'include' in checklist_v2:
+ root_include_selectors = cl_analyze_v2.get_object_selectors(checklist_v2['include'])
+ if 'exclude' in checklist_v2:
+ root_exclude_selectors = cl_analyze_v2.get_object_selectors(checklist_v2['exclude'])
+ else:
+ root_exclude_selectors = None
+ # Filter all recos according to the selectors
+ root_recos_v2 = cl_analyze_v2.filter_v2_recos(recos_v2_full, include=root_include_selectors, exclude=root_exclude_selectors)
+ if verbose: print("{0} recos extracted at root level".format(len(root_recos_v2)))
+ recos_v1 += [get_v1_from_v2(x, service_dictionary=service_dictionary) | {'id': i+1} for i, x in enumerate(root_recos_v2)]
+ if 'areas' in checklist_v2:
+ for area in checklist_v2['areas']:
+ if 'name' in area:
+ area_index += 1
+ subarea_index = 0
+ if 'include' in area:
+ area_include_selectors = cl_analyze_v2.get_object_selectors(area['include'])
+ if 'exclude' in area:
+ area_exclude_selectors = cl_analyze_v2.get_object_selectors(area['exclude'])
+ else:
+ area_exclude_selectors = None
+ # Filter all recos according to the selectors
+ area_recos_v2 = cl_analyze_v2.filter_v2_recos(recos_v2_full, include=area_include_selectors, exclude=area_exclude_selectors)
+ if verbose: print("{0} recos extracted at area {1}".format(len(area_recos_v2), area['name']))
+ recos_v1 += [get_v1_from_v2(x, service_dictionary=service_dictionary) | {'category': area['name'], 'id': get_reco_id(i+1, subarea_index=None, area_index=area_index)} for i, x in enumerate(area_recos_v2)]
+ else:
+ if verbose: print("WARNING: skipping area '{0}', no include specified.".format(area['name']))
+ if 'subareas' in area:
+ for subarea in area['subareas']:
+ if 'name' in subarea:
+ subarea_index += 1
+ if 'include' in subarea:
+ subarea_include_selectors = cl_analyze_v2.get_object_selectors(subarea['include'])
+ if 'exclude' in subarea:
+ subarea_exclude_selectors = cl_analyze_v2.get_object_selectors(subarea['exclude'])
+ else:
+ subarea_exclude_selectors = None
+ # Filter all recos according to the selectors
+ subarea_recos_v2 = cl_analyze_v2.filter_v2_recos(recos_v2_full, include=subarea_include_selectors, exclude=subarea_exclude_selectors)
+ if verbose: print("{0} recos extracted at area '{1}', subarea '{2}'".format(len(subarea_recos_v2), area['name'], subarea['name']))
+ recos_v1 += [get_v1_from_v2(x, service_dictionary=service_dictionary) | {'category': area['name'], 'subcategory': subarea['name'], 'id': get_reco_id(i+1, subarea_index=subarea_index, area_index=area_index)} for i, x in enumerate(subarea_recos_v2)]
+ else:
+ if verbose: print("WARNING: skipping subarea '{0}' in area '{1}, no include specified.".format(subarea['name'], area['name']))
+ else:
+ if verbose: print("WARNING: Skipping subarea in area {0}, no name specified.".format(area['name']))
+ else:
+ if verbose: print("WARNING: Skipping area, no name specified.")
+ # Build the rest of the checklist structure
+ categories = list(set([x['category'] for x in recos_v1 if 'category' in x]))
+ cat_object = [{'name': x.title()} for x in categories]
+ waf_pillars = list(set([x['waf'] for x in recos_v1 if 'waf' in x]))
+ waf_pillars_object = [{'name': x} for x in waf_pillars]
+ checklist_v1 = {
+ 'items': recos_v1,
+ 'yesno': ({'name': 'Yes'}, {'name': 'No'}),
+ 'waf': waf_pillars_object,
+ 'categories': cat_object,
+ 'metadata': {'timestamp': datetime.date.today().strftime("%B %d, %Y")}
+ }
+ if 'name' in checklist_v2:
+ checklist_v1['metadata']['name'] = checklist_v2['name']
+ else:
+ checklist_v1['metadata']['name'] = 'Name missing from checklist YAML file'
+ # Write the output file
+ if verbose: print("DEBUG: Dumping v1 checklist to file", output_file)
+ if output_file:
+ try:
+ with open(output_file, 'w') as f:
+ json.dump(checklist_v1, f, indent=4)
+ except Exception as e:
+ print("ERROR: Error writing output file {0} - {1}".format(output_file, str(e)))
+ sys.exit(1)
+
+# Function that returns a string ID for a reco of the format A01.01
+# Area and subarea are optional, but the reco_index is mandatory
+def get_reco_id (reco_index, subarea_index=None, area_index=None):
+ if reco_index:
+ reco_id = str(reco_index).zfill(2)
+ if subarea_index:
+ reco_id = str(subarea_index).zfill(2) + '.' + reco_id
+ if area_index:
+ reco_id = chr(area_index + 64) + reco_id
+ return reco_id
+ else:
+ return None
+
+# Function that returns a single v1 reco out of a single v2 reco:
+def get_v1_from_v2(reco_v2, service_dictionary=None):
+ reco_v1 = {}
+ # GUID (not mandatory in v2)
+ if 'guid' in reco_v2:
+ reco_v1['guid'] = reco_v2['guid']
+ elif 'labels' in reco_v2 and 'guid' in reco_v2['labels']:
+ reco_v1['guid'] = reco_v2['labels']['guid']
+ # Mandatory fields
+ if 'title' in reco_v2:
+ reco_v1['text'] = reco_v2['title']
+ elif 'text' in reco_v2: # Legacy
+ reco_v1['text'] = reco_v2['text']
+ if 'description' in reco_v2:
+ reco_v1['description'] = reco_v2['description']
+ if 'severity' in reco_v2:
+ if reco_v2['severity'] == 0:
+ reco_v1['severity'] = 'High'
+ elif reco_v2['severity'] == 1:
+ reco_v1['severity'] = 'Medium'
+ elif reco_v2['severity'] == 2:
+ reco_v1['severity'] = 'Low'
+ # Services not there in v2
+ if 'services' in reco_v2:
+ reco_v1['service'] = reco_v2['service'][0]
+ elif 'resourceTypes' in reco_v2 and len(reco_v2['resourceTypes']) > 0:
+ reco_v1['service'] = cl_v1tov2.get_standard_service_name(reco_v2['resourceTypes'][0], service_dictionary=service_dictionary)
+ if 'waf' in reco_v2:
+ reco_v1['waf'] = reco_v2['waf']
+ return reco_v1
\ No newline at end of file
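Review bot: The key check and the key read disagree in get_v1_from_v2: the branch is entered when `'services'` is in reco_v2 but then indexes `reco_v2['service'][0]`, so any v2 reco that actually carries a `services` list raises KeyError (and an empty list would raise IndexError). Whichever key name the v2 schema uses, the test and the read must agree and the list must be non-empty, e.g. `if reco_v2.get('services'):` followed by `reco_v1['service'] = reco_v2['services'][0]`. Separately, the header comment on generate_v1 says the function returns the v1 data structure, but the body ends after the file write with no `return checklist_v1`, so callers receive None; either add `return checklist_v1` after the write block or reword the comment to say it only writes output_file. `chr(area_index + 64)` in get_reco_id also produces non-letter prefixes beyond 26 areas, which is worth a one-line comment even if it never happens in practice.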
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
new file mode 100644
index 000000000..f78ba5b80
--- /dev/null
+++ b/scripts/requirements.txt
@@ -0,0 +1,7 @@
+pyyaml
+requests
+azure-identity
+azure-mgmt-resource
+azure-mgmt-resourcegraph
+azure-ai-textanalytics
+jsonschema
\ No newline at end of file
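Review bot: None of the seven dependencies is pinned, so every install from this file resolves to whatever release is newest at that moment — a supply-chain exposure and a reproducibility problem for scripts that generate and verify the repository's checklists. Pin each line to the version you tested with (`pyyaml==<tested version>` and so on, or generate the file with `pip freeze` / `pip-compile`), and consider installing with `--require-hashes` so the pins also bind the artifact contents. I can't see from this diff whether the file is consumed by a GitHub Action or only by developers; pinning is warranted either way.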
diff --git a/scripts/service_dictionary.json b/scripts/service_dictionary.json
index a8f87dab4..568fc6f26 100644
--- a/scripts/service_dictionary.json
+++ b/scripts/service_dictionary.json
@@ -15,7 +15,7 @@
"service": "ExpressRoute Traffic Collector"
},
{
- "names": ["VPN Gateway", "Azure VPN Gateway", "VPN", "microsoft.network/vpnGateways", "microsoft.network/virtualNetworkGateways", "Microsoft.Network/virtualNetworkGateways"],
+ "names": ["VPN Gateway", "Azure VPN Gateway", "VPN", "microsoft.network/vpnGateways", "microsoft.network/virtualNetworkGateways", "Microsoft.Network/virtualNetworkGateways", "Microsoft.Network/connections"],
"arm": "microsoft.network/virtualNetworkGateways",
"service": "VPN"
},
@@ -95,7 +95,7 @@
"service": "Backup"
},
{
- "names": ["Azure Monitor", "Monitor", "Microsoft.Insights/components"],
+ "names": ["Azure Monitor", "Monitor", "Microsoft.Insights/components", "Microsoft.Insights/activityLogAlerts", "Microsoft.OperationalInsights/workspaces"],
"arm": "Microsoft.Insights/components",
"service": "Monitor"
},
@@ -155,7 +155,7 @@
"service": "VNet"
},
{
- "names": ["Virtual Machines", "Azure Virtual Machine", "VM", "Microsoft.Compute/virtualMachines", "Microsoft.VirtualMachineImages/imageTemplates"],
+ "names": ["Virtual Machines", "Azure Virtual Machine", "VM", "Microsoft.Compute/virtualMachines", "Microsoft.VirtualMachineImages/imageTemplates", "Microsoft.Compute/galleries"],
"arm": "Microsoft.Compute/virtualMachines",
"service": "VM"
},
@@ -180,7 +180,7 @@
"service": "ACR"
},
{
- "names": ["Redis Cache", "Azure Redis Cache", "Redis"],
+ "names": ["Redis Cache", "Azure Redis Cache", "Redis", "Microsoft.Cache/Redis", "Microsoft.Cache/redis"],
"arm": "microsoft.cache/redis",
"service": "Redis"
},
@@ -305,8 +305,48 @@
"service": "Policy"
},
{
- "names": ["Azure Virtual Desktop", "AVD", "Microsoft.DesktopVirtualization/hostPools"],
+ "names": ["Azure Virtual Desktop", "AVD", "Microsoft.DesktopVirtualization/hostPools", "Microsoft.DesktopVirtualization/scalingPlans"],
"arm": "Microsoft.DesktopVirtualization/hostPools",
"service": "AVD"
+ },
+ {
+ "names": ["Microsoft.Batch/batchAccounts", "Batch", "Azure Batch"],
+ "arm": "Microsoft.Batch/batchAccounts",
+ "service": "Batch"
+ },
+ {
+ "names": ["Microsoft.AAD/domainServices", "Entra", "AADDS", "Azure Active Directory Domain Services"],
+ "arm": "Microsoft.AAD/domainServices",
+ "service": "Entra"
+ },
+ {
+ "names": ["Microsoft.Resources/resourceGroups"],
+ "arm": "Microsoft.Resources/resourceGroups",
+ "service": "Resource Group"
+ },
+ {
+ "names": ["Microsoft.Subscription/Subscriptions"],
+ "arm": "Microsoft.Subscription/Subscriptions",
+ "service": "Subscription"
+ },
+ {
+ "names": ["Microsoft.App/managedenvironments"],
+ "arm": "Microsoft.App/managedenvironments",
+ "service": "Container Apps"
+ },
+ {
+ "names": ["Microsoft.AppConfiguration/configurationStores"],
+ "arm": "Microsoft.AppConfiguration/configurationStores",
+ "service": "App Configuration"
+ },
+ {
+ "names": ["Microsoft.Automation/automationAccounts"],
+ "arm": "Microsoft.Automation/automationAccounts",
+ "service": "Automation"
+ },
+ {
+ "names": ["Microsoft.SignalRService/SignalR"],
+ "arm": "Microsoft.SignalRService/SignalR",
+ "service": "SignalR"
}
]
\ No newline at end of file
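Review bot: The new entry that maps `Microsoft.AAD/domainServices` to the service name `Entra` also carries the aliases `AADDS` and `Azure Active Directory Domain Services`, which folds two different products into one label: Entra ID (the tenant identity service) and Entra Domain Services (the managed AD DS domain, which is what this ARM type denotes). Any recommendation a caller tags as `Entra` — tenant settings, conditional access and the like — will be resolved to the domainServices ARM type, so the `arm` field is wrong for it. I'd split this into two entries, `Entra ID` without the domainServices ARM type and `Entra Domain Services` keeping `Microsoft.AAD/domainServices` and the `AADDS` aliases. The `Microsoft.Subscription/Subscriptions` entry may have a similar issue, since subscriptions are more commonly surfaced as `Microsoft.Resources/subscriptions`, but I can't see which source these strings are matched against, so confirm before changing it.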
diff --git a/scripts/verify_checklist.py b/scripts/verify_checklist.py
index e577edced..56d93a9df 100644
--- a/scripts/verify_checklist.py
+++ b/scripts/verify_checklist.py
@@ -11,6 +11,7 @@
import sys
import glob
import os
+from scripts.modules import cl_analyze_v1
# Get input arguments
parser = argparse.ArgumentParser(description='Verify a JSON checklist for correctness')
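Review bot: The new `from scripts.modules import cl_analyze_v1` only resolves when the repository root is on `sys.path` and `scripts` is importable as a package, i.e. when the tool is run as `python -m scripts.verify_checklist` from the repo root; invoked as `python scripts/verify_checklist.py`, the interpreter puts the `scripts` directory itself on the path and the import fails with ModuleNotFoundError. The sibling modules added in this change use relative imports (`from . import cl_analyze_v2`), which carry the same constraint. Either document the required invocation in a comment above the import, `# Run from the repo root: python -m scripts.verify_checklist`, or make the script location-independent by importing `modules` relative to `os.path.dirname(__file__)` — whichever matches how the workflows call it, which I can't see from here.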
@@ -25,154 +26,12 @@
help='run in verbose mode (default: False)')
args = parser.parse_args()
-# Global variables
-guids = []
-
-# Function that verifies the correctness of a single checklist
-def verify_file(input_file):
- # Banner
- if args.verbose:
- print("DEBUG: ======================================================================")
- print("DEBUG: Verifying file", input_file)
- # Look for non-unicode characters in the file
- if args.verbose:
- print("DEBUG: Verifying all characters are Unicode-8...")
- f1 = open (input_file, "r")
- text = f1.read()
- for line in text:
- for character in line:
- if ord(character) > 127:
- print("ERROR: Non-unicode character found in file", input_file, ":", character)
- sys.exit(1)
- # if args.verbose:
- # print("DEBUG: All characters are Unicode-8")
-
- # Reading into JSON
- if args.verbose:
- print("DEBUG: Verifying JSON can be loaded up...")
- try:
- with open(input_file) as f:
- checklist = json.load(f)
- if 'items' in checklist:
- if args.verbose:
- print("DEBUG: {0} items found in JSON file {1}".format(len(checklist['items']), input_file))
- except Exception as e:
- print("ERROR: Error when processing JSON file, nothing changed", input_file, ":", str(e))
- sys.exit(1)
- # if args.verbose:
- # print("DEBUG: JSON can be loaded up correctly")
-
- # Verify the required keys are present
- if args.verbose:
- print("DEBUG: Verifying the required keys are present...")
- required_keys = ['items', 'metadata', 'categories', 'status', 'severities', 'yesno']
- for key in required_keys:
- if key not in checklist:
- print("ERROR: Required key missing from JSON file", input_file, ":", key)
-
- # Verify the metadata keys are present
- if 'metadata' in checklist:
- if args.verbose:
- print("DEBUG: Verifying the metadata keys are present...")
- required_keys = ['name', 'timestamp', 'state', 'waf']
- for key in required_keys:
- if key not in checklist['metadata']:
- print("ERROR: Required key missing from metadata in JSON file", input_file, ":", key)
- else:
- if args.verbose:
- print("WARNING: skipping metadata verification, no metadata in JSON file", input_file)
-
- # Verify the metadata waf key has a valid value
- if 'metadata' in checklist:
- if 'waf' in checklist['metadata']:
- if checklist['metadata']['waf'].lower() not in ['none', 'all', 'reliability', 'security', 'performance', 'cost', 'operations']:
- print("ERROR: Invalid WAF value in metadata in JSON file", input_file, ":", checklist['metadata']['waf'])
-
- # Verify the items have all required keys
- if args.verbose:
- print("DEBUG: Verifying the items have all required keys...")
- # Counter dictionary for inconsistencies
- item_count = 0
- inconsistencies = {
- 'missing_graph': 0,
- 'missing_description': 0,
- 'wrong_cat': 0,
- 'missing_cat': 0,
- 'missing_subcat': 0,
- 'missing_waf': 0,
- 'wrong_waf': 0,
- 'missing_svc': 0,
- 'missing_link': 0,
- 'missing_sev': 0,
- 'missing_guid': 0,
- 'localized_link': 0
- }
- # Load categories to verify whether the items have the correct category
- if 'categories' in checklist:
- categories = [x['name'] for x in checklist['categories']]
- if args.verbose:
- print("DEBUG: Categories found in JSON file", input_file, ":", str(categories))
- else:
- categories = []
- if 'items' in checklist:
- for item in checklist['items']:
- item_count += 1
- if 'category' not in item:
- inconsistencies['missing_cat'] += 1
- elif item['category'] not in categories:
- inconsistencies['wrong_cat'] += 1
- if 'subcategory' not in item:
- inconsistencies['missing_subcat'] += 1
- if 'waf' not in item:
- inconsistencies['missing_waf'] += 1
- elif item['waf'].lower() not in ['reliability', 'security', 'performance', 'cost', 'operations']:
- inconsistencies['wrong_waf'] += 1
- if 'service' not in item:
- inconsistencies['missing_svc'] += 1
- if 'guid' not in item:
- inconsistencies['missing_guid'] += 1
- elif item['guid'] in guids:
- print("ERROR: Duplicated GUID in JSON file", input_file, ":", item['guid'])
- else:
- guids.append(item['guid'])
- if 'link' not in item:
- inconsistencies['missing_link'] += 1
- elif 'en-us' in item['link']:
- inconsistencies['localized_link'] += 1
- if 'severity' not in item:
- inconsistencies['missing_sev'] += 1
- if 'graph' not in item:
- inconsistencies['missing_graph'] += 1
- if 'description' not in item:
- inconsistencies['missing_description'] += 1
- if inconsistencies['missing_cat'] > 0:
- print("ERROR: Items with missing category in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_cat'], round(inconsistencies['missing_cat'] / item_count * 100, 2)))
- if inconsistencies['wrong_cat'] > 0:
- print("WARNING: Items with wrong category in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['wrong_cat'], round(inconsistencies['wrong_cat'] / item_count * 100, 2)))
- if inconsistencies['missing_subcat'] > 0:
- print("ERROR: Items with missing subcategory in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_subcat'], round(inconsistencies['missing_subcat'] / item_count * 100, 2)))
- if inconsistencies['missing_waf'] > 0:
- print("WARNING: Items with missing WAF in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_waf'], round(inconsistencies['missing_waf'] / item_count * 100, 2)))
- if inconsistencies['wrong_waf'] > 0:
- print("ERROR: Items with wrong WAF in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['wrong_waf'], round(inconsistencies['wrong_waf'] / item_count * 100, 2)))
- if inconsistencies['missing_svc'] > 0:
- print("WARNING: Items with missing service in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_svc'], round(inconsistencies['missing_svc'] / item_count * 100, 2)))
- if inconsistencies['missing_link'] > 0:
- print("WARNING: Items with missing link in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_link'], round(inconsistencies['missing_link'] / item_count * 100, 2)))
- if inconsistencies['missing_sev'] > 0:
- print("ERROR: Items with missing severity in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['missing_sev'], round(inconsistencies['missing_sev'] / item_count * 100, 2)))
- if inconsistencies['localized_link'] > 0:
- print("WARNING: Items with localized link in JSON file {0}: {1} ({2}%)".format(input_file, inconsistencies['localized_link'], round(inconsistencies['localized_link'] / item_count * 100, 2)))
- return {
- 'item_count': item_count,
- 'inconsistencies': inconsistencies
- }
-
# We need an input file
if args.input_file:
- file_stats = verify_file(args.input_file)
+ guids = []
+ file_stats, guids = cl_analyze_v1.verify_file(args.input_file, guids=guids, verbose=args.verbose)
if args.compare_file:
- compare_stats = verify_file(args.compare_file)
+ compare_stats, guids = cl_analyze_v1.verify_file(args.compare_file, guids=guids, verbose=args.verbose)
# Print the differences between the two checklists stats in a table format
print("INFO: Comparing the two checklists...")
print("INFO: {0: <40} {1: <40} {2: <40}".format("Item", os.path.basename(args.input_file), os.path.basename(args.compare_file)))
@@ -182,6 +41,7 @@ def verify_file(input_file):
print("INFO: {0: <40} {1: <40} {2: <40}".format(key, file_stats['inconsistencies'][key], compare_stats['inconsistencies'][key]))
else:
if args.input_folder:
+ guids = []
language = "en" # This could be changed to a parameter
if args.verbose:
print("DEBUG: looking for JSON files in folder", args.input_folder, "with pattern *.", language + ".json...")
@@ -191,7 +51,7 @@ def verify_file(input_file):
print("DEBUG: found", len(checklist_files), "JSON files, analyzing correctness...")
for file in checklist_files:
if file:
- file_stats = verify_file(file)
+ file_stats, guids = cl_analyze_v1.verify_file(file, guids=guids, verbose=args.verbose)
else:
print("ERROR: no input file found, not doing anything")
else:
diff --git a/v2/checklists/all_recos.yaml b/v2/checklists/all_recos.yaml
new file mode 100644
index 000000000..abfdc872c
--- /dev/null
+++ b/v2/checklists/all_recos.yaml
@@ -0,0 +1,6 @@
+name: 'All recommendations'
+include:
+ sourceSelector:
+ - aprl
+ - revcl
+ - wafsg
\ No newline at end of file
diff --git a/v2/checklists/alz.json b/v2/checklists/alz.json
new file mode 100644
index 000000000..af0df6f4c
--- /dev/null
+++ b/v2/checklists/alz.json
@@ -0,0 +1,2348 @@
+{
+ "items": [
+ {
+ "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c",
+ "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.01"
+ },
+ {
+ "guid": "6cc0ea22-42bb-441e-a345-804ab0a09666",
+ "text": "For Sovereign Landing Zone, have a 'confidential corp' and 'confidential online' management group directly under the 'landing zones' MG.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.02"
+ },
+ {
+ "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40",
+ "text": "Enforce a process for cost management",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.03"
+ },
+ {
+ "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3",
+ "text": "Ensure tags are used for billing and cost management",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.04"
+ },
+ {
+ "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de",
+ "text": "If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the identity management group, to host these services. Make sure that resources are set to use the domain controllers available in their region.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.05"
+ },
+ {
+ "guid": "2df27ee4-12e7-4f98-9f63-04722dd69c5b",
+ "text": "Enforce reasonably flat management group hierarchy with no more than four levels.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.06"
+ },
+ {
+ "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8",
+ "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.07"
+ },
+ {
+ "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19",
+ "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.08"
+ },
+ {
+ "guid": "61623a76-5a91-47e1-b348-ef254c27d42e",
+ "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.09"
+ },
+ {
+ "guid": "c68e1d76-6673-413b-9f56-64b5e984a859",
+ "text": "Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. Enforce the use of purchased Reserved Instance VM SKUs via Azure Policy.",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.10"
+ },
+ {
+ "guid": "49b82111-2df2-47ee-912e-7f983f630472",
+ "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary.",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.11"
+ },
+ {
+ "guid": "92481607-d5d1-4e4e-9146-58d3558fd772",
+ "text": "Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.12"
+ },
+ {
+ "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34",
+ "text": "Enforce no subscriptions are placed under the root management group",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.13"
+ },
+ {
+ "guid": "667313b4-f566-44b5-b984-a859c773e7d2",
+ "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.14"
+ },
+ {
+ "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25",
+ "text": "Establish dashboards and/or visualizations to monitor compute and storage capacity metrics. (i.e. CPU, memory, disk space)",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Subscriptions",
+ "id": "A01.15"
+ },
+ {
+ "guid": "19ca3f89-397d-44b1-b5b6-5e18661372ac",
+ "text": "Consider a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint",
+ "severity": "Medium",
+ "waf": "Reliability",
+ "category": "Resource Organization",
+ "subcategory": "Regions",
+ "id": "A02.01"
+ },
+ {
+ "guid": "250d81ce-8bbe-4f85-9051-6a18a8221e50",
+ "text": "Select the right Azure region/s for your deployment. Azure is a global-scale cloud platform that provide global coverage through many regions and geographies. Different Azure regions have different characteristics, access and availability models, costs, capacity, and services offered, then it is important to consider all criteria and requirements",
+ "severity": "High",
+ "waf": "Reliability",
+ "category": "Resource Organization",
+ "subcategory": "Regions",
+ "id": "A02.02"
+ },
+ {
+ "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908",
+ "text": "Ensure required services and features are available within the chosen deployment regions",
+ "severity": "Medium",
+ "waf": "Reliability",
+ "category": "Resource Organization",
+ "subcategory": "Regions",
+ "id": "A02.03"
+ },
+ {
+ "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a",
+ "text": "It is recommended to follow Microsoft Best Practice Naming Standards",
+ "description": "Consider using the Azure naming tool available at https://aka.ms/azurenamingtool",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Resource Organization",
+ "subcategory": "Naming and tagging",
+ "id": "A03.01"
+ },
+ {
+ "guid": "29fd366b-a180-452b-9bd7-954b7700c667",
+ "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.",
+ "severity": "Medium",
+ "waf": "Cost",
+ "category": "Governance",
+ "subcategory": "Optimize your cloud investment",
+ "id": "B01.01"
+ },
+ {
+ "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
+ "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.01"
+ },
+ {
+ "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
+ "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.02"
+ },
+ {
+ "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
+ "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.03"
+ },
+ {
+ "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
+ "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.04"
+ },
+ {
+ "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
+ "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
+ "severity": "High",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.05"
+ },
+ {
+ "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
+ "text": "Use built-in policies where possible to minimize operational overhead.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.06"
+ },
+ {
+ "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
+ "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
+ "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.07"
+ },
+ {
+ "guid": "19048384-5c98-46cb-8913-156a12476e49",
+ "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.08"
+ },
+ {
+ "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
+ "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.09"
+ },
+ {
+ "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
+ "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.10"
+ },
+ {
+ "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
+ "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.",
+ "severity": "Medium",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.11"
+ },
+ {
+ "guid": "43334f24-9116-4341-a2ba-527526944008",
+ "text": "Use Azure Policy to control which services users can provision at the subscription/management group level",
+ "severity": "Low",
+ "service": "Policy",
+ "waf": "Security",
+ "category": "Governance",
+ "subcategory": "Governance",
+ "id": "B02.12"
+ },
+ {
+ "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f",
+ "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.",
+ "severity": "High",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "Security",
+ "id": "C01.01"
+ },
+ {
+ "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73",
+ "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to build and maintain your Azure Landing Zone architecture. Both from a Platform and Application workload perspective.",
+ "severity": "High",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "Development Strategy",
+ "id": "C02.01"
+ },
+ {
+ "guid": "634146bf-7085-4419-a7b5-f96d2726f6da",
+ "text": "Aim to define functions for Azure Landing Zone Platform team.",
+ "severity": "Low",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "DevOps Team Topologies",
+ "id": "C03.01"
+ },
+ {
+ "guid": "165eb5e9-b434-448a-9e24-178632186212",
+ "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.",
+ "severity": "High",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "DevOps Team Topologies",
+ "id": "C03.02"
+ },
+ {
+ "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a",
+ "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
+ "severity": "High",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "DevOps Team Topologies",
+ "id": "C03.03"
+ },
+ {
+ "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5",
+ "text": "Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
+ "severity": "Low",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "DevOps Team Topologies",
+ "id": "C03.04"
+ },
+ {
+ "guid": "a52e0c98-76b9-4a09-a1c9-6b2babf22ac4",
+ "text": "Implement automation for new landing zone for applications and workloads through subscription vending",
+ "severity": "Low",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "DevOps Team Topologies",
+ "id": "C03.05"
+ },
+ {
+ "guid": "0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460",
+ "text": "Include unit tests for IaC and application code as part of your build process.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "DevOps Team Topologies",
+ "id": "C03.06"
+ },
+ {
+ "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
+ "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
+ "severity": "High",
+ "service": "Key Vault",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "DevOps Team Topologies",
+ "id": "C03.07"
+ },
+ {
+ "guid": "c7245dd4-af8a-403a-8bb7-890c1a7cfa9d",
+ "text": "Follow a branching strategy to allow teams to collaborate better and efficiently manage version control of IaC and application Code. Review options such as Github Flow.",
+ "severity": "Low",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "Development Lifecycle",
+ "id": "C04.01"
+ },
+ {
+ "guid": "12aeea20-9165-4b3e-bdf2-6795fcd3cdbe",
+ "text": "Adopt a pull request strategy to help keep control of code changes merged into branches.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "Development Lifecycle",
+ "id": "C04.02"
+ },
+ {
+ "guid": "2676ae46-65ca-444e-8695-fdddeace4cb1",
+ "text": "Establish a process for using code to implement quick fixes. Always register quick fixes in your team's backlog so each fix can be reworked at a later point, and you can limit technical debt.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "Development Lifecycle",
+ "id": "C04.03"
+ },
+ {
+ "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b",
+ "text": "Ensure a version control system is used for source code of applications and IaC developed. Microsoft recommends Git.",
+ "severity": "High",
+ "waf": "Operations",
+ "category": "Platform Automation and DevOps",
+ "subcategory": "Development Lifecycle",
+ "id": "C04.04"
+ },
+ {
+ "guid": "859c3900-4514-41eb-b010-475d695abd74",
+ "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.01"
+ },
+ {
+ "guid": "619e8a13-f988-4795-85d6-26886d70ba6c",
+ "text": "When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.02"
+ },
+ {
+ "guid": "a6e55d7d-8a2a-4db1-87d6-326af625ca44",
+ "text": "Use deny policies to supplement Azure role assignments. The combination of deny policies and Azure role assignments ensures the appropriate guardrails are in place to enforce who can deploy and configure resources and what resources they can deploy and configure.",
+ "severity": "Low",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.03"
+ },
+ {
+ "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c",
+ "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.04"
+ },
+ {
+ "guid": "541acdce-9793-477b-adb3-751ab2ab13ad",
+ "text": "Use resource locks to prevent accidental deletion of critical shared services.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.05"
+ },
+ {
+ "guid": "e5695f22-23ac-4e8c-a123-08ca5017f154",
+ "text": "Include service and resource health events as part of the overall platform monitoring solution. Tracking service and resource health from the platform perspective is an important component of resource management in Azure.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.06"
+ },
+ {
+ "guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610",
+ "text": "Establish monitoring for platform components of your landing zone, AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.07"
+ },
+ {
+ "guid": "e3ab3693-829e-47e3-8618-3687a0477a20",
+ "text": "Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration is required, then send critical alerts instead of logs.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.08"
+ },
+ {
+ "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
+ "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.09"
+ },
+ {
+ "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
+ "text": "Use Azure Monitor alerts for the generation of operational alerts.",
+ "severity": "Medium",
+ "service": "Monitor",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.10"
+ },
+ {
+ "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
+ "text": "Use Azure Monitor Logs for insights and reporting.",
+ "severity": "Medium",
+ "service": "Monitor",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.11"
+ },
+ {
+ "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
+ "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.",
+ "severity": "Medium",
+ "service": "Monitor",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.12"
+ },
+ {
+ "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
+ "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.",
+ "severity": "Medium",
+ "service": "Monitor",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.13"
+ },
+ {
+ "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
+ "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.",
+ "severity": "Medium",
+ "service": "Monitor",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.14"
+ },
+ {
+ "guid": "90483845-c986-4cb2-a131-56a12476e49f",
+ "text": "Use Network Watcher to proactively monitor traffic flows",
+ "severity": "Medium",
+ "service": "Network Watcher",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "id": "D01.15"
+ },
+ {
+ "guid": "84101f59-1941-4195-a270-e28034290e3a",
+ "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Reliability",
+ "category": "Management",
+ "subcategory": "Fault Tolerance",
+ "id": "D02.01"
+ },
+ {
+ "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
+ "text": "Leverage Availability Zones for your VMs in regions where they are supported.",
+ "severity": "High",
+ "service": "VM",
+ "waf": "Reliability",
+ "category": "Management",
+ "subcategory": "Fault Tolerance",
+ "id": "D02.02"
+ },
+ {
+ "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
+ "text": "Avoid running a production workload on a single VM.",
+ "severity": "High",
+ "service": "VM",
+ "waf": "Reliability",
+ "category": "Management",
+ "subcategory": "Fault Tolerance",
+ "id": "D02.03"
+ },
+ {
+ "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb",
+ "text": "Consider cross-region replication in Azure for BCDR with paired regions",
+ "severity": "Medium",
+ "waf": "Reliability",
+ "category": "Management",
+ "subcategory": "Data Protection",
+ "id": "D03.01"
+ },
+ {
+ "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
+ "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS",
+ "severity": "Medium",
+ "service": "Site Recovery",
+ "waf": "Reliability",
+ "category": "Management",
+ "subcategory": "Data Protection",
+ "id": "D03.02"
+ },
+ {
+ "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
+ "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.",
+ "severity": "Medium",
+ "service": "microsoft.network/frontdoorwebapplicationfirewalls",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "App delivery",
+ "id": "D04.01"
+ },
+ {
+ "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
+ "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.",
+ "severity": "High",
+ "service": "microsoft.network/frontdoorwebapplicationfirewalls",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "App delivery",
+ "id": "D04.02"
+ },
+ {
+ "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Operational compliance",
+ "id": "D05.01"
+ },
+ {
+ "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Operational compliance",
+ "id": "D05.02"
+ },
+ {
+ "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
+ "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Security",
+ "category": "Management",
+ "subcategory": "Operational compliance",
+ "id": "D05.03"
+ },
+ {
+ "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
+ "text": "Monitor VM security configuration drift via Azure Policy.",
+ "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Security",
+ "category": "Management",
+ "subcategory": "Operational compliance",
+ "id": "D05.04"
+ },
+ {
+ "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a",
+ "text": "Ensure to use and test native PaaS service disaster recovery capabilities.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Protect and Recover",
+ "id": "D06.01"
+ },
+ {
+ "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
+ "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Protect and Recover",
+ "id": "D06.02"
+ },
+ {
+ "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
+ "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.",
+ "severity": "Medium",
+ "service": "Site Recovery",
+ "waf": "Operations",
+ "category": "Management",
+ "subcategory": "Protect and Recover",
+ "id": "D06.03"
+ },
+ {
+ "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215",
+ "text": "Plan how new azure services will be implemented",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Service enablement framework",
+ "id": "E01.01"
+ },
+ {
+ "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b",
+ "text": "Plan how service request will be fulfilled for Azure services",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Service enablement framework",
+ "id": "E01.02"
+ },
+ {
+ "guid": "4e3ab369-3829-4e7e-9161-83687a0477a2",
+ "text": "Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage beyond two years, if necessary.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.01"
+ },
+ {
+ "guid": "874a748b-662d-46d1-9051-2a66498f6dfe",
+ "text": "Use an Azure Event Grid-based solution for log-oriented, real-time alerts",
+ "severity": "Low",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.02"
+ },
+ {
+ "guid": "09945bda-4333-44f2-9911-634182ba5275",
+ "text": "Enable Defender Cloud Security Posture Management for all subscriptions.",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.03"
+ },
+ {
+ "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
+ "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.04"
+ },
+ {
+ "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
+ "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.05"
+ },
+ {
+ "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
+ "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.06"
+ },
+ {
+ "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
+ "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.07"
+ },
+ {
+ "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba",
+ "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.08"
+ },
+ {
+ "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab",
+ "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.09"
+ },
+ {
+ "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
+ "text": "Enable Endpoint Protection on IaaS Servers.",
+ "severity": "High",
+ "service": "VM",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.10"
+ },
+ {
+ "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95",
+ "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.",
+ "severity": "Medium",
+ "service": "Monitor",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Operations",
+ "id": "E02.11"
+ },
+ {
+ "guid": "6f704104-85c1-441f-96d3-c9819911645e",
+ "text": "Separate privileged admin accounts for Azure administrative tasks.",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Secure privileged access",
+ "id": "E03.01"
+ },
+ {
+ "guid": "b86ad884-08e3-4727-94b8-75ba18f20459",
+ "text": "Determine the incident response plan for Azure services before allowing it into production.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Access control",
+ "id": "E04.01"
+ },
+ {
+ "guid": "01365d38-e43f-49cc-ad86-8266abca264f",
+ "text": "Implement a zero-trust approach for access to the Azure platform, where appropriate.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Access control",
+ "id": "E04.02"
+ },
+ {
+ "guid": "16183687-a047-47a2-8994-5bda43334f24",
+ "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.01"
+ },
+ {
+ "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
+ "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.02"
+ },
+ {
+ "guid": "913156a1-2476-4e49-b541-acdce979377b",
+ "text": "Establish an automated process for key and certificate rotation.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.03"
+ },
+ {
+ "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.04"
+ },
+ {
+ "guid": "5017f154-e3ab-4369-9829-e7e316183687",
+ "text": "Use Azure Key Vault to store your secrets and credentials",
+ "severity": "High",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.05"
+ },
+ {
+ "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.06"
+ },
+ {
+ "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
+ "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.07"
+ },
+ {
+ "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
+ "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.08"
+ },
+ {
+ "guid": "a0477a20-9945-4bda-9333-4f2491163418",
+ "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.09"
+ },
+ {
+ "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c",
+ "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.10"
+ },
+ {
+ "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
+ "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.11"
+ },
+ {
+ "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb",
+ "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.12"
+ },
+ {
+ "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
+ "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.",
+ "severity": "Medium",
+ "service": "Key Vault",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Encryption and keys",
+ "id": "E05.13"
+ },
+ {
+ "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
+ "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.",
+ "severity": "High",
+ "service": "Storage",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Overview",
+ "id": "E06.01"
+ },
+ {
+ "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
+ "text": "Secure transfer to storage accounts should be enabled",
+ "severity": "High",
+ "service": "Storage",
+ "waf": "Security",
+ "category": "Security",
+ "subcategory": "Overview",
+ "id": "E06.02"
+ },
+ {
+ "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3",
+ "text": "Periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account",
+ "severity": "Medium",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Microsoft Customer Agreement",
+ "id": "F01.01"
+ },
+ {
+ "guid": "6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c",
+ "text": "Configure Agreement billing account notification contact email",
+ "severity": "Low",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Microsoft Customer Agreement",
+ "id": "F01.02"
+ },
+ {
+ "guid": "90e87802-602f-4dfb-acea-67c60689f1d7",
+ "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management",
+ "severity": "Low",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Microsoft Customer Agreement",
+ "id": "F01.03"
+ },
+ {
+ "guid": "e81a73f0-84c4-4641-b406-14db3b4d1f50",
+ "text": "Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production workloads",
+ "severity": "Low",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Microsoft Customer Agreement",
+ "id": "F01.04"
+ },
+ {
+ "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
+ "text": "Leverage Azure Lighthouse for Multi-Tenant Management",
+ "severity": "Low",
+ "service": "Entra",
+ "waf": "Operations",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Microsoft Entra ID Tenants",
+ "id": "F02.01"
+ },
+ {
+ "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
+ "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
+ "severity": "Low",
+ "service": "Entra",
+ "waf": "Operations",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Microsoft Entra ID Tenants",
+ "id": "F02.02"
+ },
+ {
+ "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
+ "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Operations",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Microsoft Entra ID Tenants",
+ "id": "F02.03"
+ },
+ {
+ "guid": "32952499-58c8-4e6f-ada5-972e67893d55",
+ "text": "Setup Cost Reporting and Views with Azure Cost Management",
+ "severity": "Medium",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Cloud Solution Provider",
+ "id": "F03.01"
+ },
+ {
+ "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01",
+ "text": "Discuss support request and escalation process with CSP partner",
+ "severity": "Low",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Cloud Solution Provider",
+ "id": "F03.02"
+ },
+ {
+ "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
+ "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Cloud Solution Provider",
+ "id": "F03.03"
+ },
+ {
+ "guid": "12cd499f-96e2-4e41-a243-231fb3245a1c",
+ "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy which can help with separating billing.",
+ "severity": "Low",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Enterprise Agreement",
+ "id": "F04.01"
+ },
+ {
+ "guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b",
+ "text": "Make use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads",
+ "severity": "Low",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Enterprise Agreement",
+ "id": "F04.02"
+ },
+ {
+ "guid": "685cb4f2-ac9c-4b19-9167-993ed0b32415",
+ "text": "Configure Notification Contacts to a group mailbox",
+ "severity": "Medium",
+ "waf": "Cost",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Enterprise Agreement",
+ "id": "F04.03"
+ },
+ {
+ "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6",
+ "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allow users with the correct perms review Cost and Billing Data.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Azure Billing and Microsoft Entra ID Tenants",
+ "subcategory": "Enterprise Agreement",
+ "id": "F04.04"
+ },
+ {
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
+ "severity": "High",
+ "service": "DNS",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.01"
+ },
+ {
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
+ "severity": "Medium",
+ "service": "DNS",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.02"
+ },
+ {
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
+ "severity": "Low",
+ "service": "DNS",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.03"
+ },
+ {
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.",
+ "severity": "Medium",
+ "service": "DNS",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.04"
+ },
+ {
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.05"
+ },
+ {
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)",
+ "severity": "High",
+ "service": "VNet",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.06"
+ },
+ {
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "text": "Avoid using overlapping IP address ranges for production and DR sites.",
+ "severity": "High",
+ "service": "VNet",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.07"
+ },
+ {
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
+ "severity": "Low",
+ "service": "VNet",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "IP plan",
+ "id": "G01.08"
+ },
+ {
+ "guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6",
+ "text": "Develop a plan for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front door. You can use the Application Delivery checklist to for recommendations.",
+ "severity": "Medium",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "App delivery",
+ "id": "G02.01"
+ },
+ {
+ "guid": "6138a720-0f1c-4e16-bd30-1d6e872e52e3",
+ "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "App delivery",
+ "id": "G02.02"
+ },
+ {
+ "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
+ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "severity": "Medium",
+ "service": "VNet",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "App delivery",
+ "id": "G02.03"
+ },
+ {
+ "guid": "c2447ec6-6138-4a72-80f1-ce16ed301d6e",
+ "text": "Delegate subnet creation to the landing zone owner.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.01"
+ },
+ {
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "text": "Use a /26 prefix for your Azure Firewall subnets.",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.02"
+ },
+ {
+ "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
+ "text": "Use at least a /27 prefix for your Gateway subnets",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.03"
+ },
+ {
+ "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
+ "text": "Consider the limit of NSG rules per NSG (1000).",
+ "severity": "Medium",
+ "service": "NSG",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.04"
+ },
+ {
+ "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
+ "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
+ "severity": "Medium",
+ "service": "NSG",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.05"
+ },
+ {
+ "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
+ "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.",
+ "severity": "Medium",
+ "service": "NSG",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.06"
+ },
+ {
+ "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
+ "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).",
+ "severity": "Medium",
+ "service": "NSG",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.07"
+ },
+ {
+ "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
+ "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.",
+ "severity": "Medium",
+ "service": "NSG",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.08"
+ },
+ {
+ "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
+ "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
+ "severity": "Medium",
+ "service": "NSG",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Segmentation",
+ "id": "G03.09"
+ },
+ {
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Encryption",
+ "id": "G04.01"
+ },
+ {
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
+ "severity": "Low",
+ "service": "ExpressRoute",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Encryption",
+ "id": "G04.02"
+ },
+ {
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "text": "Consider using Azure Bastion to securely connect to your network.",
+ "severity": "Medium",
+ "service": "microsoft.network/bastionhosts",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.01"
+ },
+ {
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "text": "Use Azure Bastion in a subnet /26 or larger.",
+ "severity": "Medium",
+ "service": "microsoft.network/bastionhosts",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.02"
+ },
+ {
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
+ "severity": "Low",
+ "service": "microsoft.network/frontdoorwebapplicationfirewalls",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.03"
+ },
+ {
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
+ "severity": "Medium",
+ "service": "microsoft.network/frontdoorwebapplicationfirewalls",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.04"
+ },
+ {
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
+ "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
+ "severity": "High",
+ "service": "microsoft.network/frontdoorwebapplicationfirewalls",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.05"
+ },
+ {
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed",
+ "severity": "High",
+ "service": "VNet",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.06"
+ },
+ {
+ "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
+ "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).",
+ "severity": "High",
+ "service": "VNet",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.07"
+ },
+ {
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
+ "severity": "High",
+ "service": "VNet",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "id": "G05.08"
+ },
+ {
+ "guid": "e43a58a9-c229-49c4-b7b5-7d0c655562f2",
+ "text": "Use Private Link, where available, for shared Azure PaaS services.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "PaaS",
+ "id": "G06.01"
+ },
+ {
+ "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
+ "severity": "High",
+ "service": "AppGW",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "PaaS",
+ "id": "G06.02"
+ },
+ {
+ "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
+ "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "PaaS",
+ "id": "G06.03"
+ },
+ {
+ "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
+ "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "PaaS",
+ "id": "G06.04"
+ },
+ {
+ "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
+ "text": "Don't enable virtual network service endpoints by default on all subnets.",
+ "severity": "Medium",
+ "service": "VNet",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "PaaS",
+ "id": "G06.05"
+ },
+ {
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
+ "severity": "Low",
+ "service": "Firewall",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.01"
+ },
+ {
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.02"
+ },
+ {
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "text": "Implement backups for your firewall rules",
+ "severity": "Low",
+ "service": "Firewall",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.03"
+ },
+ {
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.04"
+ },
+ {
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.05"
+ },
+ {
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "text": "Use IP Groups or IP prefixes to reduce number of IP table rules",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.06"
+ },
+ {
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it\u00e2\u20ac\u2122s a sign that SNAT exhaustion might be imminent.",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.07"
+ },
+ {
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.08"
+ },
+ {
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.09"
+ },
+ {
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "text": "Enable TLS Inspection",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.10"
+ },
+ {
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "text": "Use web categories to allow or deny outbound access to specific topics.",
+ "severity": "Low",
+ "service": "Firewall",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.11"
+ },
+ {
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "text": "Enable Azure Firewall DNS proxy configuration ",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.12"
+ },
+ {
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.13"
+ },
+ {
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "text": "Use Azure Firewall Premium for additional security and protection.",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.14"
+ },
+ {
+ "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.15"
+ },
+ {
+ "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
+ "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.16"
+ },
+ {
+ "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
+ "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.17"
+ },
+ {
+ "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.18"
+ },
+ {
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
+ "severity": "High",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.19"
+ },
+ {
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "text": "Ensure there is a policy assignment to deny Public IP addresses\u00c2\u00a0directly tied to Virtual Machines",
+ "severity": "Medium",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.20"
+ },
+ {
+ "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
+ "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
+ "severity": "Low",
+ "service": "Firewall",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Firewall",
+ "id": "G07.21"
+ },
+ {
+ "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
+ "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Cost",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.01"
+ },
+ {
+ "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
+ "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Cost",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.02"
+ },
+ {
+ "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
+ "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Cost",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.03"
+ },
+ {
+ "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
+ "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.04"
+ },
+ {
+ "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
+ "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.05"
+ },
+ {
+ "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
+ "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.06"
+ },
+ {
+ "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
+ "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.07"
+ },
+ {
+ "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
+ "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.08"
+ },
+ {
+ "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
+ "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.09"
+ },
+ {
+ "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
+ "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.10"
+ },
+ {
+ "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
+ "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.11"
+ },
+ {
+ "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
+ "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.12"
+ },
+ {
+ "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
+ "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.13"
+ },
+ {
+ "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
+ "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.14"
+ },
+ {
+ "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
+ "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.",
+ "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.15"
+ },
+ {
+ "guid": "d581a947-69a2-4783-942e-9df3664324c8",
+ "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.16"
+ },
+ {
+ "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
+ "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
+ "severity": "High",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.17"
+ },
+ {
+ "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
+ "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.18"
+ },
+ {
+ "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
+ "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.19"
+ },
+ {
+ "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
+ "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.20"
+ },
+ {
+ "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
+ "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.",
+ "severity": "Medium",
+ "service": "ExpressRoute",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.21"
+ },
+ {
+ "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
+ "text": "Use redundant VPN appliances on-premises (active/active or active/passive).",
+ "severity": "Medium",
+ "service": "VPN",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.22"
+ },
+ {
+ "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
+ "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).",
+ "severity": "Medium",
+ "service": "VPN",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "id": "G08.23"
+ },
+ {
+ "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
+ "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance",
+ "severity": "Medium",
+ "service": "VM",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.01"
+ },
+ {
+ "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
+ "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
+ "severity": "Low",
+ "service": "ExpressRoute",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.02"
+ },
+ {
+ "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
+ "text": "If using Route Server, use a /27 prefix for the Route Server subnet.",
+ "severity": "Low",
+ "service": "microsoft.network/virtualhubs",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.03"
+ },
+ {
+ "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
+ "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.",
+ "severity": "High",
+ "service": "VNet",
+ "waf": "Cost",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.04"
+ },
+ {
+ "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
+ "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
+ "severity": "Medium",
+ "service": "VNet",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.05"
+ },
+ {
+ "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
+ "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.",
+ "severity": "Medium",
+ "service": "VNet",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.06"
+ },
+ {
+ "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
+ "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)",
+ "severity": "Medium",
+ "service": "VNet",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.07"
+ },
+ {
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings",
+ "severity": "High",
+ "service": "VNet",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.08"
+ },
+ {
+ "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
+ "text": "Consider the limit of routes per route table (400).",
+ "severity": "Medium",
+ "service": "VNet",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.09"
+ },
+ {
+ "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
+ "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.",
+ "severity": "Medium",
+ "service": "VNet",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hub and spoke",
+ "id": "G09.10"
+ },
+ {
+ "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
+ "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.01"
+ },
+ {
+ "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
+ "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Operations",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.02"
+ },
+ {
+ "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
+ "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.03"
+ },
+ {
+ "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
+ "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network",
+ "severity": "Low",
+ "service": "VWAN",
+ "waf": "Performance",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.04"
+ },
+ {
+ "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
+ "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.05"
+ },
+ {
+ "guid": "9c75dfef-573c-461c-a698-68598595581a",
+ "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.",
+ "severity": "High",
+ "service": "VWAN",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.06"
+ },
+ {
+ "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
+ "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.07"
+ },
+ {
+ "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
+ "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.08"
+ },
+ {
+ "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
+ "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Reliability",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.09"
+ },
+ {
+ "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
+ "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs",
+ "severity": "Medium",
+ "service": "VWAN",
+ "waf": "Security",
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Virtual WAN",
+ "id": "G10.10"
+ },
+ {
+ "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94",
+ "text": "When deploying Microsoft Entra Connect, leverage a staging sever for high availability / Disaster recovery",
+ "severity": "Medium",
+ "waf": "Reliability",
+ "category": "Identity and Access Management",
+ "subcategory": "Microsoft Entra ID",
+ "id": "H01.01"
+ },
+ {
+ "guid": "4348bf81-7573-4512-8f46-9061cc198fea",
+ "text": "Use managed identities instead of service principals for authentication to Azure services. You can check for existing service principals via Entra ID > Sign in Logs > Service principal logins.",
+ "severity": "High",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Microsoft Entra ID and Hybrid Identity",
+ "id": "H02.01"
+ },
+ {
+ "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
+ "text": "When deploying Active Directory on Windows Server, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set",
+ "severity": "Medium",
+ "waf": "Reliability",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.01"
+ },
+ {
+ "guid": "f5664b5e-984a-4859-a773-e7d261623a76",
+ "text": "Use Azure custom RBAC roles for the following key roles to provide fine-grain access across your ALZ: Azure platform owner, network management, security operations, subscription owner, application owner. Align these roles to teams and responsibilities within your business.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.02"
+ },
+ {
+ "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6",
+ "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.03"
+ },
+ {
+ "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
+ "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account",
+ "severity": "High",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.04"
+ },
+ {
+ "guid": "348ef254-c27d-442e-abba-c7571559ab91",
+ "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.",
+ "severity": "High",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.05"
+ },
+ {
+ "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
+ "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.06"
+ },
+ {
+ "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
+ "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.07"
+ },
+ {
+ "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
+ "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments",
+ "severity": "Low",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.08"
+ },
+ {
+ "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
+ "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.09"
+ },
+ {
+ "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
+ "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.10"
+ },
+ {
+ "guid": "35037e68-9349-4c15-b371-228514f4cdff",
+ "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.",
+ "severity": "Medium",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.11"
+ },
+ {
+ "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
+ "text": "Enforce multi-factor authentication for any user with rights to the Azure environments",
+ "severity": "High",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.12"
+ },
+ {
+ "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
+ "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout",
+ "severity": "High",
+ "service": "Entra",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Identity",
+ "id": "H03.13"
+ },
+ {
+ "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8",
+ "text": "Configure Identity network segmentation through the use of a virtual Network and peer back to the hub. Providing authentication inside application landing zone (legacy).",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Landing zones",
+ "id": "H04.01"
+ },
+ {
+ "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4",
+ "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.g. Data Operations across Key Vault, Storage Account and Database Services.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Landing zones",
+ "id": "H04.02"
+ },
+ {
+ "guid": "d505ebcb-79b1-4274-9c0d-a27c8bea489c",
+ "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.",
+ "severity": "Medium",
+ "waf": "Security",
+ "category": "Identity and Access Management",
+ "subcategory": "Landing zones",
+ "id": "H04.03"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Yes"
+ },
+ {
+ "name": "No"
+ }
+ ],
+ "waf": [
+ {
+ "name": "Operations"
+ },
+ {
+ "name": "Reliability"
+ },
+ {
+ "name": "Performance"
+ },
+ {
+ "name": "Cost"
+ },
+ {
+ "name": "Security"
+ }
+ ],
+ "categories": [
+ {
+ "name": "Platform Automation And Devops"
+ },
+ {
+ "name": "Network Topology And Connectivity"
+ },
+ {
+ "name": "Azure Billing And Microsoft Entra Id Tenants"
+ },
+ {
+ "name": "Resource Organization"
+ },
+ {
+ "name": "Governance"
+ },
+ {
+ "name": "Management"
+ },
+ {
+ "name": "Identity And Access Management"
+ },
+ {
+ "name": "Security"
+ }
+ ],
+ "metadata": {
+ "timestamp": "September 26, 2024",
+ "name": "Azure Landing Zone Review"
+ }
+}
\ No newline at end of file
diff --git a/v2/checklists/alz.yaml b/v2/checklists/alz.yaml
new file mode 100644
index 000000000..c16cf942c
--- /dev/null
+++ b/v2/checklists/alz.yaml
@@ -0,0 +1,371 @@
+name: Azure Landing Zone Review
+areas:
+- name: Resource Organization
+ subareas:
+ - name: Subscriptions
+ include:
+ nameSelector:
+ - revcl-FlatManagementGroupHierarchyFourLevels
+ - revcl-SandboxManagementGroupUsers
+ - revcl-PlatformManagementGroupRootManagementGroup
+ - revcl-AzureVirtualWanHubPrivateDomainNameSystem
+ - revcl-RootManagementGroupSubscriptions
+ - revcl-ManagementGroupHierarchySettingsManagementGroups
+ - revcl-RootLevelManagementGroupManagementGroups
+ - revcl-ResourceOwnersAccessReview
+ - revcl-ItCoreTeamProvisionResources
+ - revcl-ReservedInstanceVmSkusReservedInstances
+ - revcl-StorageCapacityMetricsDiskSpace
+ - revcl-CostManagementProcess
+ - revcl-DedicatedIdentitySubscriptionIdentityManagementGroup
+ - revcl-CostManagementTags
+ - revcl-ConfidentialOnlineManagementGroupSovereignLandingZone
+ - name: Regions
+ include:
+ nameSelector:
+ - revcl-GlobalScaleCloudPlatformRightAzureRegionS
+ - revcl-GeoDisasterRecoveryCapabilitiesLocalizedResourceCapacityConstraint
+ - revcl-RequiredServicesDeploymentRegions-1
+ - name: Naming and tagging
+ include:
+ nameSelector:
+ - revcl-MicrosoftBestPracticeNamingStandardsAzureNamingTool
+- name: Governance
+ subareas:
+ - name: Optimize your cloud investment
+ include:
+ nameSelector:
+ - revcl-ForecastedBudgetAlertsActual
+ - name: Governance
+ include:
+ nameSelector:
+ - revcl-LeverageAzurePolicyPolicyInitiatives
+ - revcl-AzurePolicyDefinitionsAzureRoleAssignments
+ - revcl-IntermediateRootManagementGroupAzurePolicyDefinitions
+ - revcl-HighestAppropriateLevelPolicyAssignments
+ - revcl-SubscriptionManagementGroupLevelAzurePolicy
+ - revcl-OperationalOverheadPolicies
+ - revcl-ResourcePolicyContributorRoleCentralItTeam
+ - revcl-RootManagementGroupScopeAzurePolicyAssignments
+ - revcl-DataSovereigntyRequirementsAzurePolicies
+ - revcl-SovereigntyPolicyBaselinePolicyInitiativeSovereignLandingZone
+ - revcl-SovereignLandingZoneSovereignControlObjectives
+ - revcl-SovereignLandingZoneSovereignControlObjectives-1
+- name: Platform Automation and DevOps
+ subareas:
+ - name: Security
+ include:
+ nameSelector:
+ - revcl-CombinedProcessInnovationProcess
+ - name: Development Strategy
+ include:
+ nameSelector:
+ - revcl-AzureLandingZoneArchitectureLeverageDeclarativeInfrastructure
+ - name: DevOps Team Topologies
+ include:
+ nameSelector:
+ - revcl-CrossFunctionalDevopsPlatformTeamAzureLandingZoneArchitecture
+ - revcl-AzureLandingZonePlatformTeamFunctions
+ - revcl-DevopsPlatformTeamSupportApplicationWorkloadTeams
+ - revcl-CiCdPipelineIacArtifacts
+ - revcl-UnitTestsApplicationCode
+ - revcl-VirtualMachinesUserPasswordsKeyVaultSecrets
+ - revcl-NewLandingZoneSubscriptionVending
+ - name: Development Lifecycle
+ include:
+ nameSelector:
+ - revcl-VersionControlSystemSourceCode
+ - revcl-BranchingStrategyVersionControl
+ - revcl-PullRequestStrategyCodeChanges
+ - revcl-QuickFixesTechnicalDebt
+- name: Management
+ subareas:
+ - name: Monitoring
+ include:
+ nameSelector:
+ - revcl-SingleMonitorLogsWorkspaceAzureRoleBasedAccessControl
+ - revcl-LogRetentionRequirementsAzureStorage
+ - revcl-AzureAutomanageMachineConfigurationAuditCapabilitiesOsLevelVirtualMachine
+ - revcl-NetworkWatcherTrafficFlows
+ - revcl-CriticalSharedServicesResourceLocks
+ - revcl-AzureRoleAssignmentsDenyPolicies
+ - revcl-OverallPlatformMonitoringSolutionResourceHealthEvents
+ - revcl-AzureServiceHealthPlatformActionGroups
+ - revcl-RawLogEntriesPremisesMonitoringSystems
+ - revcl-AzureMonitorLogsInsights
+ - revcl-AzureDiagnosticExtensionLogStorageSharedStorageAccounts
+ - revcl-AzureMonitorAlertsOperationalAlerts
+ - revcl-AppropriateDataCollectionMonitoringRequirements
+ - revcl-LogAnalyticsWorkspaceAzureAutomationAccounts
+ - revcl-PlatformComponentsLandingZone
+ - name: Fault Tolerance
+ include:
+ nameSelector:
+ - revcl-LeverageAvailabilityZonesVms
+ - revcl-ProductionWorkloadSingleVm
+ - revcl-AzureLoadBalancerIncomingNetworkTraffic
+ - name: Data Protection
+ include:
+ nameSelector:
+ - revcl-CrossRegionReplicationAzure
+ - revcl-DifferentBackupTypesAzureBackup
+ - name: App delivery
+ include:
+ nameSelector:
+ - revcl-ApplicationDeliveryServicesAzureFrontDoor
+ - revcl-ApplicationDeliveryServicesAzureFrontDoor-1
+ - name: Operational compliance
+ include:
+ nameSelector:
+ - revcl-AzureUpdateManagerPatchingMechanism
+ - revcl-AzureUpdateManagerPatchingMechanism-1
+ - revcl-CompliantBaselineVmConfigurationVmExtensions
+ - revcl-VmSecurityConfigurationDriftGuestConfigurationFeatures
+ - name: Protect and Recover
+ include:
+ nameSelector:
+ - revcl-AzureVirtualMachinesDisasterRecoveryScenariosAzureSiteRecovery
+ - revcl-NativePaasServiceDisasterRecoveryCapabilities
+ - revcl-AzureCompatibleRdPartyBackupSolutionAzureNativeBackupCapabilities
+- name: Security
+ subareas:
+ - name: Service enablement framework
+ include:
+ nameSelector:
+ - revcl-NewAzureServices
+ - revcl-ServiceRequestAzureServices
+ - name: Operations
+ include:
+ nameSelector:
+ - revcl-MicrosoftEntraIdReportingCapabilitiesAccessControlAuditReports
+ - revcl-AzureActivityLogsAzureMonitorLogs
+ - revcl-DefenderCloudSecurityPostureManagementSubscriptions
+ - revcl-DefenderCloudWorkloadProtectionPlanServers
+ - revcl-DefenderCloudWorkloadProtectionPlansAzureResources
+ - revcl-EndpointProtectionIaasServers
+ - revcl-BaseOperatingSystemPatchingAzureMonitorLogs
+ - revcl-CentralizedAzureMonitorLogAnalyticsWorkspaceDefaultResourceConfigurations
+ - revcl-SovereignLandingZoneEntraIdTenant
+ - revcl-SovereignLandingZoneEntraIdTenant-1
+ - revcl-AzureEventGridBasedSolutionLogOrientedRealTimeAlerts
+ - name: Secure privileged access
+ include:
+ nameSelector:
+ - revcl-SeparatePrivilegedAdminAccountsAzureAdministrativeTasks
+ - name: Access control
+ include:
+ nameSelector:
+ - revcl-IncidentResponsePlanAzureServices
+ - revcl-ZeroTrustApproachAzurePlatform
+ - name: Encryption and keys
+ include:
+ nameSelector:
+ - revcl-AzureKeyVaultSecrets
+ - revcl-DifferentAzureKeyVaultsTransactionScaleLimits
+ - revcl-AzureKeyVaultSoftDelete
+ - revcl-CustomMicrosoftEntraIdRolesPrivilegeModel
+ - revcl-PublicCertificateAuthoritiesCertificateManagement
+ - revcl-AutomatedProcessCertificateRotation
+ - revcl-VirtualNetworkServiceEndpointPrivateEndpoint
+ - revcl-PlatformCentralAzureMonitorLogAnalyticsWorkspaceSecretUsage
+ - revcl-DelegateKeyVaultInstantiationPrivilegedAccess
+ - revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys-1
+ - revcl-AzureKeyVaultApplication
+ - revcl-AppropriateRegionPairsDisasterRecoveryRegions
+ - revcl-SovereignLandingZoneAzureKeyVault
+ - name: Overview
+ include:
+ nameSelector:
+ - revcl-SecureTransferStorageAccounts
+ - revcl-ContainerSoftDeleteStorageAccount
+- name: Azure Billing and Microsoft Entra ID Tenants
+ subareas:
+ - name: Microsoft Customer Agreement
+ include:
+ nameSelector:
+ - revcl-BillingAccountNotificationConfigureAgreement
+ - revcl-EffectiveCostManagementInvoiceSections
+ - revcl-MicrosoftAzurePlanDevTestOffer
+ - revcl-AgreementBillingRbacRoleAssignmentsMcaBillingAccount
+ - name: Microsoft Entra ID Tenants
+ include:
+ nameSelector:
+ - revcl-OneEntraTenantAzureResources
+ - revcl-MicrosoftEntraIdTenantsMultiTenantAutomationApproach
+ - revcl-LeverageAzureLighthouseMultiTenantManagement
+ - name: Cloud Solution Provider
+ include:
+ nameSelector:
+ - revcl-AzureLighthouseTenant
+ - revcl-SupportRequestEscalationProcess
+ - revcl-SetupCostReportingAzureCostManagement
+ - name: Enterprise Agreement
+ include:
+ nameSelector:
+ - revcl-NotificationContactsGroupMailbox
+ - revcl-EnrollmentHierarchyDepartments
+ - revcl-DaViewChargesAoViewCharges
+ - revcl-EnterpriseDevTestSubscriptionsNonProductionWorkloads
+- name: Network Topology and Connectivity
+ subareas:
+ - name: IP plan
+ include:
+ nameSelector:
+ - revcl-OverlappingIpAddressSpacesAzureRegions
+ - revcl-AddressAllocationRangesIpAddresses
+ - revcl-IpAddressSpaceLargeVirtualNetworks
+ - revcl-OverlappingIpAddressRangesDrSites
+ - revcl-AzurePrivateDnsDelegatedZone
+ - revcl-AzureDnsPrivateResolverNameResolution
+ - revcl-RedHatOpenshiftPreferredDnsSolution
+ - revcl-AzureDnsDnsRecords
+ - name: App delivery
+ include:
+ nameSelector:
+ - revcl-AzureFrontDoorDeliveryApplicationContent
+ - revcl-AppDeliveryLandingZones
+ - revcl-IpProtectionPlansPublicIpAddresses
+ - name: Segmentation
+ include:
+ nameSelector:
+ - revcl-AzureFirewallSubnets
+ - revcl-GatewaySubnets
+ - revcl-NsgInboundDefaultRulesVirtualnetworkServiceTag
+ - revcl-DelegateSubnetCreationLandingZoneOwner
+ - revcl-LandingZonesEastWestTraffic
+ - revcl-ApplicationSecurityGroupsApplicationTeam
+ - revcl-ApplicationSecurityGroupsMicroSegmentTraffic
+ - revcl-VnetFlowLogsExternalTrafficFlows
+ - revcl-NsgRulesLimit
+ - name: Encryption
+ include:
+ nameSelector:
+ - revcl-ExpressrouteDirectLayerTwoLevel
+ - revcl-ExpressroutePrivatePeeringExpressrouteDirect
+ - name: Internet
+ include:
+ nameSelector:
+ - revcl-AzureBastionNetwork
+ - revcl-AzureBastionSubnet
+ - revcl-InboundHttpSConnectionsAzureFrontDoor
+ - revcl-AzureFrontDoorAzureApplicationGateway
+ - revcl-OtherReverseProxiesLandingZoneVirtualNetwork
+ - revcl-PublicIpAddressesEndpointsIpProtectionPlans
+ - revcl-NetworkOutboundTrafficConfigurationDefaultOutboundAccess
+ - revcl-DdosRelatedLogsPublicIpAddresses
+ - name: PaaS
+ include:
+ nameSelector:
+ - revcl-AzurePaasServicesControlPlaneTraffic
+ - revcl-AzurePaasServicesPrivateLink
+ - revcl-AzurePaasServicesExpressroutePrivatePeering
+ - revcl-VirtualNetworkServiceEndpointsDefault
+ - revcl-AzurePaasServicesAzureFirewall
+ - name: Firewall
+ include:
+ nameSelector:
+ - revcl-HttpSInboundConnectionsEastWestTrafficFiltering
+ - revcl-AzureRoleBasedAccessControlGlobalAzureFirewallPolicy
+ - revcl-SupportedPartnerSaasSecurityProvidersFirewallManager
+ - revcl-FqdnBasedNetworkRulesApplicationRules
+ - revcl-AzureFirewallPremiumAdditionalSecurity
+ - revcl-AzureFirewallThreatIntelligenceModeAdditionalProtection
+ - revcl-AzureFirewallIdpsModeAdditionalProtection
+ - revcl-NetworkVirtualApplianceVirtualWan
+ - revcl-ResourceSpecificDestinationTableAzureFirewallDeployments
+ - revcl-AzureFirewallClassicRulesFirewallPolicy
+ - revcl-RuleCollectionGroupsRuleCollections
+ - revcl-IpTableRulesIpGroups
+ - revcl-SourceIpIncomingDnats
+ - revcl-NatGatewaySettingsSnatPortUsage
+ - revcl-TlsInspection
+ - revcl-WebCategoriesOutboundAccess
+ - revcl-AzureAppGatewaysTlsInspection
+ - revcl-AzureFirewallDnsProxyConfiguration
+ - revcl-PublicIpAddressesPolicyAssignment
+ - revcl-AzureFirewallAzureMonitor
+ - revcl-FirewallRulesBackups
+ - name: Hybrid
+ include:
+ nameSelector:
+ - revcl-PrimaryConnectionPossibility
+ - revcl-MultipleExpressrouteCircuitsPremLocations
+ - revcl-RightSkuExpressrouteVpnGateways
+ - revcl-UnlimitedDataExpressrouteCircuitsBandwidth
+ - revcl-CircuitsPeeringLocationLocalSku
+ - revcl-ZoneRedundantExpressrouteGatewayAzureRegions
+ - revcl-GbpsPortsExpressrouteDirect
+ - revcl-LowLatencyExpressrouteGateway
+ - revcl-ZoneRedundantVpnGatewaysRemoteLocations
+ - revcl-RedundantVpnAppliancesPremises
+ - revcl-LocalAzureRegionsExpressrouteLocalCircuits
+ - revcl-DifferentExpressrouteCircuitsIsolatedRoutingDomains
+ - revcl-ExpressRouteInsightsExpressrouteAvailability
+ - revcl-ConnectionMonitorConnectivityMonitoring
+ - revcl-DifferentPeeringLocationsExpressrouteCircuits
+ - revcl-SingleExpressrouteCircuitSite
+ - revcl-RouteTableGatewayRoutes
+ - revcl-PremisesRoutingConnectionFailure
+ - revcl-TwoDistinctEdgeDevicesTwoPhysicalLinks
+ - revcl-BidirectionalForwardingDetectionEdgeRoutingDevices
+ - revcl-DifferentPeeringLocationsExpressrouteGateway
+ - revcl-ExpressrouteVirtualNetworkGatewayDiagnosticLogs
+ - revcl-ExpressrouteCircuitsVnetCommunication
+ - name: Hub and spoke
+ include:
+ nameSelector:
+ - revcl-SpokeNetworkTopologyNetworkDesign
+ - revcl-CentralHubVirtualNetworkNetworkingServices
+ - revcl-PartnerNetworkingTechnologiesPartnerVendor
+ - revcl-AzureRouteServerVpnGateways
+ - revcl-RouteServerSubnet
+ - revcl-GlobalVirtualNetworkPeeringsNetworkArchitectures
+ - revcl-AzureMonitorEndState
+ - revcl-CentralHubVirtualNetworkVnetPeeringLimits
+ - revcl-RouteTableLimit
+ - revcl-RemoteVirtualNetworkVnetPeerings
+ - name: Virtual WAN
+ include:
+ nameSelector:
+ - revcl-SimplifiedAzureNetworkingManagementVirtualWanRoutingDesigns
+ - revcl-CommonGlobalAzureVirtualWanVirtualWanHub
+ - revcl-MicrosoftBackboneNetworkPrinciple
+ - revcl-OutboundInternetTrafficProtectionAzureFirewall
+ - revcl-AzureVirtualWanLimitsNetworkArchitecture
+ - revcl-AzureMonitorInsightsVirtualWan
+ - revcl-IacDeploymentsVirtualWan
+ - revcl-HubRoutingPreferenceAsPath
+ - revcl-IacDeploymentsLabelBasedPropagation
+ - revcl-EnoughIpSpaceVirtualHubs
+- name: Identity and Access Management
+ subareas:
+ - name: Microsoft Entra ID
+ include:
+ nameSelector:
+ - revcl-MicrosoftEntraConnectStagingSever
+ - name: Microsoft Entra ID and Hybrid Identity
+ include:
+ nameSelector:
+ - revcl-ServicePrincipalLoginsExistingServicePrincipals
+ - name: Identity
+ include:
+ nameSelector:
+ - revcl-CloudOperatingModelRbacModel
+ - revcl-AuthenticationTypeSchoolAccount
+ - revcl-GroupManagementSystemEntraId
+ - revcl-MicrosoftEntraIdConditionalAccessPoliciesAzureEnvironments
+ - revcl-MultiFactorAuthenticationAzureEnvironments
+ - revcl-DelegatedResponsibilitiesLandingZone
+ - revcl-MicrosoftEntraIdPrivilegedIdentityManagementZeroStandingAccess
+ - revcl-ActiveDirectoryWindowsServer
+ - revcl-AzureCustomRbacRolesAzurePlatformOwner
+ - revcl-MicrosoftEntraIdLogsCloudNativeOptions
+ - revcl-TenantWideAccountLockoutEmergencyAccess
+ - revcl-MicrosoftEntraIdRoleAssignmentsPremisesSyncedAccounts
+ - revcl-MicrosoftEntraIdApplicationProxyRemoteUsers
+ - name: Landing zones
+ include:
+ nameSelector:
+ - revcl-ApplicationLandingZoneIdentityNetworkSegmentation
+ - revcl-DataPlaneAccessDataOperations
+ - revcl-MicrosoftEntraIdPimAccessReviewsResourceEntitlements
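Review bot: The nameSelector lists bind this checklist to generated reco file names, and nothing visible here fails the build when a name stops resolving, so a reco that is renamed or deleted silently vanishes from the review; `revcl-MicrosoftEntraConnectStagingSever` (line under "Microsoft Entra ID") already carries a typo from its source title, and correcting that title would presumably regenerate the name and drop the item. Unless the generator already validates selectors, I would add at the top `# Every name must resolve to a file under v2/recos/; treat an unresolved selector as a build error, not a silent skip.` and have the tooling enforce it. Separately, a few placements look wrong for a security reviewer reading by area: `revcl-AzureVirtualWanHubPrivateDomainNameSystem` sits under Resource Organization > Subscriptions, and `revcl-IncidentResponsePlanAzureServices`, `revcl-CustomMicrosoftEntraIdRolesPrivilegeModel` and `revcl-AppropriateRegionPairsDisasterRecoveryRegions` sit under Access control / Encryption and keys; if these mirror the source JSON subcategories, fix them there so the regenerated file is consistent.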
diff --git a/v2/checklists/app_delivery.yaml b/v2/checklists/app_delivery.yaml
new file mode 100644
index 000000000..22cbd5d25
--- /dev/null
+++ b/v2/checklists/app_delivery.yaml
@@ -0,0 +1,11 @@
+name: Network Application Delivery
+description: |
+ Items
+include:
+ resourceTypeSelector:
+ - microsoft.network/applicationGateways
+ - Microsoft.Cdn/profiles
+ - Microsoft.Network/trafficManagerProfiles
+ - Microsoft.Network/loadBalancers
+ sourceSelector:
+ - revcl
\ No newline at end of file
diff --git a/v2/checklists/app_delivery_aprl.yaml b/v2/checklists/app_delivery_aprl.yaml
new file mode 100644
index 000000000..9b33971c3
--- /dev/null
+++ b/v2/checklists/app_delivery_aprl.yaml
@@ -0,0 +1,11 @@
+name: Network Application Delivery
+description: |
+ Items
+include:
+ resourceTypeSelector:
+ - microsoft.network/applicationGateways
+ - Microsoft.Cdn/profiles
+ - Microsoft.Network/trafficManagerProfiles
+ - Microsoft.Network/loadBalancers
+ sourceSelector:
+ - aprl
\ No newline at end of file
diff --git a/v2/checklists/aprl.yaml b/v2/checklists/aprl.yaml
new file mode 100644
index 000000000..a9fded368
--- /dev/null
+++ b/v2/checklists/aprl.yaml
@@ -0,0 +1,4 @@
+name: 'All recommendations'
+include:
+ sourceSelector:
+ - aprl
diff --git a/v2/checklists/no-service.yaml b/v2/checklists/no-service.yaml
new file mode 100644
index 000000000..229fd66bb
--- /dev/null
+++ b/v2/checklists/no-service.yaml
@@ -0,0 +1,8 @@
+name: Multi-service
+description: |
+ This checklist is for cross-service recommendations.
+include:
+ resourceTypeSelector:
+ - None
+ sourceSelector:
+ - revcl
\ No newline at end of file
diff --git a/v2/checklists/waf.yaml b/v2/checklists/waf.yaml
new file mode 100644
index 000000000..a97aa741e
--- /dev/null
+++ b/v2/checklists/waf.yaml
@@ -0,0 +1,7 @@
+name: 'Azure Review Checklists - WAF'
+include:
+ sourceSelector:
+ - revcl
+exclude:
+ resourceTypeSelector:
+ - None
\ No newline at end of file
diff --git a/v2/checklists/waf_resiliency.yaml b/v2/checklists/waf_resiliency.yaml
new file mode 100644
index 000000000..21f6a6c4b
--- /dev/null
+++ b/v2/checklists/waf_resiliency.yaml
@@ -0,0 +1,6 @@
+name: 'Azure Review Checklists - WAF Resiliency'
+include:
+ sourceSelector:
+ - revcl
+ wafSelector:
+ - Reliability
diff --git a/v2/checklists/waf_sg_security.yaml b/v2/checklists/waf_sg_security.yaml
new file mode 100644
index 000000000..ec15a1ced
--- /dev/null
+++ b/v2/checklists/waf_sg_security.yaml
@@ -0,0 +1,6 @@
+name: 'Azure Review Checklists - WAF Security'
+include:
+ sourceSelector:
+ - wafsg
+ wafSelector:
+ - Security
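Review bot: `sourceSelector: - wafsg` references a source type that appears nowhere else in this diff: every visible reco carries `source.type: revcl`, and the sibling waf_resiliency.yaml selects `revcl`, so unless a wafsg source is produced elsewhere this "WAF Security" checklist renders empty. Either change it to `- revcl` to match the resiliency file, or if wafsg is a distinct upstream source, add a comment such as `# wafsg = Well-Architected security guide recos; see the get_* action that emits this source type` so the asymmetry is clearly intentional.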
diff --git a/v2/recos/Practices/Cost/revcl-AgreementBillingRbacRoleAssignmentsMcaBillingAccount.yaml b/v2/recos/Practices/Cost/revcl-AgreementBillingRbacRoleAssignmentsMcaBillingAccount.yaml
new file mode 100644
index 000000000..ad18e5a08
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-AgreementBillingRbacRoleAssignmentsMcaBillingAccount.yaml
@@ -0,0 +1,18 @@
+name: revcl-AgreementBillingRbacRoleAssignmentsMcaBillingAccount
+title: Periodically audit the agreement billing RBAC role assignments to review who
+ has access to your MCA billing account
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 1
+labels:
+ guid: ae757485-92a4-482a-8bc9-eefe6f5b5ec3
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Microsoft Customer Agreement
+ id: A04.04
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations
+queries: {}
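Review bot: This reco asks for a periodic audit of billing RBAC role assignments, which is a privileged-access review control, yet it is tagged `waf: Cost`; a checklist built with `wafSelector: - Security` will therefore never surface it. If the classification is inherited from the source JSON, correct it there so the regenerated file carries `waf: Security`; otherwise change the line here. The numeric `severity: 1` also has no visible mapping to the High/Medium/Low values used in the source JSON, so a one-line comment on the scale would help reviewers calibrate.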
diff --git a/v2/recos/Practices/Cost/revcl-AzureRunCostsDevTestSystems.yaml b/v2/recos/Practices/Cost/revcl-AzureRunCostsDevTestSystems.yaml
new file mode 100644
index 000000000..b8473ead7
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-AzureRunCostsDevTestSystems.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureRunCostsDevTestSystems
+title: Consider running dev/test systems in a snooze model to save and optimize Azure
+ run costs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: a491dfc4-9353-4213-9217-eef0949f9467
+links:
+- type: docs
+ url: https://azure.microsoft.com/pricing/offers/dev-test/
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-BillingAccountNotificationConfigureAgreement.yaml b/v2/recos/Practices/Cost/revcl-BillingAccountNotificationConfigureAgreement.yaml
new file mode 100644
index 000000000..e8a02ddfd
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-BillingAccountNotificationConfigureAgreement.yaml
@@ -0,0 +1,17 @@
+name: revcl-BillingAccountNotificationConfigureAgreement
+title: Configure Agreement billing account notification contact email
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: 6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Microsoft Customer Agreement
+ id: A04.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-DatabaseManagementSystemExcessiveNetworkTraffic.yaml b/v2/recos/Practices/Cost/revcl-DatabaseManagementSystemExcessiveNetworkTraffic.yaml
new file mode 100644
index 000000000..638e8bea1
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-DatabaseManagementSystemExcessiveNetworkTraffic.yaml
@@ -0,0 +1,20 @@
+name: revcl-DatabaseManagementSystemExcessiveNetworkTraffic
+title: It isn't recommended to host the database management system (DBMS) and application
+ layers of SAP systems in different VNets and connect them with VNet peering because
+ of the substantial costs that excessive network traffic between the layers can produce.
+ Recommend using subnets within the Azure virtual network to separate the SAP application
+ layer and DBMS layer.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 0
+labels:
+ guid: b65c878b-4b14-4f4e-92d8-d873936493f2
+links:
+- type: docs
+ url: https://me.sap.com/notes/2015553
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-EffectiveCostManagementInvoiceSections.yaml b/v2/recos/Practices/Cost/revcl-EffectiveCostManagementInvoiceSections.yaml
new file mode 100644
index 000000000..4e5098f16
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-EffectiveCostManagementInvoiceSections.yaml
@@ -0,0 +1,18 @@
+name: revcl-EffectiveCostManagementInvoiceSections
+title: Use Billing Profiles and Invoice sections to structure your agreements billing
+ for effective cost management
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: 90e87802-602f-4dfb-acea-67c60689f1d7
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Microsoft Customer Agreement
+ id: A04.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-EnrollmentHierarchyDepartments.yaml b/v2/recos/Practices/Cost/revcl-EnrollmentHierarchyDepartments.yaml
new file mode 100644
index 000000000..ed1bd0587
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-EnrollmentHierarchyDepartments.yaml
@@ -0,0 +1,18 @@
+name: revcl-EnrollmentHierarchyDepartments
+title: Use departments and accounts to map your organization's structure to your enrollment
+ hierarchy which can help with separating billing.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: 12cd499f-96e2-4e41-a243-231fb3245a1c
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Enterprise Agreement
+ id: A03.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-EnterpriseDevTestSubscriptionsNonProductionWorkloads.yaml b/v2/recos/Practices/Cost/revcl-EnterpriseDevTestSubscriptionsNonProductionWorkloads.yaml
new file mode 100644
index 000000000..b245c3dcb
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-EnterpriseDevTestSubscriptionsNonProductionWorkloads.yaml
@@ -0,0 +1,18 @@
+name: revcl-EnterpriseDevTestSubscriptionsNonProductionWorkloads
+title: Make use of Enterprise Dev/Test Subscriptions to reduce costs for non-production
+ workloads
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: 5cf9f485-2784-49b3-9824-75d9b8bdb57b
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Enterprise Agreement
+ id: A03.05
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-ForecastedBudgetAlertsActual.yaml b/v2/recos/Practices/Cost/revcl-ForecastedBudgetAlertsActual.yaml
new file mode 100644
index 000000000..92967fb9d
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-ForecastedBudgetAlertsActual.yaml
@@ -0,0 +1,17 @@
+name: revcl-ForecastedBudgetAlertsActual
+title: Configure 'Actual' and 'Forecasted' Budget Alerts.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 1
+labels:
+ guid: 29fd366b-a180-452b-9bd7-954b7700c667
+ area: Governance
+ subarea: Optimize your cloud investment
+ id: E02.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json
+queries: {}
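Review bot: The docs link carries `?bc=...&toc=...` query parameters, which are only breadcrumb/table-of-contents hints for the docs site and make the URL brittle and noisy; the canonical form is `url: https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets`. If the URLs are copied verbatim from the source JSON, stripping the query string in the generator would fix every such link at once.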
diff --git a/v2/recos/Practices/Cost/revcl-MicrosoftAzurePlanDevTestOffer.yaml b/v2/recos/Practices/Cost/revcl-MicrosoftAzurePlanDevTestOffer.yaml
new file mode 100644
index 000000000..e3c9a1a2f
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-MicrosoftAzurePlanDevTestOffer.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftAzurePlanDevTestOffer
+title: Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production
+ workloads
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: e81a73f0-84c4-4641-b406-14db3b4d1f50
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Microsoft Customer Agreement
+ id: A04.03
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-NotificationContactsGroupMailbox.yaml b/v2/recos/Practices/Cost/revcl-NotificationContactsGroupMailbox.yaml
new file mode 100644
index 000000000..cede4c48c
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-NotificationContactsGroupMailbox.yaml
@@ -0,0 +1,17 @@
+name: revcl-NotificationContactsGroupMailbox
+title: Configure Notification Contacts to a group mailbox
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 1
+labels:
+ guid: 685cb4f2-ac9c-4b19-9167-993ed0b32415
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Enterprise Agreement
+ id: A03.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-ProductionHanaDatabaseServerVmsSapHanaHardwareDirectory.yaml b/v2/recos/Practices/Cost/revcl-ProductionHanaDatabaseServerVmsSapHanaHardwareDirectory.yaml
new file mode 100644
index 000000000..86e681b12
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-ProductionHanaDatabaseServerVmsSapHanaHardwareDirectory.yaml
@@ -0,0 +1,17 @@
+name: revcl-ProductionHanaDatabaseServerVmsSapHanaHardwareDirectory
+title: As a lower-cost alternative configuration (multipurpose), you can choose a
+ low-performance SKU for your non-production HANA database server VMs. However, it
+ is important to note that some VM types, such as E-series, are not HANA certified
+ (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: 9877f353-2591-4e8b-8381-e9043fed1010
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-SapHanaDatabaseBackupsAzureVms.yaml b/v2/recos/Practices/Cost/revcl-SapHanaDatabaseBackupsAzureVms.yaml
new file mode 100644
index 000000000..39d47245a
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-SapHanaDatabaseBackupsAzureVms.yaml
@@ -0,0 +1,14 @@
+name: revcl-SapHanaDatabaseBackupsAzureVms
+title: Review SAP HANA database backups for Azure VMs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 0
+labels:
+ guid: ff5136bd-dcf1-4d2b-ae52-39333efdf45a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/sap-hana-database-about
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-SapSystemStartStopCosts.yaml b/v2/recos/Practices/Cost/revcl-SapSystemStartStopCosts.yaml
new file mode 100644
index 000000000..d0015ea3d
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-SapSystemStartStopCosts.yaml
@@ -0,0 +1,14 @@
+name: revcl-SapSystemStartStopCosts
+title: Automate SAP System Start-Stop to manage costs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 1
+labels:
+ guid: 925d1f8c-01f3-4a67-948e-aabf0a1fad60
+links:
+- type: docs
+ url: https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-SetupCostReportingAzureCostManagement.yaml b/v2/recos/Practices/Cost/revcl-SetupCostReportingAzureCostManagement.yaml
new file mode 100644
index 000000000..f7aa535d9
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-SetupCostReportingAzureCostManagement.yaml
@@ -0,0 +1,17 @@
+name: revcl-SetupCostReportingAzureCostManagement
+title: Setup Cost Reporting and Views with Azure Cost Management
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 1
+labels:
+ guid: 32952499-58c8-4e6f-ada5-972e67893d55
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Cloud Solution Provider
+ id: A02.03
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-SiteRecoveryMonitoring.yaml b/v2/recos/Practices/Cost/revcl-SiteRecoveryMonitoring.yaml
new file mode 100644
index 000000000..a6427faa8
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-SiteRecoveryMonitoring.yaml
@@ -0,0 +1,14 @@
+name: revcl-SiteRecoveryMonitoring
+title: Review Site Recovery built-in monitoring, where used for SAP.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 1
+labels:
+ guid: cafde29d-a0af-4bcd-87c0-0f299d63f0e8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-StandardHddAzureStorageAzureStandardSsdStorage.yaml b/v2/recos/Practices/Cost/revcl-StandardHddAzureStorageAzureStandardSsdStorage.yaml
new file mode 100644
index 000000000..8496ee59c
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-StandardHddAzureStorageAzureStandardSsdStorage.yaml
@@ -0,0 +1,18 @@
+name: revcl-StandardHddAzureStorageAzureStandardSsdStorage
+title: In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD
+ storage can be used to select a cost-conscious storage solution. However, please
+ note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA
+ of the individual VMs. Also, for systems with lower I/O throughput and low latency,
+ such as non-production environments, lower series VMs can be used.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: 71dc00cd-4392-4262-8949-20c05e6c0333
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1
+queries: {}
diff --git a/v2/recos/Practices/Cost/revcl-SupportRequestEscalationProcess.yaml b/v2/recos/Practices/Cost/revcl-SupportRequestEscalationProcess.yaml
new file mode 100644
index 000000000..24d503560
--- /dev/null
+++ b/v2/recos/Practices/Cost/revcl-SupportRequestEscalationProcess.yaml
@@ -0,0 +1,17 @@
+name: revcl-SupportRequestEscalationProcess
+title: Discuss support request and escalation process with CSP partner
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Cost
+severity: 2
+labels:
+ guid: a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Cloud Solution Provider
+ id: A02.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-cloud-solution-provider#design-recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AppropriateDataCollectionMonitoringRequirements.yaml b/v2/recos/Practices/Operations/revcl-AppropriateDataCollectionMonitoringRequirements.yaml
new file mode 100644
index 000000000..4f686e336
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AppropriateDataCollectionMonitoringRequirements.yaml
@@ -0,0 +1,18 @@
+name: revcl-AppropriateDataCollectionMonitoringRequirements
+title: Ensure that monitoring requirements have been assessed and that appropriate
+ data collection and alerting configurations are applied
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 859c3900-4514-41eb-b010-475d695abd74
+ area: Management
+ subarea: Monitoring
+ id: F01.18
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/best-practices/monitoring
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AutomatedBackupVAzureVms.yaml b/v2/recos/Practices/Operations/revcl-AutomatedBackupVAzureVms.yaml
new file mode 100644
index 000000000..29eb78e18
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AutomatedBackupVAzureVms.yaml
@@ -0,0 +1,14 @@
+name: revcl-AutomatedBackupVAzureVms
+title: Review the use of Automated Backup v2 for Azure VMs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: b82e650f-676d-417d-994d-fc33ca54ec14
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AvailabilityZoneZoneDeployment.yaml b/v2/recos/Practices/Operations/revcl-AvailabilityZoneZoneDeployment.yaml
new file mode 100644
index 000000000..88bf32f27
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AvailabilityZoneZoneDeployment.yaml
@@ -0,0 +1,16 @@
+name: revcl-AvailabilityZoneZoneDeployment
+title: If deploying to an availability zone, ensure that the VM's zone deployment
+ is available once the quota has been approved. Submit a support request with the
+ subscription, VM series, number of CPUs and availability zone required.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: cbfad17b-f240-42bf-a1d8-f4f4cee661c8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureBestPracticesAzureInfrastructure.yaml b/v2/recos/Practices/Operations/revcl-AzureBestPracticesAzureInfrastructure.yaml
new file mode 100644
index 000000000..7d12ead9d
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureBestPracticesAzureInfrastructure.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureBestPracticesAzureInfrastructure
+title: Perform a quality check for SAP HANA on the provisioned Azure infrastructure
+ to verify that provisioned VMs comply with SAP HANA on Azure best practices.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 73686af4-6791-4f89-95ad-a43324e13811
+links:
+- type: docs
+ url: https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureBlobStorageSqlServer.yaml b/v2/recos/Practices/Operations/revcl-AzureBlobStorageSqlServer.yaml
new file mode 100644
index 000000000..57209192b
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureBlobStorageSqlServer.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureBlobStorageSqlServer
+title: Review the use of Azure Blob Storage with SQL Server 2016.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 2943b6d8-1d31-4e19-ade7-78e6b26d1962
+links:
+- type: docs
+ url: https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureDiagnosticExtensionLogStorageSharedStorageAccounts.yaml b/v2/recos/Practices/Operations/revcl-AzureDiagnosticExtensionLogStorageSharedStorageAccounts.yaml
new file mode 100644
index 000000000..c36bd305e
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureDiagnosticExtensionLogStorageSharedStorageAccounts.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureDiagnosticExtensionLogStorageSharedStorageAccounts
+title: When necessary, use shared storage accounts within the landing zone for Azure
+ diagnostic extension log storage.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 619e8a13-f988-4795-85d6-26886d70ba6c
+ area: Management
+ subarea: Monitoring
+ id: F01.16
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureFrontDoorDeliveryApplicationContent.yaml b/v2/recos/Practices/Operations/revcl-AzureFrontDoorDeliveryApplicationContent.yaml
new file mode 100644
index 000000000..0a5a97f23
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureFrontDoorDeliveryApplicationContent.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzureFrontDoorDeliveryApplicationContent
+title: Develop a plan for securing the delivery application content from your Workload
+ spokes using Application Gateway and Azure Front door. You can use the Application
+ Delivery checklist to for recommendations.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 373f482f-3e39-4d39-8aa4-7e566f6082b6
+ area: Network Topology and Connectivity
+ subarea: App delivery
+ id: D01.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureLandingZoneArchitectureLeverageDeclarativeInfrastructure.yaml b/v2/recos/Practices/Operations/revcl-AzureLandingZoneArchitectureLeverageDeclarativeInfrastructure.yaml
new file mode 100644
index 000000000..b4c5d7561
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureLandingZoneArchitectureLeverageDeclarativeInfrastructure.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzureLandingZoneArchitectureLeverageDeclarativeInfrastructure
+title: Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM
+ Templates or Terraform to build and maintain your Azure Landing Zone architecture.
+ Both from a Platform and Application workload perspective.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73
+ area: Platform Automation and DevOps
+ subarea: Development Strategy
+ id: H03.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureLandingZonePlatformTeamFunctions.yaml b/v2/recos/Practices/Operations/revcl-AzureLandingZonePlatformTeamFunctions.yaml
new file mode 100644
index 000000000..3c9708372
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureLandingZonePlatformTeamFunctions.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureLandingZonePlatformTeamFunctions
+title: Aim to define functions for Azure Landing Zone Platform team.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 2
+labels:
+ guid: 634146bf-7085-4419-a7b5-f96d2726f6da
+ area: Platform Automation and DevOps
+ subarea: DevOps Team Topologies
+ id: H01.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureLinuxVmBackupStrategiesOracleDatabase.yaml b/v2/recos/Practices/Operations/revcl-AzureLinuxVmBackupStrategiesOracleDatabase.yaml
new file mode 100644
index 000000000..47a1d1f97
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureLinuxVmBackupStrategiesOracleDatabase.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureLinuxVmBackupStrategiesOracleDatabase
+title: Review Oracle Database in Azure Linux VM backup strategies.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: c823873a-2bec-4c2a-b684-a1ce8ae80efd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureNativeIdentityServicesManagedServiceProviders.yaml b/v2/recos/Practices/Operations/revcl-AzureNativeIdentityServicesManagedServiceProviders.yaml
new file mode 100644
index 000000000..ad0dfd282
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureNativeIdentityServicesManagedServiceProviders.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureNativeIdentityServicesManagedServiceProviders
+title: If you partner with customers by managing their SAP estates, consider Azure
+ Lighthouse. Azure Lighthouse allows managed service providers to use Azure native
+ identity services to authenticate to the customers' environment. It puts the control
+ in the hands of customers, because they can revoke access at any time and audit
+ service providers' actions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: b7056168-6199-4732-a514-cdbb2d5c9c54
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/lighthouse/overview
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureNetworkWatcherNetworkLatencyMeasurements.yaml b/v2/recos/Practices/Operations/revcl-AzureNetworkWatcherNetworkLatencyMeasurements.yaml
new file mode 100644
index 000000000..26121f89e
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureNetworkWatcherNetworkLatencyMeasurements.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureNetworkWatcherNetworkLatencyMeasurements
+title: Use Connection Monitor in Azure Network Watcher to monitor latency metrics
+ for SAP databases and application servers. Or collect and display network latency
+ measurements by using Azure Monitor.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 523181aa-4174-4269-93ff-8ae7d7d47431
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview
+- type: docs
+ url: https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureRoleAssignmentsDenyPolicies.yaml b/v2/recos/Practices/Operations/revcl-AzureRoleAssignmentsDenyPolicies.yaml
new file mode 100644
index 000000000..326331b20
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureRoleAssignmentsDenyPolicies.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureRoleAssignmentsDenyPolicies
+title: Use deny policies to supplement Azure role assignments. The combination of
+ deny policies and Azure role assignments ensures the appropriate guardrails are
+ in place to enforce who can deploy and configure resources and what resources they
+ can deploy and configure.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 2
+labels:
+ guid: a6e55d7d-8a2a-4db1-87d6-326af625ca44
+ area: Management
+ subarea: Monitoring
+ id: F01.10
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureServiceHealthPlatformActionGroups.yaml b/v2/recos/Practices/Operations/revcl-AzureServiceHealthPlatformActionGroups.yaml
new file mode 100644
index 000000000..0ef5afdb0
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureServiceHealthPlatformActionGroups.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureServiceHealthPlatformActionGroups
+title: Include alerts and action groups as part of the Azure Service Health platform
+ to ensure that alerts or issues can be actioned
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: d5f345bf-97ab-41a7-819c-6104baa7d48c
+ area: Management
+ subarea: Monitoring
+ id: F01.12
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService-1.yaml b/v2/recos/Practices/Operations/revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService-1.yaml
new file mode 100644
index 000000000..00c5b9c8e
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService-1.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService-1
+title: Use Azure Site Recovery monitoring to maintain the health of the disaster recovery
+ service for SAP application servers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: d89fd98d-23e4-4b40-a92e-32db9365522c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot
+- type: docs
+ url: https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureTaggingResources.yaml b/v2/recos/Practices/Operations/revcl-AzureTaggingResources.yaml
new file mode 100644
index 000000000..d6e4f5e62
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureTaggingResources.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureTaggingResources
+title: Azure tagging can be leveraged to logically group and track resources, automate
+ their deployments, and most importantly, provide visibility on the incurred costs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 579266bc-ca27-45fa-a1ab-fe9d55d04c3c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance
+- type: docs
+ url: https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-AzureUpdateManagerAvailableUpdates.yaml b/v2/recos/Practices/Operations/revcl-AzureUpdateManagerAvailableUpdates.yaml
new file mode 100644
index 000000000..9978e96f1
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-AzureUpdateManagerAvailableUpdates.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureUpdateManagerAvailableUpdates
+title: Use Azure Update Manager to check the status of available updates for a single
+ VM or multiple VMs and consider scheduling regular patching.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 4d116785-d2fa-456c-96ad-48408fe72734
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-BranchingStrategyVersionControl.yaml b/v2/recos/Practices/Operations/revcl-BranchingStrategyVersionControl.yaml
new file mode 100644
index 000000000..cb8619a42
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-BranchingStrategyVersionControl.yaml
@@ -0,0 +1,19 @@
+name: revcl-BranchingStrategyVersionControl
+title: Follow a branching strategy to allow teams to collaborate better and efficiently
+ manage version control of IaC and application Code. Review options such as Github
+ Flow.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 2
+labels:
+ guid: c7245dd4-af8a-403a-8bb7-890c1a7cfa9d
+ area: Platform Automation and DevOps
+ subarea: Development Lifecycle
+ id: H02.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-CiCdPipelineIacArtifacts.yaml b/v2/recos/Practices/Operations/revcl-CiCdPipelineIacArtifacts.yaml
new file mode 100644
index 000000000..63fe7af05
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-CiCdPipelineIacArtifacts.yaml
@@ -0,0 +1,18 @@
+name: revcl-CiCdPipelineIacArtifacts
+title: Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your
+ deployment and Azure environments.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 165eb5e9-b434-448a-9e24-178632186212
+ area: Platform Automation and DevOps
+ subarea: DevOps Team Topologies
+ id: H01.04
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-CombinedProcessInnovationProcess.yaml b/v2/recos/Practices/Operations/revcl-CombinedProcessInnovationProcess.yaml
new file mode 100644
index 000000000..100df8bc2
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-CombinedProcessInnovationProcess.yaml
@@ -0,0 +1,18 @@
+name: revcl-CombinedProcessInnovationProcess
+title: Integrate security into the already combined process of development and operations
+ in DevOps to mitigate risks in the innovation process.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: cc87a3bc-c572-4ad2-92ed-8cabab66160f
+ area: Platform Automation and DevOps
+ subarea: Security
+ id: H04.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-CriticalSharedServicesResourceLocks.yaml b/v2/recos/Practices/Operations/revcl-CriticalSharedServicesResourceLocks.yaml
new file mode 100644
index 000000000..72b385358
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-CriticalSharedServicesResourceLocks.yaml
@@ -0,0 +1,19 @@
+name: revcl-CriticalSharedServicesResourceLocks
+title: Use resource locks to prevent accidental deletion of critical shared services.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 541acdce-9793-477b-adb3-751ab2ab13ad
+ area: Management
+ subarea: Monitoring
+ id: F01.09
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-CrossFunctionalDevopsPlatformTeamAzureLandingZoneArchitecture.yaml b/v2/recos/Practices/Operations/revcl-CrossFunctionalDevopsPlatformTeamAzureLandingZoneArchitecture.yaml
new file mode 100644
index 000000000..327a09751
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-CrossFunctionalDevopsPlatformTeamAzureLandingZoneArchitecture.yaml
@@ -0,0 +1,18 @@
+name: revcl-CrossFunctionalDevopsPlatformTeamAzureLandingZoneArchitecture
+title: Ensure you have a cross functional DevOps Platform Team to build, manage and
+ maintain your Azure Landing Zone architecture.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: e85f4226-bf06-4e35-8a8b-7aee4d2d633a
+ area: Platform Automation and DevOps
+ subarea: DevOps Team Topologies
+ id: H01.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-DevopsPlatformTeamSupportApplicationWorkloadTeams.yaml b/v2/recos/Practices/Operations/revcl-DevopsPlatformTeamSupportApplicationWorkloadTeams.yaml
new file mode 100644
index 000000000..36cd6a5a7
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-DevopsPlatformTeamSupportApplicationWorkloadTeams.yaml
@@ -0,0 +1,19 @@
+name: revcl-DevopsPlatformTeamSupportApplicationWorkloadTeams
+title: Aim to define functions for application workload teams to be self-sufficient
+ and not require DevOps Platform Team support. Achieve this through the use of custom
+ RBAC role.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 2
+labels:
+ guid: a9e65070-c59e-4112-8bf6-c11364d4a2a5
+ area: Platform Automation and DevOps
+ subarea: DevOps Team Topologies
+ id: H01.03
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-DifferentDnsZonesPrivateDnsZones.yaml b/v2/recos/Practices/Operations/revcl-DifferentDnsZonesPrivateDnsZones.yaml
new file mode 100644
index 000000000..728713030
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-DifferentDnsZonesPrivateDnsZones.yaml
@@ -0,0 +1,18 @@
+name: revcl-DifferentDnsZonesPrivateDnsZones
+title: Use different DNS zones to distinguish each environment (sandbox, development,
+ preproduction, and production) from each other. The exception is for SAP deployments
+ with their own VNet; here, private DNS zones might not be necessary.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: a2858f78-105b-4f52-b7a9-5b0f4439743b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-EnablingWriteAcceleratorMSeries.yaml b/v2/recos/Practices/Operations/revcl-EnablingWriteAcceleratorMSeries.yaml
new file mode 100644
index 000000000..d99a456de
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-EnablingWriteAcceleratorMSeries.yaml
@@ -0,0 +1,12 @@
+name: revcl-EnablingWriteAcceleratorMSeries
+title: Enabling Write accelerator for M series when using premium disks(V1)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 347c2dcc-e6eb-4b04-80c5-628b171aa62d
+links: []
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-ExistingAzureBasedSapSystemsSapSolutions.yaml b/v2/recos/Practices/Operations/revcl-ExistingAzureBasedSapSystemsSapSolutions.yaml
new file mode 100644
index 000000000..7df9bedbd
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-ExistingAzureBasedSapSystemsSapSolutions.yaml
@@ -0,0 +1,20 @@
+name: revcl-ExistingAzureBasedSapSystemsSapSolutions
+title: Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a
+ top-level workload on Azure. ACSS is an end-to-end solution that enables you to
+ create and run SAP systems as a unified workload on Azure and provides a more seamless
+ foundation for innovation. You can take advantage of the management capabilities
+ for both new and existing Azure-based SAP systems.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 4620dc87-e948-4ce8-8426-f3e6e5d7bd85
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/center-sap-solutions/overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-ExistingManagementGroupPoliciesSapSubscriptions.yaml b/v2/recos/Practices/Operations/revcl-ExistingManagementGroupPoliciesSapSubscriptions.yaml
new file mode 100644
index 000000000..757c9bdad
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-ExistingManagementGroupPoliciesSapSubscriptions.yaml
@@ -0,0 +1,16 @@
+name: revcl-ExistingManagementGroupPoliciesSapSubscriptions
+title: enforce existing Management Group policies to SAP Subscriptions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 6ba28021-4591-4147-9e39-e5309cccd979
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
+- type: docs
+ url: https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-FastViolationDetectionConsistentPolicyAdherence.yaml b/v2/recos/Practices/Operations/revcl-FastViolationDetectionConsistentPolicyAdherence.yaml
new file mode 100644
index 000000000..500ed8755
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-FastViolationDetectionConsistentPolicyAdherence.yaml
@@ -0,0 +1,18 @@
+name: revcl-FastViolationDetectionConsistentPolicyAdherence
+title: 'Use Azure Policy for access control and compliance reporting. Azure Policy
+ provides the ability to enforce organization-wide settings to ensure consistent
+ policy adherence and fast violation detection. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 5325ae52-5ba3-44d4-985e-2213ace7bb12
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-GlobalTransitConnectivityGlobalNetworks.yaml b/v2/recos/Practices/Operations/revcl-GlobalTransitConnectivityGlobalNetworks.yaml
new file mode 100644
index 000000000..22cc65d64
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-GlobalTransitConnectivityGlobalNetworks.yaml
@@ -0,0 +1,19 @@
+name: revcl-GlobalTransitConnectivityGlobalNetworks
+title: Use Virtual WAN for Azure deployments in new, large, or global networks where
+ you need global transit connectivity across Azure regions and on-premises locations.
+ With this approach, you won't need to manually set up transitive routing for Azure
+ networking, and you can follow a standard for SAP on Azure deployments.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3
+links:
+- type: docs
+ url: https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-HighAvailabilitySuseClustersSapSolutionManager.yaml b/v2/recos/Practices/Operations/revcl-HighAvailabilitySuseClustersSapSolutionManager.yaml
new file mode 100644
index 000000000..8a29853f0
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-HighAvailabilitySuseClustersSapSolutionManager.yaml
@@ -0,0 +1,18 @@
+name: revcl-HighAvailabilitySuseClustersSapSolutionManager
+title: Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA,
+ high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing
+ Azure Monitor for SAP solutions with SAP Solution Manager.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 14591147-5e39-4e53-89cc-cd979366bcda
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-IpAddressDrSide.yaml b/v2/recos/Practices/Operations/revcl-IpAddressDrSide.yaml
new file mode 100644
index 000000000..a8dc95f34
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-IpAddressDrSide.yaml
@@ -0,0 +1,16 @@
+name: revcl-IpAddressDrSide
+title: Consider reserving IP address on DR side when configuring ASR
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 9cccd979-366b-4cda-8750-ab1ab039d95d
+links:
+- type: docs
+ url: https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-network-infrastructure/
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-LeverageAzureResourceTagResourceGrouping.yaml b/v2/recos/Practices/Operations/revcl-LeverageAzureResourceTagResourceGrouping.yaml
new file mode 100644
index 000000000..9f7914748
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-LeverageAzureResourceTagResourceGrouping.yaml
@@ -0,0 +1,18 @@
+name: revcl-LeverageAzureResourceTagResourceGrouping
+title: 'Leverage Azure resource tag for cost categorization and resource grouping
+ (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development),
+ Tier (Web Tier, Application Tier), Application Owner, ProjectName)'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 4e138115-2318-41aa-9174-26943ff8ae7d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization
+- type: docs
+ url: https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/
+queries: {}
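Review bot: The second line of `title` opens with `(: BillTo, Department …`, a stray colon right after the parenthesis that reads like a dropped word (probably `(e.g.: BillTo, …`). Since this file is generated from `./checklists/waf_checklist.en.json`, the wording should be fixed in that source entry so the next regeneration does not reintroduce it.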
diff --git a/v2/recos/Practices/Operations/revcl-ManySystemInterfacesSapLandscape.yaml b/v2/recos/Practices/Operations/revcl-ManySystemInterfacesSapLandscape.yaml
new file mode 100644
index 000000000..f4e47080c
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-ManySystemInterfacesSapLandscape.yaml
@@ -0,0 +1,21 @@
+name: revcl-ManySystemInterfacesSapLandscape
+title: If the virtual machine's DNS or virtual name is not changed during migration
+ to Azure, Background DNS and virtual names connect many system interfaces in the
+ SAP landscape, and customers are only sometimes aware of the interfaces that developers
+ define over time. Connection challenges arise between various systems when virtual
+ or DNS names change after migrations, and it's recommended to retain DNS aliases
+ to prevent these types of difficulties.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-MaximumNetworkThroughputSapLandingZones.yaml b/v2/recos/Practices/Operations/revcl-MaximumNetworkThroughputSapLandingZones.yaml
new file mode 100644
index 000000000..f32c01097
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-MaximumNetworkThroughputSapLandingZones.yaml
@@ -0,0 +1,20 @@
+name: revcl-MaximumNetworkThroughputSapLandingZones
+title: Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based
+ topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network
+ throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second.
+ If necessary, SAP landing zones can use VNet peering to connect to other landing
+ zones and overcome this bandwidth limitation.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: facc08c6-ea95-4641-91cd-fa09e573adbd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture
+- type: docs
+ url: https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-MultipleDelegatedSubnetsOneDelegatedSubnet.yaml b/v2/recos/Practices/Operations/revcl-MultipleDelegatedSubnetsOneDelegatedSubnet.yaml
new file mode 100644
index 000000000..f1d39a110
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-MultipleDelegatedSubnetsOneDelegatedSubnet.yaml
@@ -0,0 +1,19 @@
+name: revcl-MultipleDelegatedSubnetsOneDelegatedSubnet
+title: While Azure does help you to create multiple delegated subnets in a VNet, only
+ one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create
+ a new volume will fail if you use more than one delegated subnet for Azure NetApp
+ Files.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 6e154e3a-a359-4282-ae6e-206173686af4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-NativePaasServiceDisasterRecoveryCapabilities.yaml b/v2/recos/Practices/Operations/revcl-NativePaasServiceDisasterRecoveryCapabilities.yaml
new file mode 100644
index 000000000..c281ef8d2
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-NativePaasServiceDisasterRecoveryCapabilities.yaml
@@ -0,0 +1,17 @@
+name: revcl-NativePaasServiceDisasterRecoveryCapabilities
+title: Ensure to use and test native PaaS service disaster recovery capabilities.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: b2ab13ad-a6e5-45d7-b8a2-adb117d6326a
+ area: Management
+ subarea: Protect and Recover
+ id: F04.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-NetworkVirtualAppliancesPartnerNetworkingTechnologies.yaml b/v2/recos/Practices/Operations/revcl-NetworkVirtualAppliancesPartnerNetworkingTechnologies.yaml
new file mode 100644
index 000000000..d43a69073
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-NetworkVirtualAppliancesPartnerNetworkingTechnologies.yaml
@@ -0,0 +1,19 @@
+name: revcl-NetworkVirtualAppliancesPartnerNetworkingTechnologies
+title: Consider deploying network virtual appliances (NVAs) between regions only if
+ partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs
+ are present. When you're deploying partner networking technologies and NVAs, follow
+ the vendor's guidance to verify conflicting configurations with Azure networking.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 0cedb1f6-ae6c-492b-8b17-8061f50b16d3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability
+- type: docs
+ url: https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-NewLandingZoneSubscriptionVending.yaml b/v2/recos/Practices/Operations/revcl-NewLandingZoneSubscriptionVending.yaml
new file mode 100644
index 000000000..b92cc5103
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-NewLandingZoneSubscriptionVending.yaml
@@ -0,0 +1,18 @@
+name: revcl-NewLandingZoneSubscriptionVending
+title: Implement automation for new landing zone for applications and workloads through
+ subscription vending
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 2
+labels:
+ guid: a52e0c98-76b9-4a09-a1c9-6b2babf22ac4
+ area: Platform Automation and DevOps
+ subarea: DevOps Team Topologies
+ id: H01.07
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-OverallPlatformMonitoringSolutionResourceHealthEvents.yaml b/v2/recos/Practices/Operations/revcl-OverallPlatformMonitoringSolutionResourceHealthEvents.yaml
new file mode 100644
index 000000000..8089bfe43
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-OverallPlatformMonitoringSolutionResourceHealthEvents.yaml
@@ -0,0 +1,19 @@
+name: revcl-OverallPlatformMonitoringSolutionResourceHealthEvents
+title: Include service and resource health events as part of the overall platform
+ monitoring solution. Tracking service and resource health from the platform perspective
+ is an important component of resource management in Azure.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: e5695f22-23ac-4e8c-a123-08ca5017f154
+ area: Management
+ subarea: Monitoring
+ id: F01.11
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-OverlappingIpAddressRangesDrSites-1.yaml b/v2/recos/Practices/Operations/revcl-OverlappingIpAddressRangesDrSites-1.yaml
new file mode 100644
index 000000000..e892ebcdb
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-OverlappingIpAddressRangesDrSites-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-OverlappingIpAddressRangesDrSites-1
+title: Avoid using overlapping IP address ranges for production and DR sites.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 54c7c892-9cb1-407d-9325-ae525ba34d46
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing
+- type: docs
+ url: https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-PlatformComponentsLandingZone.yaml b/v2/recos/Practices/Operations/revcl-PlatformComponentsLandingZone.yaml
new file mode 100644
index 000000000..f0af0e30c
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-PlatformComponentsLandingZone.yaml
@@ -0,0 +1,21 @@
+name: revcl-PlatformComponentsLandingZone
+title: Establish monitoring for platform components of your landing zone, AMBA is
+ a framework solution that is available and provides an easy way to scale alerting
+ by using Azure Policy
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: aa45be6a-8f2d-4896-b0e3-775e6e94e610
+ area: Management
+ subarea: Monitoring
+ id: F01.19
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-monitor
+- type: docs
+ url: https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-PullRequestStrategyCodeChanges.yaml b/v2/recos/Practices/Operations/revcl-PullRequestStrategyCodeChanges.yaml
new file mode 100644
index 000000000..d8d5e1a7e
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-PullRequestStrategyCodeChanges.yaml
@@ -0,0 +1,18 @@
+name: revcl-PullRequestStrategyCodeChanges
+title: Adopt a pull request strategy to help keep control of code changes merged into
+ branches.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 12aeea20-9165-4b3e-bdf2-6795fcd3cdbe
+ area: Platform Automation and DevOps
+ subarea: Development Lifecycle
+ id: H02.03
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-QuickFixesTechnicalDebt.yaml b/v2/recos/Practices/Operations/revcl-QuickFixesTechnicalDebt.yaml
new file mode 100644
index 000000000..2619e57ed
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-QuickFixesTechnicalDebt.yaml
@@ -0,0 +1,19 @@
+name: revcl-QuickFixesTechnicalDebt
+title: Establish a process for using code to implement quick fixes. Always register
+ quick fixes in your team's backlog so each fix can be reworked at a later point,
+ and you can limit technical debt.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 2676ae46-65ca-444e-8695-fdddeace4cb1
+ area: Platform Automation and DevOps
+ subarea: Development Lifecycle
+ id: H02.04
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-platform
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-RawLogEntriesPremisesMonitoringSystems.yaml b/v2/recos/Practices/Operations/revcl-RawLogEntriesPremisesMonitoringSystems.yaml
new file mode 100644
index 000000000..7f1ac2f13
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-RawLogEntriesPremisesMonitoringSystems.yaml
@@ -0,0 +1,19 @@
+name: revcl-RawLogEntriesPremisesMonitoringSystems
+title: Don't send raw log entries back to on-premises monitoring systems. Instead,
+ adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration
+ is required, then send critical alerts instead of logs.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: e3ab3693-829e-47e3-8618-3687a0477a20
+ area: Management
+ subarea: Monitoring
+ id: F01.13
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sentinel/quickstart-onboard
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-RequiredServicesDeploymentRegions.yaml b/v2/recos/Practices/Operations/revcl-RequiredServicesDeploymentRegions.yaml
new file mode 100644
index 000000000..773ba85cb
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-RequiredServicesDeploymentRegions.yaml
@@ -0,0 +1,17 @@
+name: revcl-RequiredServicesDeploymentRegions
+title: Ensure required services and features are available within the chosen deployment
+ regions eg. ANF , Zone etc.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: e6e20617-3686-4af4-9791-f8935ada4332
+links:
+- type: docs
+ url: https://azure.microsoft.com/explore/global-infrastructure/products-by-region/
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-SameSapSubscriptionAdditionalRouting.yaml b/v2/recos/Practices/Operations/revcl-SameSapSubscriptionAdditionalRouting.yaml
new file mode 100644
index 000000000..88532815e
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-SameSapSubscriptionAdditionalRouting.yaml
@@ -0,0 +1,17 @@
+name: revcl-SameSapSubscriptionAdditionalRouting
+title: Integrate tightly coupled applications into the same SAP subscription to avoid
+ additional routing and management complexity
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 366bcda2-750a-4b1a-a039-d95d54c7c892
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-SapBasisOperationsSapLandscapeManagement.yaml b/v2/recos/Practices/Operations/revcl-SapBasisOperationsSapLandscapeManagement.yaml
new file mode 100644
index 000000000..2a25c2046
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-SapBasisOperationsSapLandscapeManagement.yaml
@@ -0,0 +1,18 @@
+name: revcl-SapBasisOperationsSapLandscapeManagement
+title: Optimize and manage SAP Basis operations by using SAP Landscape Management
+ (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh
+ SAP systems.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 2
+labels:
+ guid: 76c8bcbf-45bb-4e60-ad8a-03e97778424d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/lama-installation
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-SapDeploymentAutomationFrameworkOpenSourceOrchestrationTool.yaml b/v2/recos/Practices/Operations/revcl-SapDeploymentAutomationFrameworkOpenSourceOrchestrationTool.yaml
new file mode 100644
index 000000000..28c14ab92
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-SapDeploymentAutomationFrameworkOpenSourceOrchestrationTool.yaml
@@ -0,0 +1,18 @@
+name: revcl-SapDeploymentAutomationFrameworkOpenSourceOrchestrationTool
+title: Azure supports automating SAP deployments in Linux and Windows. SAP Deployment
+ Automation Framework is an open-source orchestration tool that can deploy, install,
+ and maintain SAP environments.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 5d75e99d-624d-4afe-91d9-e17adc580790
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops
+- type: docs
+ url: https://github.com/Azure/sap-automation
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-SapHanaSystemLandscapeGuidance.yaml b/v2/recos/Practices/Operations/revcl-SapHanaSystemLandscapeGuidance.yaml
new file mode 100644
index 000000000..52e4dcdda
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-SapHanaSystemLandscapeGuidance.yaml
@@ -0,0 +1,14 @@
+name: revcl-SapHanaSystemLandscapeGuidance
+title: Review the Monitoring the SAP HANA System Landscape guidance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 82d7b8de-d3f1-44a0-830b-38e200e82acf
+links:
+- type: docs
+ url: https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-ScaleUnitLeverageSubscription.yaml b/v2/recos/Practices/Operations/revcl-ScaleUnitLeverageSubscription.yaml
new file mode 100644
index 000000000..f8fb1545a
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-ScaleUnitLeverageSubscription.yaml
@@ -0,0 +1,17 @@
+name: revcl-ScaleUnitLeverageSubscription
+title: 'Leverage Subscription as scale unit and scaling our resources, consider deploying
+ subscription per environment eg. Sandbox, non-prod, prod '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 9cb107d5-325a-4e52-9ba3-4d4685e2213a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-TheQuotaApiRestApi.yaml b/v2/recos/Practices/Operations/revcl-TheQuotaApiRestApi.yaml
new file mode 100644
index 000000000..4dc519a26
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-TheQuotaApiRestApi.yaml
@@ -0,0 +1,15 @@
+name: revcl-TheQuotaApiRestApi
+title: The Quota API is a REST API that you can use to view and manage quotas for
+ Azure services. Consider using it if necessary.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 2
+labels:
+ guid: ce4fab2f-433a-4d59-a5a9-3d1032e03ebc
+links:
+- type: docs
+ url: https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-TimeZoneMatchesOperatingSystem.yaml b/v2/recos/Practices/Operations/revcl-TimeZoneMatchesOperatingSystem.yaml
new file mode 100644
index 000000000..83dff99ff
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-TimeZoneMatchesOperatingSystem.yaml
@@ -0,0 +1,14 @@
+name: revcl-TimeZoneMatchesOperatingSystem
+title: Ensure time-zone matches between the operating system and the SAP system.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 42d37218-a3a7-45df-bff6-1173e7f249ea
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-TotalAvailableVmCoresQuotaIncrease.yaml b/v2/recos/Practices/Operations/revcl-TotalAvailableVmCoresQuotaIncrease.yaml
new file mode 100644
index 000000000..711d12179
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-TotalAvailableVmCoresQuotaIncrease.yaml
@@ -0,0 +1,17 @@
+name: revcl-TotalAvailableVmCoresQuotaIncrease
+title: Ensure quota increase as a part of subscription provisioning (e.g. total available
+ VM cores within a subscription)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: ce7bb122-f7c9-45f0-9e15-4e3aa3592829
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/quotas/quotas-overview
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-UnderlyingAzureExtensionVmExtension.yaml b/v2/recos/Practices/Operations/revcl-UnderlyingAzureExtensionVmExtension.yaml
new file mode 100644
index 000000000..0408d3615
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-UnderlyingAzureExtensionVmExtension.yaml
@@ -0,0 +1,19 @@
+name: revcl-UnderlyingAzureExtensionVmExtension
+title: Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed
+ identity of a virtual machine (VM) to access VM monitoring and configuration data.
+ The check ensures that all performance metrics in your SAP application come from
+ the underlying Azure Extension for SAP.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: 2750ab1a-b039-4d95-b54c-7c8929cb107d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-UnitTestsApplicationCode.yaml b/v2/recos/Practices/Operations/revcl-UnitTestsApplicationCode.yaml
new file mode 100644
index 000000000..ea84f7050
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-UnitTestsApplicationCode.yaml
@@ -0,0 +1,17 @@
+name: revcl-UnitTestsApplicationCode
+title: Include unit tests for IaC and application code as part of your build process.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 1
+labels:
+ guid: 0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460
+ area: Platform Automation and DevOps
+ subarea: DevOps Team Topologies
+ id: H01.05
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds
+queries: {}
diff --git a/v2/recos/Practices/Operations/revcl-VersionControlSystemSourceCode.yaml b/v2/recos/Practices/Operations/revcl-VersionControlSystemSourceCode.yaml
new file mode 100644
index 000000000..5423bfea7
--- /dev/null
+++ b/v2/recos/Practices/Operations/revcl-VersionControlSystemSourceCode.yaml
@@ -0,0 +1,18 @@
+name: revcl-VersionControlSystemSourceCode
+title: Ensure a version control system is used for source code of applications and
+ IaC developed. Microsoft recommends Git.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Operations
+severity: 0
+labels:
+ guid: cfe363b5-f579-4284-bc56-a42153e4c10b
+ area: Platform Automation and DevOps
+ subarea: Development Lifecycle
+ id: H02.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-AutomaticWorkloadRepositorySqlScripts.yaml b/v2/recos/Practices/Performance/revcl-AutomaticWorkloadRepositorySqlScripts.yaml
new file mode 100644
index 000000000..dfd6b532f
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-AutomaticWorkloadRepositorySqlScripts.yaml
@@ -0,0 +1,20 @@
+name: revcl-AutomaticWorkloadRepositorySqlScripts
+title: For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose
+ performance problems. Automatic Workload Repository (AWR) reports contain valuable
+ information for diagnosing problems in the Oracle system. We recommend that you
+ run an AWR report during several sessions and choose peak times for it, to ensure
+ broad coverage for the analysis.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: 33c5d5bf-daf3-4f0d-bd50-6010fdcec22e
+links:
+- type: docs
+ url: https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178
+- type: docs
+ url: https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency
+queries: {}
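Review bot: The second `url` under `links` carries a `ja-jp` locale segment (`learn.microsoft.com/ja-jp/azure/...`) while every other link in these files, and the checklist edition itself (`waf_checklist.en.json`), is locale-less or English. learn.microsoft.com resolves a locale-less path to the reader's language, so dropping `ja-jp/` makes the link consistent with the rest: `url: https://learn.microsoft.com/azure/well-architected/oracle-iaas/performance-efficiency`. As this file is generated, the change belongs in the source checklist entry.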
diff --git a/v2/recos/Practices/Performance/revcl-AzureAcceleratedNetworkingSapApplication.yaml b/v2/recos/Practices/Performance/revcl-AzureAcceleratedNetworkingSapApplication.yaml
new file mode 100644
index 000000000..9429c30a8
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-AzureAcceleratedNetworkingSapApplication.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureAcceleratedNetworkingSapApplication
+title: Make sure that Azure accelerated networking is enabled on the VMs used in the
+ SAP application and DBMS layers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 0
+labels:
+ guid: 85e2213a-ce7b-4b12-8f7c-95f06e154e3a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat
+- type: docs
+ url: https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-AzureAvailabilityZonesLowLatencyZones.yaml b/v2/recos/Practices/Performance/revcl-AzureAvailabilityZonesLowLatencyZones.yaml
new file mode 100644
index 000000000..614b84f4d
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-AzureAvailabilityZonesLowLatencyZones.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureAvailabilityZonesLowLatencyZones
+title: For each Azure subscription, run a latency test on Azure availability zones
+ before zonal deployment to choose low-latency zones for deployment of SAP on Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 0
+labels:
+ guid: 616785d6-fa96-4c96-ad88-518f482734c8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/high-availability-zones
+- type: docs
+ url: https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-AzureProximityPlacementGroupsOptimalNetworkLatency.yaml b/v2/recos/Practices/Performance/revcl-AzureProximityPlacementGroupsOptimalNetworkLatency.yaml
new file mode 100644
index 000000000..a03b2e7e3
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-AzureProximityPlacementGroupsOptimalNetworkLatency.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureProximityPlacementGroupsOptimalNetworkLatency
+title: For optimal network latency with SAP applications, consider using Azure proximity
+ placement groups.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: fa96c96a-d885-418f-9827-34c886ba2802
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-CustomBrandAssetsCdn.yaml b/v2/recos/Practices/Performance/revcl-CustomBrandAssetsCdn.yaml
new file mode 100644
index 000000000..6790d888b
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-CustomBrandAssetsCdn.yaml
@@ -0,0 +1,14 @@
+name: revcl-CustomBrandAssetsCdn
+title: Custom brand assets should be hosted on a CDN
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: 3e3553a4-c873-4964-ab66-2d6c15f51296
+links:
+- type: docs
+ url: https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-DatabaseFileSystemsDatabaseVendors.yaml b/v2/recos/Practices/Performance/revcl-DatabaseFileSystemsDatabaseVendors.yaml
new file mode 100644
index 000000000..c24b89bf1
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-DatabaseFileSystemsDatabaseVendors.yaml
@@ -0,0 +1,17 @@
+name: revcl-DatabaseFileSystemsDatabaseVendors
+title: Exclude all the database file systems and executable programs from antivirus
+ scans. Including them could lead to performance problems. Check with the database
+ vendors for prescriptive details on the exclusion list. For example, Oracle recommends
+ excluding /oracle//sapdata from antivirus scans.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: abb6af9c-982c-4cf1-83fb-329fafd1ee56
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring
+queries: {}
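Review bot: The example path at the end of the title, `/oracle//sapdata`, has an empty path component, which suggests a placeholder between the two slashes was dropped during conversion — the SAP-on-Oracle layout normally carries the system id there, e.g. `excluding /oracle/<SID>/sapdata from antivirus scans`. As written the example is not a real path and a reader applying the exclusion literally would exclude nothing. Since `source.file` points at `./checklists/waf_checklist.en.json`, the correction presumably belongs in that checklist so a regeneration does not reintroduce it.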
diff --git a/v2/recos/Practices/Performance/revcl-DifferentAzureVnetsSapApplicationLayer.yaml b/v2/recos/Practices/Performance/revcl-DifferentAzureVnetsSapApplicationLayer.yaml
new file mode 100644
index 000000000..1abf2d83d
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-DifferentAzureVnetsSapApplicationLayer.yaml
@@ -0,0 +1,17 @@
+name: revcl-DifferentAzureVnetsSapApplicationLayer
+title: Placing of the SAP application layer and SAP DBMS in different Azure VNets
+ that aren't peered isn't supported.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 0
+labels:
+ guid: 45bbe609-d8a0-43e9-9778-424d616785d6
+links:
+- type: docs
+ url: https://me.sap.com/notes/2015553
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-FullDatabaseStatisticsOracleStatistics.yaml b/v2/recos/Practices/Performance/revcl-FullDatabaseStatisticsOracleStatistics.yaml
new file mode 100644
index 000000000..96606b2b4
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-FullDatabaseStatisticsOracleStatistics.yaml
@@ -0,0 +1,15 @@
+name: revcl-FullDatabaseStatisticsOracleStatistics
+title: Consider collecting full database statistics for non-HANA databases after migration.
+ For example, implement SAP note 1020260 - Delivery of Oracle statistics.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 2
+labels:
+ guid: c027f893-f404-41a9-b33d-39d625a14964
+links:
+- type: docs
+ url: https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login
+queries: {}
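Review bot: The only link in this recommendation is `https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login`, an authentication endpoint rather than documentation; it looks like the sign-in redirect captured while an SAP support session was being opened, not the note itself. A published recommendation pointing users at a login page is also the kind of link they are trained to distrust. The title names SAP note 1020260, and sibling recommendations in this change link notes as `https://me.sap.com/notes/<number>`, so `url: https://me.sap.com/notes/1020260` would be consistent with them — worth confirming the note resolves before changing it.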
diff --git a/v2/recos/Practices/Performance/revcl-GlobalTransitConnectivityGlobalNetworks-1.yaml b/v2/recos/Practices/Performance/revcl-GlobalTransitConnectivityGlobalNetworks-1.yaml
new file mode 100644
index 000000000..c908e4b06
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-GlobalTransitConnectivityGlobalNetworks-1.yaml
@@ -0,0 +1,19 @@
+name: revcl-GlobalTransitConnectivityGlobalNetworks-1
+title: Use Virtual WAN for Azure deployments in new, large, or global networks where
+ you need global transit connectivity across Azure regions and on-premises locations.
+ With this approach, you won't need to manually set up transitive routing for Azure
+ networking, and you can follow a standard for SAP on Azure deployments.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: e73de7d5-6f36-4217-a526-e1a621ecddde
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/front-door-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door
+queries: {}
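Review bot: The two links under `links` point at Azure Front Door documentation and training, while the title recommends Virtual WAN for global transit connectivity; the references appear to belong to a different recommendation. A reader following them will not find guidance on the advice given. If these files are generated from `./checklists/waf_checklist.en.json`, check whether the links are mis-assigned there rather than patching only this file.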
diff --git a/v2/recos/Practices/Performance/revcl-InterVmLatencyMonitoringLatencySensitiveApplications.yaml b/v2/recos/Practices/Performance/revcl-InterVmLatencyMonitoringLatencySensitiveApplications.yaml
new file mode 100644
index 000000000..a26f7c239
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-InterVmLatencyMonitoringLatencySensitiveApplications.yaml
@@ -0,0 +1,14 @@
+name: revcl-InterVmLatencyMonitoringLatencySensitiveApplications
+title: Use inter-VM latency monitoring for latency-sensitive applications.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 2
+labels:
+ guid: 04b8e5e5-13cb-4b22-af62-5a8ecfcf0337
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-LinuxGuestOperatingSystemsLinuxNetworkParameter.yaml b/v2/recos/Practices/Performance/revcl-LinuxGuestOperatingSystemsLinuxNetworkParameter.yaml
new file mode 100644
index 000000000..7646dfa54
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-LinuxGuestOperatingSystemsLinuxNetworkParameter.yaml
@@ -0,0 +1,17 @@
+name: revcl-LinuxGuestOperatingSystemsLinuxNetworkParameter
+title: If using Load Balancer with Linux guest operating systems, check that the Linux
+ network parameter net.ipv4.tcp_timestamps is set to 0.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 0
+labels:
+ guid: 402a9846-d515-4061-aff8-cd30088693fa
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-OracleAutomaticStorageManagementOracleDeployments.yaml b/v2/recos/Practices/Performance/revcl-OracleAutomaticStorageManagementOracleDeployments.yaml
new file mode 100644
index 000000000..8afbf53ef
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-OracleAutomaticStorageManagementOracleDeployments.yaml
@@ -0,0 +1,17 @@
+name: revcl-OracleAutomaticStorageManagementOracleDeployments
+title: Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments
+ that use SAP on Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: fdafb1f5-3eee-4354-a8c9-deb8127ebc2e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm
+- type: docs
+ url: https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-SapApplicationLayerVmsDbmsVms.yaml b/v2/recos/Practices/Performance/revcl-SapApplicationLayerVmsDbmsVms.yaml
new file mode 100644
index 000000000..11e80457c
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SapApplicationLayerVmsDbmsVms.yaml
@@ -0,0 +1,16 @@
+name: revcl-SapApplicationLayerVmsDbmsVms
+title: Test network latency between SAP application layer VMs and DBMS VMs (NIPING).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: 35709da7-fc7d-4efe-bb20-2e91547b7390
+links:
+- type: docs
+ url: https://me.sap.com/notes/500235
+- type: docs
+ url: https://me.sap.com/notes/1100926/E
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-SapApplicationServerDatabaseServerLatency.yaml b/v2/recos/Practices/Performance/revcl-SapApplicationServerDatabaseServerLatency.yaml
new file mode 100644
index 000000000..ea9e0362d
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SapApplicationServerDatabaseServerLatency.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapApplicationServerDatabaseServerLatency
+title: Review SAP application server to database server latency using SAP ABAPMeter
+ report /SSA/CAT.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: b9b140cf-413a-483d-aad2-8802c4e3c017
+links:
+- type: docs
+ url: https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456
+- type: docs
+ url: https://me.sap.com/notes/0002879613
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-SapApplicationServerLayerDbmsLayer.yaml b/v2/recos/Practices/Performance/revcl-SapApplicationServerLayerDbmsLayer.yaml
new file mode 100644
index 000000000..971174930
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SapApplicationServerLayerDbmsLayer.yaml
@@ -0,0 +1,18 @@
+name: revcl-SapApplicationServerLayerDbmsLayer
+title: It is NOT supported at all to run an SAP Application Server layer and DBMS
+ layer split between on-premise and Azure. Both layers need to completely reside
+ either on-premise or in Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 0
+labels:
+ guid: 18c8b61c-855a-4405-b6ed-266455e4f4ce
+links:
+- type: docs
+ url: https://me.sap.com/notes/2015553
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-SapDatabaseServerSapApplication.yaml b/v2/recos/Practices/Performance/revcl-SapDatabaseServerSapApplication.yaml
new file mode 100644
index 000000000..be10ce642
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SapDatabaseServerSapApplication.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapDatabaseServerSapApplication
+title: "It is not supported to deploy any NVA between SAP application and SAP Database\xC2\
+ \_server"
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 0
+labels:
+ guid: 41742694-3ff8-4ae7-b7d4-743176c8bcbf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/planning-guide
+- type: docs
+ url: https://me.sap.com/notes/2731110
+queries: {}
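Review bot: The quoted title ends in `Database\xC2\` followed by `\_server`, which is a non-breaking space (UTF-8 bytes C2 A0) that was decoded once as Latin-1 and then YAML-escaped: parsed, the title reads `Database` + `Â` + NBSP + `server`, so the stray `Â` will show up in rendered output and in any text search for "Database server". Replace the mojibake with a plain space, which also removes the need for quoting: `title: It is not supported to deploy any NVA between SAP application and SAP Database server`. Since `source.file` names `./checklists/waf_checklist.en.json`, check whether the double-encoded character originates there.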
diff --git a/v2/recos/Practices/Performance/revcl-SapEarlywatchAlertSapComponents.yaml b/v2/recos/Practices/Performance/revcl-SapEarlywatchAlertSapComponents.yaml
new file mode 100644
index 000000000..898ee4fb3
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SapEarlywatchAlertSapComponents.yaml
@@ -0,0 +1,16 @@
+name: revcl-SapEarlywatchAlertSapComponents
+title: Activate SAP EarlyWatch Alert for all SAP components.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: 9fd7ffd4-da11-49f6-a374-8d03e94c511d
+links:
+- type: docs
+ url: https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html
+- type: docs
+ url: https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-SapHanaHealthChecksHanaConfigurationMinichecks.yaml b/v2/recos/Practices/Performance/revcl-SapHanaHealthChecksHanaConfigurationMinichecks.yaml
new file mode 100644
index 000000000..ae19ea9e0
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SapHanaHealthChecksHanaConfigurationMinichecks.yaml
@@ -0,0 +1,14 @@
+name: revcl-SapHanaHealthChecksHanaConfigurationMinichecks
+title: Perform SAP HANA health checks using HANA_Configuration_Minichecks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: f1a92ab5-9509-4b57-86ff-b0ade361b694
+links:
+- type: docs
+ url: https://me.sap.com/notes/1969700
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-SapHanaStudioAlerts.yaml b/v2/recos/Practices/Performance/revcl-SapHanaStudioAlerts.yaml
new file mode 100644
index 000000000..711bce50a
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SapHanaStudioAlerts.yaml
@@ -0,0 +1,14 @@
+name: revcl-SapHanaStudioAlerts
+title: Review SAP HANA studio alerts.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: 9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-SqlServerPerformanceMonitoringCcms.yaml b/v2/recos/Practices/Performance/revcl-SqlServerPerformanceMonitoringCcms.yaml
new file mode 100644
index 000000000..17a08595b
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-SqlServerPerformanceMonitoringCcms.yaml
@@ -0,0 +1,12 @@
+name: revcl-SqlServerPerformanceMonitoringCcms
+title: Review SQL Server performance monitoring using CCMS.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: 62fbf0f8-51db-49e1-a961-bb5df7a35f80
+links: []
+queries: {}
diff --git a/v2/recos/Practices/Performance/revcl-TestAvailabilityZoneLatency.yaml b/v2/recos/Practices/Performance/revcl-TestAvailabilityZoneLatency.yaml
new file mode 100644
index 000000000..7e9889c92
--- /dev/null
+++ b/v2/recos/Practices/Performance/revcl-TestAvailabilityZoneLatency.yaml
@@ -0,0 +1,14 @@
+name: revcl-TestAvailabilityZoneLatency
+title: Test availability zone latency.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Performance
+severity: 1
+labels:
+ guid: b96512cf-996f-4b17-b9b8-6b16db1a2a94
+links:
+- type: docs
+ url: https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-ActiveDirectoryWindowsServer.yaml b/v2/recos/Practices/Reliability/revcl-ActiveDirectoryWindowsServer.yaml
new file mode 100644
index 000000000..39fa706eb
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-ActiveDirectoryWindowsServer.yaml
@@ -0,0 +1,21 @@
+name: revcl-ActiveDirectoryWindowsServer
+title: When deploying Active Directory on Windows Server, use a location with Availability
+ Zones and deploy at least two VMs across these zones. If not available, deploy in
+ an Availability Set
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 1559ab91-53e8-4908-ae28-c84c33b6b780
+ area: Identity and Access Management
+ subarea: Identity
+ id: B03.09
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-active-directory/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureApplicationConsistentSnapshotToolAzureNetappFiles.yaml b/v2/recos/Practices/Reliability/revcl-AzureApplicationConsistentSnapshotToolAzureNetappFiles.yaml
new file mode 100644
index 000000000..4365c8646
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureApplicationConsistentSnapshotToolAzureNetappFiles.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureApplicationConsistentSnapshotToolAzureNetappFiles
+title: If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use
+ the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent
+ snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a
+ central VM rather than on individual VMs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 302a2fbf-3745-4a5f-a365-c9d1a16ca22c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureAvailabilitySetAvailabilityZone.yaml b/v2/recos/Practices/Reliability/revcl-AzureAvailabilitySetAvailabilityZone.yaml
new file mode 100644
index 000000000..acf292322
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureAvailabilitySetAvailabilityZone.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureAvailabilitySetAvailabilityZone
+title: Before you deploy your high-availability infrastructure, and depending on the
+ region you choose, determine whether to deploy with an Azure availability set or
+ an availability zone.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: c47cc4f3-f105-452c-845e-9b307b3856c1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/availability
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureAvailabilitySetsAzureAvailabilityZone.yaml b/v2/recos/Practices/Reliability/revcl-AzureAvailabilitySetsAzureAvailabilityZone.yaml
new file mode 100644
index 000000000..d3328ddcb
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureAvailabilitySetsAzureAvailabilityZone.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureAvailabilitySetsAzureAvailabilityZone
+title: You can't deploy Azure availability sets within an Azure availability zone
+ unless you use proximity placement groups.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: f2201000-d045-40a6-a79a-d7cdc01b4d86
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/co-location
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureBackupServiceHanaDatabase.yaml b/v2/recos/Practices/Reliability/revcl-AzureBackupServiceHanaDatabase.yaml
new file mode 100644
index 000000000..13c27a71d
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureBackupServiceHanaDatabase.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureBackupServiceHanaDatabase
+title: Help protect your HANA database by using the Azure Backup service.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 2f7c95f0-6e15-44e3-aa35-92829e6e2061
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/sap-hana-database-about
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureDisasterRecoveryRegionsVpnConnections.yaml b/v2/recos/Practices/Reliability/revcl-AzureDisasterRecoveryRegionsVpnConnections.yaml
new file mode 100644
index 000000000..b854e2bbb
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureDisasterRecoveryRegionsVpnConnections.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzureDisasterRecoveryRegionsVpnConnections
+title: Set up ExpressRoute connections from on-premises to the primary and secondary
+ Azure disaster recovery regions. Also, as an alternative to using ExpressRoute,
+ consider setting up VPN connections from on-premises to the primary and secondary
+ Azure disaster recovery regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: ba07c007-1f90-43e9-aa4f-601346b80352
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureNetappFilesPremiumManagedSsds.yaml b/v2/recos/Practices/Reliability/revcl-AzureNetappFilesPremiumManagedSsds.yaml
new file mode 100644
index 000000000..02ec7c0d9
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureNetappFilesPremiumManagedSsds.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureNetappFilesPremiumManagedSsds
+title: Run all production systems on Premium managed SSDs and use Azure NetApp Files
+ or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you
+ can achieve better performance and the best SLA.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 07991f7d-6598-4d90-9431-45c62605d3a5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureProximityPlacementGroupsSameProximityPlacementGroup.yaml b/v2/recos/Practices/Reliability/revcl-AzureProximityPlacementGroupsSameProximityPlacementGroup.yaml
new file mode 100644
index 000000000..341d0c452
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureProximityPlacementGroupsSameProximityPlacementGroup.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureProximityPlacementGroupsSameProximityPlacementGroup
+title: When you use Azure proximity placement groups in an availability set deployment,
+ all three SAP components (central services, application server, and database) should
+ be in the same proximity placement group.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureSiteRecoveryHighAvailabilityConfiguration.yaml b/v2/recos/Practices/Reliability/revcl-AzureSiteRecoveryHighAvailabilityConfiguration.yaml
new file mode 100644
index 000000000..e58d1df4a
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureSiteRecoveryHighAvailabilityConfiguration.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureSiteRecoveryHighAvailabilityConfiguration
+title: Consider configuring high availability depending on the type of storage you
+ use for your SAP workloads. Some storage services available in Azure are not supported
+ by Azure Site Recovery, so your high availability configuration may differ.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 51904867-a70e-4fa0-b4ff-3e6292846d7c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService.yaml b/v2/recos/Practices/Reliability/revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService.yaml
new file mode 100644
index 000000000..abf1087f1
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureSiteRecoveryMonitoringDisasterRecoveryService
+title: Use Azure Site Recovery monitoring to maintain the health of the disaster recovery
+ service for SAP application servers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 07e5ed53-3d96-43d8-87ea-631b77da5aba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-CentralServicesClusterVmsLinuxPacemakerCluster.yaml b/v2/recos/Practices/Reliability/revcl-CentralServicesClusterVmsLinuxPacemakerCluster.yaml
new file mode 100644
index 000000000..d88398612
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-CentralServicesClusterVmsLinuxPacemakerCluster.yaml
@@ -0,0 +1,17 @@
+name: revcl-CentralServicesClusterVmsLinuxPacemakerCluster
+title: Use Site Recovery to replicate an application server to a DR site. Site Recovery
+ can also help with replicating central-services cluster VMs to the DR site. When
+ you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR
+ site (for example, replace the VIP or SBD, run corosync.conf, and more).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 0258ed30-fe42-434f-87b9-58f91f908e0a
+links:
+- type: docs
+ url: https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-CloudAdaptionFrameworkResiliencyReport.yaml b/v2/recos/Practices/Reliability/revcl-CloudAdaptionFrameworkResiliencyReport.yaml
new file mode 100644
index 000000000..5f97e3ac4
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-CloudAdaptionFrameworkResiliencyReport.yaml
@@ -0,0 +1,18 @@
+name: revcl-CloudAdaptionFrameworkResiliencyReport
+title: Run the Resiliency Report to ensure that the configuration of the entire provisioned
+ Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies
+ with the configuration defined by Cloud Adaption Framework for Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 410adcba-db46-424f-a6c4-05ecde75c52e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability
+- type: docs
+ url: https://learn.microsoft.com/training/paths/azure-well-architected-framework/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-CommonArchitecturePatternDifferentStorageStacks.yaml b/v2/recos/Practices/Reliability/revcl-CommonArchitecturePatternDifferentStorageStacks.yaml
new file mode 100644
index 000000000..1baafe91d
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-CommonArchitecturePatternDifferentStorageStacks.yaml
@@ -0,0 +1,19 @@
+name: revcl-CommonArchitecturePatternDifferentStorageStacks
+title: Azure doesn't support architectures in which the primary and secondary VMs
+ share storage for DBMS data. For the DBMS layer, the common architecture pattern
+ is to replicate databases at the same time and with different storage stacks than
+ the ones that the primary and secondary VMs use.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: afae6bec-2671-49ae-bc69-140b8ec8d320
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows
+- type: docs
+ url: https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations
+queries: {}
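Review bot: The second link is two URLs run together — after `?source=recommendations` the value continues with a percent-encoded `https://learn.microsoft.com/ja-jp/training/...`, so the query string is garbage and the intended Japanese-locale URL is never reached. It looks like a paste accident rather than a deliberate tracking parameter. The plain target `url: https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/` is the form the other training links in this change use.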
diff --git a/v2/recos/Practices/Reliability/revcl-CrossRegionReplicationAzure.yaml b/v2/recos/Practices/Reliability/revcl-CrossRegionReplicationAzure.yaml
new file mode 100644
index 000000000..2e185379e
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-CrossRegionReplicationAzure.yaml
@@ -0,0 +1,17 @@
+name: revcl-CrossRegionReplicationAzure
+title: Consider cross-region replication in Azure for BCDR with paired regions
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 7ea02e1c-7166-45a3-bdf5-098891367fcb
+ area: Management
+ subarea: Data Protection
+ id: F02.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/cross-region-replication-azure
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-DifferentAvailabilityZonesHighAvailability.yaml b/v2/recos/Practices/Reliability/revcl-DifferentAvailabilityZonesHighAvailability.yaml
new file mode 100644
index 000000000..b1d792748
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-DifferentAvailabilityZonesHighAvailability.yaml
@@ -0,0 +1,15 @@
+name: revcl-DifferentAvailabilityZonesHighAvailability
+title: Follow VM rules for high availability on the VM level (premium disks, two or
+ more in a region, in different availability zones)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 604489a8-f42d-478e-98c0-7a73b22a4a57
+links:
+- type: docs
+ url: https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-DifferentNativeAzureStorageServicesRespectiveStorageService.yaml b/v2/recos/Practices/Reliability/revcl-DifferentNativeAzureStorageServicesRespectiveStorageService.yaml
new file mode 100644
index 000000000..9c1e8811a
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-DifferentNativeAzureStorageServicesRespectiveStorageService.yaml
@@ -0,0 +1,17 @@
+name: revcl-DifferentNativeAzureStorageServicesRespectiveStorageService
+title: Different native Azure storage services (like Azure Files, Azure NetApp Files,
+ Azure Shared Disk) may not be available in all regions. So to have similar SAP setup
+ on the DR region after failover, ensure the respective storage service is offered
+ in DR site.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 1ac2d928-c9b7-42c6-ba18-23b1aea78693
+links:
+- type: docs
+ url: https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-DirectorySynchronizationReplication.yaml b/v2/recos/Practices/Reliability/revcl-DirectorySynchronizationReplication.yaml
new file mode 100644
index 000000000..59b66c73a
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-DirectorySynchronizationReplication.yaml
@@ -0,0 +1,14 @@
+name: revcl-DirectorySynchronizationReplication
+title: Don't replicate! Replication can create issues with directory synchronization
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: e7a8dd4a-30e3-47c3-b297-11b2362ceee0
+links:
+- type: docs
+ url: https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-FiveDifferentCentralServicesDifferentApplicationServices.yaml b/v2/recos/Practices/Reliability/revcl-FiveDifferentCentralServicesDifferentApplicationServices.yaml
new file mode 100644
index 000000000..c02cad008
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-FiveDifferentCentralServicesDifferentApplicationServices.yaml
@@ -0,0 +1,19 @@
+name: revcl-FiveDifferentCentralServicesDifferentApplicationServices
+title: Don't group different application services in the same cluster. For example,
+ don't combine DRBD and central services clusters on the same cluster. However, you
+ can use the same Pacemaker cluster to manage approximately five different central
+ services (multi-SID cluster).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: c3c7abc0-716c-4486-893c-40e181d65539
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-FloatingIpLoadBalancer.yaml b/v2/recos/Practices/Reliability/revcl-FloatingIpLoadBalancer.yaml
new file mode 100644
index 000000000..cc40d1d2f
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-FloatingIpLoadBalancer.yaml
@@ -0,0 +1,16 @@
+name: revcl-FloatingIpLoadBalancer
+title: Make sure the Floating IP is enabled on the Load balancer
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 1a541741-5833-4fb4-ae3c-2df743165c3a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations
+- type: docs
+ url: https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-GeoDisasterRecoveryCapabilitiesLocalizedResourceCapacityConstraint.yaml b/v2/recos/Practices/Reliability/revcl-GeoDisasterRecoveryCapabilitiesLocalizedResourceCapacityConstraint.yaml
new file mode 100644
index 000000000..1e39b6988
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-GeoDisasterRecoveryCapabilitiesLocalizedResourceCapacityConstraint.yaml
@@ -0,0 +1,24 @@
+name: revcl-GeoDisasterRecoveryCapabilitiesLocalizedResourceCapacityConstraint
+title: Consider a multi-region deployment. Depending on customer size, locations,
+ and users presence, operating in multiple regions can be a common choice to deliver
+ services and run applications closer to them. Using a multi-region deployment is
+ also important to provide geo disaster recovery capabilities, to eliminate the dependency
+ from a single region capacity and diminish the risk of a temporary and localized
+ resource capacity constraint
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 19ca3f89-397d-44b1-b5b6-5e18661372ac
+ area: Resource Organization
+ subarea: Regions
+ id: C03.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions#operate-in-multiple-geographic-regions
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-GlobalScaleCloudPlatformRightAzureRegionS.yaml b/v2/recos/Practices/Reliability/revcl-GlobalScaleCloudPlatformRightAzureRegionS.yaml
new file mode 100644
index 000000000..18ddb7711
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-GlobalScaleCloudPlatformRightAzureRegionS.yaml
@@ -0,0 +1,23 @@
+name: revcl-GlobalScaleCloudPlatformRightAzureRegionS
+title: Select the right Azure region/s for your deployment. Azure is a global-scale
+ cloud platform that provide global coverage through many regions and geographies.
+ Different Azure regions have different characteristics, access and availability
+ models, costs, capacity, and services offered, then it is important to consider
+ all criteria and requirements
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 250d81ce-8bbe-4f85-9051-6a18a8221e50
+ area: Resource Organization
+ subarea: Regions
+ id: C03.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-GlobalVnetPeeringMultipleAzureRegions.yaml b/v2/recos/Practices/Reliability/revcl-GlobalVnetPeeringMultipleAzureRegions.yaml
new file mode 100644
index 000000000..e0c0b9621
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-GlobalVnetPeeringMultipleAzureRegions.yaml
@@ -0,0 +1,18 @@
+name: revcl-GlobalVnetPeeringMultipleAzureRegions
+title: Local and global VNet peering provide connectivity and are the preferred approaches
+ to ensure connectivity between landing zones for SAP deployments across multiple
+ Azure regions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: a3592829-e6e2-4061-9368-6af46791f893
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-KeyVaultContentsDrRegion.yaml b/v2/recos/Practices/Reliability/revcl-KeyVaultContentsDrRegion.yaml
new file mode 100644
index 000000000..5a9441cae
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-KeyVaultContentsDrRegion.yaml
@@ -0,0 +1,15 @@
+name: revcl-KeyVaultContentsDrRegion
+title: Replicate key vault contents like certificates, secrets, or keys across regions
+ so you can decrypt data in the DR region.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 2
+labels:
+ guid: d2b30195-b11d-4a8f-a672-28b2b4169a7c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-MicrosoftEntraConnectStagingSever.yaml b/v2/recos/Practices/Reliability/revcl-MicrosoftEntraConnectStagingSever.yaml
new file mode 100644
index 000000000..55984f5f8
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-MicrosoftEntraConnectStagingSever.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftEntraConnectStagingSever
+title: When deploying Microsoft Entra Connect, leverage a staging sever for high availability
+ / Disaster recovery
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: cd163e39-84a5-4b39-97b7-6973abd70d94
+ area: Identity and Access Management
+ subarea: Microsoft Entra ID
+ id: B03.14
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server
+queries: {}
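Review bot: The `name` on the first line of this hunk carries a typo, `revcl-MicrosoftEntraConnectStagingSever`, and the `title` repeats it (`staging sever`); the later hunk `revcl-MultipleIdentiyProvidersFacebookAccounts` has the same problem in both its `name` and its title (`multiple identiy providers`). Because `name` is also the file name and presumably the recommendation's stable identifier, correcting it now is far cheaper than renaming once other artifacts reference it. The `source.file` field suggests these files are generated from the checklist JSON, so the correction likely belongs in that input rather than in the YAML, e.g. `name: revcl-MicrosoftEntraConnectStagingServer` and `title: When deploying Microsoft Entra Connect, leverage a staging server for high availability / Disaster recovery`.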
diff --git a/v2/recos/Practices/Reliability/revcl-MultiRegions.yaml b/v2/recos/Practices/Reliability/revcl-MultiRegions.yaml
new file mode 100644
index 000000000..1bef0040d
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-MultiRegions.yaml
@@ -0,0 +1,14 @@
+name: revcl-MultiRegions
+title: Have active-active for multi-regions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 79b598de-fc59-472c-b4cd-21b078036f5e
+links:
+- type: docs
+ url: https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-MultipleIdentiyProvidersFacebookAccounts.yaml b/v2/recos/Practices/Reliability/revcl-MultipleIdentiyProvidersFacebookAccounts.yaml
new file mode 100644
index 000000000..dbe169f5c
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-MultipleIdentiyProvidersFacebookAccounts.yaml
@@ -0,0 +1,15 @@
+name: revcl-MultipleIdentiyProvidersFacebookAccounts
+title: Have multiple identiy providers (i.e., login with your microsoft, google, facebook
+ accounts)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 2
+labels:
+ guid: 5398e6df-d237-4de1-93b1-6c21d79a9b64
+links:
+- type: docs
+ url: https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-NativeDatabaseReplicationTechnologyHaPair.yaml b/v2/recos/Practices/Reliability/revcl-NativeDatabaseReplicationTechnologyHaPair.yaml
new file mode 100644
index 000000000..7895bc384
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-NativeDatabaseReplicationTechnologyHaPair.yaml
@@ -0,0 +1,17 @@
+name: revcl-NativeDatabaseReplicationTechnologyHaPair
+title: Native database replication technology should be used to synchronize the database
+ in a HA pair.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 726a1d3e-5508-4a06-9d54-93f4b50040c1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-OneProximityPlacementGroupSapSid.yaml b/v2/recos/Practices/Reliability/revcl-OneProximityPlacementGroupSapSid.yaml
new file mode 100644
index 000000000..474e70f19
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-OneProximityPlacementGroupSapSid.yaml
@@ -0,0 +1,15 @@
+name: revcl-OneProximityPlacementGroupSapSid
+title: Use one proximity placement group per SAP SID. Groups don't span across Availability
+ Zones or Azure regions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 5d2fa56c-56ad-4484-88fe-72734c486ba2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-PotentialPhysicalHardwareFailuresAzurePlannedMaintenance.yaml b/v2/recos/Practices/Reliability/revcl-PotentialPhysicalHardwareFailuresAzurePlannedMaintenance.yaml
new file mode 100644
index 000000000..08a55e240
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-PotentialPhysicalHardwareFailuresAzurePlannedMaintenance.yaml
@@ -0,0 +1,21 @@
+name: revcl-PotentialPhysicalHardwareFailuresAzurePlannedMaintenance
+title: When you create availability sets, use the maximum number of fault domains
+ and update domains available. For example, if you deploy more than two VMs in one
+ availability set, use the maximum number of fault domains (three) and enough update
+ domains to limit the effect of potential physical hardware failures, network outages,
+ or power interruptions, in addition to Azure planned maintenance. The default number
+ of fault domains is two, and you can't change it online later.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 9674e7c7-7796-4181-8920-09f4429543ba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/availability-set-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-PrimaryVirtualNetworkDrSite.yaml b/v2/recos/Practices/Reliability/revcl-PrimaryVirtualNetworkDrSite.yaml
new file mode 100644
index 000000000..db68fee8a
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-PrimaryVirtualNetworkDrSite.yaml
@@ -0,0 +1,17 @@
+name: revcl-PrimaryVirtualNetworkDrSite
+title: The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap
+ with the CIDR of the DR site's VNet
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 6561f847-3db5-4ff8-9200-5ad3c3b436ad
+links:
+- type: docs
+ url: https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq
+- type: docs
+ url: https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations
+queries: {}
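Review bot: The first `links` entry in this hunk pins a locale, `https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq`, whereas every other link in these files uses the locale-neutral `https://learn.microsoft.com/azure/...` form, so readers are sent to the Japanese page regardless of their own language. Dropping the `ja-jp/` segment lets the site negotiate the locale: `url: https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq`. If these files are generated from `./checklists/waf_checklist.en.json` as `source.file` suggests, the fix belongs in that source so it is not overwritten on the next run.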
diff --git a/v2/recos/Practices/Reliability/revcl-RecoveryTimesRtoRequirements.yaml b/v2/recos/Practices/Reliability/revcl-RecoveryTimesRtoRequirements.yaml
new file mode 100644
index 000000000..81eef2382
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-RecoveryTimesRtoRequirements.yaml
@@ -0,0 +1,13 @@
+name: revcl-RecoveryTimesRtoRequirements
+title: Test the backup and recovery times to verify that they meet your RTO requirements
+ for restoring all systems simultaneously after a disaster.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: c4b8e117-930b-4dbd-ae50-7bc5faf6f91a
+links: []
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-RequiredServicesDeploymentRegions-1.yaml b/v2/recos/Practices/Reliability/revcl-RequiredServicesDeploymentRegions-1.yaml
new file mode 100644
index 000000000..42a0a2f7c
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-RequiredServicesDeploymentRegions-1.yaml
@@ -0,0 +1,20 @@
+name: revcl-RequiredServicesDeploymentRegions-1
+title: Ensure required services and features are available within the chosen deployment
+ regions
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 4c27d42e-8bba-4c75-9155-9ab9153e8908
+ area: Resource Organization
+ subarea: Regions
+ id: C03.03
+links:
+- type: docs
+ url: https://azure.microsoft.com/explore/global-infrastructure/products-by-region/
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SameAvailabilitySetCentralServicesVms.yaml b/v2/recos/Practices/Reliability/revcl-SameAvailabilitySetCentralServicesVms.yaml
new file mode 100644
index 000000000..36a57acd1
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SameAvailabilitySetCentralServicesVms.yaml
@@ -0,0 +1,17 @@
+name: revcl-SameAvailabilitySetCentralServicesVms
+title: Do not mix servers of different roles in the same availability set. Keep central
+ services VMs, database VMs, application VMs in their own availability sets
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: cbe05bbe-209d-4490-ba47-778424d11678
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/availability-set-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SameHighAvailabilityClusterRedHatEnterpriseLinux.yaml b/v2/recos/Practices/Reliability/revcl-SameHighAvailabilityClusterRedHatEnterpriseLinux.yaml
new file mode 100644
index 000000000..01471d2fb
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SameHighAvailabilityClusterRedHatEnterpriseLinux.yaml
@@ -0,0 +1,17 @@
+name: revcl-SameHighAvailabilityClusterRedHatEnterpriseLinux
+title: Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances
+ on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 7f684ebc-95da-425e-b329-e782dbed050f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SameHighAvailabilityOptionsAvailabilitySets.yaml b/v2/recos/Practices/Reliability/revcl-SameHighAvailabilityOptionsAvailabilitySets.yaml
new file mode 100644
index 000000000..b000cd2fa
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SameHighAvailabilityOptionsAvailabilitySets.yaml
@@ -0,0 +1,16 @@
+name: revcl-SameHighAvailabilityOptionsAvailabilitySets
+title: If you want to meet the infrastructure SLAs for your applications for SAP components
+ (central services, application servers, and databases), you must choose the same
+ high availability options (VMs, availability sets, availability zones) for all components.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 844f69c3-07e5-4ec1-bff7-4be27bcf5fea
+links:
+- type: docs
+ url: https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SameLinuxPacemakerClusterFiveMultipleCentralServicesClusters.yaml b/v2/recos/Practices/Reliability/revcl-SameLinuxPacemakerClusterFiveMultipleCentralServicesClusters.yaml
new file mode 100644
index 000000000..674ea62ca
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SameLinuxPacemakerClusterFiveMultipleCentralServicesClusters.yaml
@@ -0,0 +1,18 @@
+name: revcl-SameLinuxPacemakerClusterFiveMultipleCentralServicesClusters
+title: Azure doesn't currently support combining ASCS and DB HA in the same Linux
+ Pacemaker cluster; separate them into individual clusters. However, you can combine
+ up to five multiple central-services clusters into a pair of VMs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: ed46b937-913e-4018-9c62-8393ab037e53
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SameStorageConfigurationSameSize.yaml b/v2/recos/Practices/Reliability/revcl-SameStorageConfigurationSameSize.yaml
new file mode 100644
index 000000000..e1208830e
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SameStorageConfigurationSameSize.yaml
@@ -0,0 +1,16 @@
+name: revcl-SameStorageConfigurationSameSize
+title: Deploy both VMs in the high-availability pair in an availability set or in
+ availability zones. These VMs should be the same size and have the same storage
+ configuration.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: f656e745-0cfb-453e-8008-0528fa21c933
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SapApplicationLayerComponentsSpecificHighAvailabilityScenarios.yaml b/v2/recos/Practices/Reliability/revcl-SapApplicationLayerComponentsSpecificHighAvailabilityScenarios.yaml
new file mode 100644
index 000000000..322ff7c7a
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SapApplicationLayerComponentsSpecificHighAvailabilityScenarios.yaml
@@ -0,0 +1,20 @@
+name: revcl-SapApplicationLayerComponentsSpecificHighAvailabilityScenarios
+title: You can use Azure shared disks in Windows for ASCS + SCS components and specific
+ high-availability scenarios. Set up your failover clusters separately for SAP application
+ layer components and the DBMS layer. Azure doesn't currently support high-availability
+ architectures that combine SAP application layer components and the DBMS layer into
+ one failover cluster.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 1f737179-8e7f-4e1a-a30c-e5a649a3092b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SapApplicationLayerComponentsStandardLoadBalancerSku.yaml b/v2/recos/Practices/Reliability/revcl-SapApplicationLayerComponentsStandardLoadBalancerSku.yaml
new file mode 100644
index 000000000..01ddc359b
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SapApplicationLayerComponentsStandardLoadBalancerSku.yaml
@@ -0,0 +1,20 @@
+name: revcl-SapApplicationLayerComponentsStandardLoadBalancerSku
+title: Most failover clusters for SAP application layer components (ASCS) and the
+ DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer
+ should handle the virtual IP address for all other cases. One design principle is
+ to use one load balancer per cluster configuration. We recommend that you use the
+ standard version of the load balancer (Standard Load Balancer SKU).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: a78b3d31-3170-44f2-b5d7-651a29f4ccf5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SapApplicationServersAzureAvailabilityZones.yaml b/v2/recos/Practices/Reliability/revcl-SapApplicationServersAzureAvailabilityZones.yaml
new file mode 100644
index 000000000..fe70a023b
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SapApplicationServersAzureAvailabilityZones.yaml
@@ -0,0 +1,19 @@
+name: revcl-SapApplicationServersAzureAvailabilityZones
+title: When using Azure Availability Zones to achieve high availability, you must
+ consider latency between SAP application servers and database servers. For zones
+ with high latencies, operational procedures need to be in place to ensure that SAP
+ application servers and database servers are running in the same zone at all times.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: aa208dca-784f-46c6-9014-cc919c542dc9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/high-availability-zones
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SapCentralServicesClustersOperatingSystem.yaml b/v2/recos/Practices/Reliability/revcl-SapCentralServicesClustersOperatingSystem.yaml
new file mode 100644
index 000000000..a8cd05d73
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SapCentralServicesClustersOperatingSystem.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapCentralServicesClustersOperatingSystem
+title: Use one of the following services to run SAP central services clusters, depending
+ on the operating system.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SapHanaDbVirtualNetworkDisasterRecoveryVirtualNetworks.yaml b/v2/recos/Practices/Reliability/revcl-SapHanaDbVirtualNetworkDisasterRecoveryVirtualNetworks.yaml
new file mode 100644
index 000000000..792463d9e
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SapHanaDbVirtualNetworkDisasterRecoveryVirtualNetworks.yaml
@@ -0,0 +1,16 @@
+name: revcl-SapHanaDbVirtualNetworkDisasterRecoveryVirtualNetworks
+title: Peer the primary and disaster recovery virtual networks. For example, for HANA
+ System Replication, an SAP HANA DB virtual network needs to be peered to the disaster
+ recovery site's SAP HANA DB virtual network.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 05f1101d-250f-40e7-b2a1-b674ab50edbd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SapHanaSystemReplicationSapApplicationLayer.yaml b/v2/recos/Practices/Reliability/revcl-SapHanaSystemReplicationSapApplicationLayer.yaml
new file mode 100644
index 000000000..c0a53dff7
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SapHanaSystemReplicationSapApplicationLayer.yaml
@@ -0,0 +1,21 @@
+name: revcl-SapHanaSystemReplicationSapApplicationLayer
+title: You can replicate standard storage between paired regions, but you can't use
+ standard storage to store your databases or virtual hard disks. You can replicate
+ backups only between paired regions that you use. For all your other data, run your
+ replication by using native DBMS features like SQL Server Always On or SAP HANA
+ System Replication. Use a combination of Site Recovery, rsync or robocopy, and other
+ third-party software for the SAP application layer.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: b651423c-8552-42db-a545-5cb50c05527a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/cross-region-replication-azure
+- type: docs
+ url: https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-SapSHanaArchitecturesSapWebDispatcher.yaml b/v2/recos/Practices/Reliability/revcl-SapSHanaArchitecturesSapWebDispatcher.yaml
new file mode 100644
index 000000000..6af116130
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-SapSHanaArchitecturesSapWebDispatcher.yaml
@@ -0,0 +1,19 @@
+name: revcl-SapSHanaArchitecturesSapWebDispatcher
+title: Consider the availability of SAP software against single points of failure.
+ This includes single points of failure within applications such as DBMSs utilized
+ in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other
+ tools such as SAP Web Dispatcher.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 8300cb30-766b-4084-b126-0dd8fb1269a1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-TimeRecoveryProductionDatabases.yaml b/v2/recos/Practices/Reliability/revcl-TimeRecoveryProductionDatabases.yaml
new file mode 100644
index 000000000..c2478bd1e
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-TimeRecoveryProductionDatabases.yaml
@@ -0,0 +1,16 @@
+name: revcl-TimeRecoveryProductionDatabases
+title: Perform a point-in-time recovery for your production databases at any point
+ and in a time frame that meets your RTO; point-in-time recovery typically includes
+ operator errors deleting data either on the DBMS layer or through SAP, incidentally
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: d17f6f39-a377-48a2-931f-5ead3ebe33a8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-TransactionRedoLogFilesAzureNetappFiles.yaml b/v2/recos/Practices/Reliability/revcl-TransactionRedoLogFilesAzureNetappFiles.yaml
new file mode 100644
index 000000000..88c15c666
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-TransactionRedoLogFilesAzureNetappFiles.yaml
@@ -0,0 +1,18 @@
+name: revcl-TransactionRedoLogFilesAzureNetappFiles
+title: The DBMS data and transaction/redo log files are stored in Azure supported
+ block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported
+ as storage for DBMS data and/or redo log files with SAP workload.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: ac614e95-6767-4bc3-b8a4-9953533da6ba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-TwoAzureNetappFilesAccountsAzureNetappFilesStorage.yaml b/v2/recos/Practices/Reliability/revcl-TwoAzureNetappFilesAccountsAzureNetappFilesStorage.yaml
new file mode 100644
index 000000000..0cc3af9fd
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-TwoAzureNetappFilesAccountsAzureNetappFilesStorage.yaml
@@ -0,0 +1,17 @@
+name: revcl-TwoAzureNetappFilesAccountsAzureNetappFilesStorage
+title: If you use Azure NetApp Files storage for your SAP deployments, at a minimum,
+ create two Azure NetApp Files accounts in the Premium tier, in two regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 2
+labels:
+ guid: d3351bf7-628a-46de-917d-dfc11d3b6b40
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels
+- type: docs
+ url: https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-UserFlowsResilientInterfaces.yaml b/v2/recos/Practices/Reliability/revcl-UserFlowsResilientInterfaces.yaml
new file mode 100644
index 000000000..7dd6746fe
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-UserFlowsResilientInterfaces.yaml
@@ -0,0 +1,16 @@
+name: revcl-UserFlowsResilientInterfaces
+title: Make sure that your sign-in user flows are backed up and resilient. Make sure
+ that the code that you use to sign-in your users are backed up and recoverable.
+ Resilient interfaces with external processes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 1
+labels:
+ guid: 503547c1-447e-4c66-828a-71f0f1ce16dd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-VeritasInfoscaleSupportFailoverWindowsServerFailoverClustering.yaml b/v2/recos/Practices/Reliability/revcl-VeritasInfoscaleSupportFailoverWindowsServerFailoverClustering.yaml
new file mode 100644
index 000000000..8a0a9070b
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-VeritasInfoscaleSupportFailoverWindowsServerFailoverClustering.yaml
@@ -0,0 +1,19 @@
+name: revcl-VeritasInfoscaleSupportFailoverWindowsServerFailoverClustering
+title: For SAP and SAP databases, consider implementing automatic failover clusters.
+ In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux
+ Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale
+ support failover.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 56402f11-ccbe-42c3-a2f6-c6f6f38ab579
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Reliability/revcl-WriteAcceleratorFileSystem.yaml b/v2/recos/Practices/Reliability/revcl-WriteAcceleratorFileSystem.yaml
new file mode 100644
index 000000000..0e0ff2f10
--- /dev/null
+++ b/v2/recos/Practices/Reliability/revcl-WriteAcceleratorFileSystem.yaml
@@ -0,0 +1,20 @@
+name: revcl-WriteAcceleratorFileSystem
+title: You should run SAP HANA on Azure only on the types of storage that are certified
+ by SAP. Note that certain volumes must be run on certain disk configurations, where
+ applicable. These configurations include enabling Write Accelerator and using Premium
+ storage. You also need to ensure that the file system that runs on storage is compatible
+ with the DBMS that runs on the machine.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Reliability
+severity: 0
+labels:
+ guid: 73cdaecc-7d74-48d8-a040-88416eebc98c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AppDeliveryLandingZones.yaml b/v2/recos/Practices/Security/revcl-AppDeliveryLandingZones.yaml
new file mode 100644
index 000000000..cb91ee3f1
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AppDeliveryLandingZones.yaml
@@ -0,0 +1,20 @@
+name: revcl-AppDeliveryLandingZones
+title: Perform app delivery within landing zones for both internal-facing (corp) and
+ external-facing apps (online).
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 6138a720-0f1c-4e16-bd30-1d6e872e52e3
+ area: Network Topology and Connectivity
+ subarea: App delivery
+ id: D01.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ApplicationLandingZoneIdentityNetworkSegmentation.yaml b/v2/recos/Practices/Security/revcl-ApplicationLandingZoneIdentityNetworkSegmentation.yaml
new file mode 100644
index 000000000..839c88fcf
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ApplicationLandingZoneIdentityNetworkSegmentation.yaml
@@ -0,0 +1,21 @@
+name: revcl-ApplicationLandingZoneIdentityNetworkSegmentation
+title: Configure Identity network segmentation through the use of a virtual Network
+ and peer back to the hub. Providing authentication inside application landing zone
+ (legacy).
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 9cf5418b-1520-4b7b-add7-88eb28f833e8
+ area: Identity and Access Management
+ subarea: Landing zones
+ id: B04.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureActivityLogsAzureMonitorLogs.yaml b/v2/recos/Practices/Security/revcl-AzureActivityLogsAzureMonitorLogs.yaml
new file mode 100644
index 000000000..268ec9b0d
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureActivityLogsAzureMonitorLogs.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureActivityLogsAzureMonitorLogs
+title: Export Azure activity logs to Azure Monitor Logs for long-term data retention.
+ Export to Azure Storage for long-term storage beyond two years, if necessary.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 4e3ab369-3829-4e7e-9161-83687a0477a2
+ area: Security
+ subarea: Operations
+ id: G03.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureAdAutomatedUserProvisioningOtherSaasApplications.yaml b/v2/recos/Practices/Security/revcl-AzureAdAutomatedUserProvisioningOtherSaasApplications.yaml
new file mode 100644
index 000000000..08fb4489e
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureAdAutomatedUserProvisioningOtherSaasApplications.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureAdAutomatedUserProvisioningOtherSaasApplications
+title: If you're using SAP SuccessFactors, consider using the Azure AD automated user
+ provisioning. With this integration, as you add new employees to SAP SuccessFactors,
+ you can automatically create their user accounts in Azure AD. Optionally, you can
+ create user accounts in Microsoft 365 or other SaaS applications that are supported
+ by Azure AD. Use write-back of the email address to SAP SuccessFactors.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 01f11b7f-38df-4251-9c76-4dec19abd3e8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureAdIdentityProvider.yaml b/v2/recos/Practices/Security/revcl-AzureAdIdentityProvider.yaml
new file mode 100644
index 000000000..ff70737c9
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureAdIdentityProvider.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureAdIdentityProvider
+title: Consider Azure AD an identity provider for SAP systems hosted on RISE. For
+ more information, see Integrating the Service with Azure AD.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: c7bae5bf-daf9-4761-9c56-f92891890aa4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureCustomRbacRolesAzurePlatformOwner.yaml b/v2/recos/Practices/Security/revcl-AzureCustomRbacRolesAzurePlatformOwner.yaml
new file mode 100644
index 000000000..b71eae4b5
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureCustomRbacRolesAzurePlatformOwner.yaml
@@ -0,0 +1,22 @@
+name: revcl-AzureCustomRbacRolesAzurePlatformOwner
+title: 'Use Azure custom RBAC roles for the following key roles to provide fine-grain
+ access across your ALZ: Azure platform owner, network management, security operations,
+ subscription owner, application owner. Align these roles to teams and responsibilities
+ within your business.'
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: f5664b5e-984a-4859-a773-e7d261623a76
+ area: Identity and Access Management
+ subarea: Identity
+ id: B03.10
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureDataLakeStorageGenAzureBlobStorage.yaml b/v2/recos/Practices/Security/revcl-AzureDataLakeStorageGenAzureBlobStorage.yaml
new file mode 100644
index 000000000..6e8820345
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureDataLakeStorageGenAzureBlobStorage.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureDataLakeStorageGenAzureBlobStorage
+title: To prevent data leakage, use Azure Private Link to securely access platform
+ as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage
+ Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure
+ traffic between VNets and services like Azure Storage, Azure Backup, and more. Traffic
+ between your VNet and the Private Endpoint enabled service travels across the Microsoft
+ global network, which prevents its exposure to the public internet.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 3c536a3e-1b6b-4e87-95ca-15edb47251c0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services
+- type: docs
+ url: https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureEventGridBasedSolutionLogOrientedRealTimeAlerts.yaml b/v2/recos/Practices/Security/revcl-AzureEventGridBasedSolutionLogOrientedRealTimeAlerts.yaml
new file mode 100644
index 000000000..c9c3f9561
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureEventGridBasedSolutionLogOrientedRealTimeAlerts.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureEventGridBasedSolutionLogOrientedRealTimeAlerts
+title: Use an Azure Event Grid-based solution for log-oriented, real-time alerts
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 2
+labels:
+ guid: 874a748b-662d-46d1-9051-2a66498f6dfe
+ area: Security
+ subarea: Operations
+ id: G03.11
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureKeyVaultApplication-1.yaml b/v2/recos/Practices/Security/revcl-AzureKeyVaultApplication-1.yaml
new file mode 100644
index 000000000..c7ac15b40
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureKeyVaultApplication-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureKeyVaultApplication-1
+title: Use an Azure Key Vault per application per environment per region.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 4935ada4-2223-4ece-a1b1-23181a541741
+links:
+- type: docs
+ url: https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices
+- type: docs
+ url: https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations
+queries: {}
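Review bot: The first `links` url is pinned to the `ja-jp` locale (`https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices`), whereas every other link in these files uses the locale-neutral path, so readers of this entry land on the Japanese page regardless of their language settings. Change it to `url: https://learn.microsoft.com/azure/key-vault/general/best-practices`. If this file is generated from the checklist named in `source.file`, the correction belongs there so it is not overwritten on the next regeneration.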
diff --git a/v2/recos/Practices/Security/revcl-AzureKeyVaultDiskEncryptionKeys.yaml b/v2/recos/Practices/Security/revcl-AzureKeyVaultDiskEncryptionKeys.yaml
new file mode 100644
index 000000000..111644d25
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureKeyVaultDiskEncryptionKeys.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureKeyVaultDiskEncryptionKeys
+title: To control and manage disk encryption keys and secrets for non-HANA Windows
+ and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported
+ with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: abc9634d-c44d-41e9-a530-e8444e16aa3c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureKeyVaultSecrets-1.yaml b/v2/recos/Practices/Security/revcl-AzureKeyVaultSecrets-1.yaml
new file mode 100644
index 000000000..ff84caf4e
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureKeyVaultSecrets-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureKeyVaultSecrets-1
+title: Use Azure Key Vault to store your secrets and credentials
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureKeyVaultSoftDelete-1.yaml b/v2/recos/Practices/Security/revcl-AzureKeyVaultSoftDelete-1.yaml
new file mode 100644
index 000000000..3e2b23119
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureKeyVaultSoftDelete-1.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureKeyVaultSoftDelete-1
+title: Provision Azure Key Vault with the soft delete and purge policies enabled to
+ allow retention protection for deleted objects.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 2223ece8-1b12-4318-8a54-17415833fb4a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzurePaasServicesPrivateLink.yaml b/v2/recos/Practices/Security/revcl-AzurePaasServicesPrivateLink.yaml
new file mode 100644
index 000000000..324102e21
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzurePaasServicesPrivateLink.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzurePaasServicesPrivateLink
+title: Use Private Link, where available, for shared Azure PaaS services.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: e43a58a9-c229-49c4-b7b5-7d0c655562f2
+ area: Network Topology and Connectivity
+ subarea: PaaS
+ id: D08.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking-features
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzurePrivateLinkAzureResources.yaml b/v2/recos/Practices/Security/revcl-AzurePrivateLinkAzureResources.yaml
new file mode 100644
index 000000000..d28663259
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzurePrivateLinkAzureResources.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzurePrivateLinkAzureResources
+title: Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private
+ Link, and securely manage and control the SAP on Azure resources
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 56ad4840-8fe7-4273-9c48-6ba280dc0591
+links:
+- type: docs
+ url: https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureRbacRoleAzurePolicies.yaml b/v2/recos/Practices/Security/revcl-AzureRbacRoleAzurePolicies.yaml
new file mode 100644
index 000000000..cc1f3be6c
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureRbacRoleAzurePolicies.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureRbacRoleAzurePolicies
+title: Based on existing requirements, regulatory and compliance controls (internal/external)
+ - Determine what Azure Policies and Azure RBAC role are needed
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: e3c2df74-3165-4c3a-abe0-5bbe209d490d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy
+- type: docs
+ url: https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureStorageEncryptionAzureResourceManager.yaml b/v2/recos/Practices/Security/revcl-AzureStorageEncryptionAzureResourceManager.yaml
new file mode 100644
index 000000000..1e4c5b823
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureStorageEncryptionAzureResourceManager.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureStorageEncryptionAzureResourceManager
+title: Azure Storage encryption is enabled for all Azure Resource Manager and classic
+ storage accounts, and can't be disabled. Because your data is encrypted by default,
+ you don't need to modify your code or applications to use Azure Storage encryption.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: a1abfe9d-55d0-44c3-a491-9cb1b3d1325a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-service-encryption
+- type: docs
+ url: https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-AzureVirtualWanHubPrivateDomainNameSystem.yaml b/v2/recos/Practices/Security/revcl-AzureVirtualWanHubPrivateDomainNameSystem.yaml
new file mode 100644
index 000000000..c00819ab5
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-AzureVirtualWanHubPrivateDomainNameSystem.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureVirtualWanHubPrivateDomainNameSystem
+title: Enforce a dedicated connectivity subscription in the Connectivity management
+ group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute
+ circuit, and other networking resources.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 8bbac757-1559-4ab9-853e-8908ae28c84c
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.04
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ConfidentialOnlineManagementGroupSovereignLandingZone.yaml b/v2/recos/Practices/Security/revcl-ConfidentialOnlineManagementGroupSovereignLandingZone.yaml
new file mode 100644
index 000000000..644af8bf5
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ConfidentialOnlineManagementGroupSovereignLandingZone.yaml
@@ -0,0 +1,18 @@
+name: revcl-ConfidentialOnlineManagementGroupSovereignLandingZone
+title: For Sovereign Landing Zone, have a 'confidential corp' and 'confidential online'
+ management group directly under the 'landing zones' MG.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 6cc0ea22-42bb-441e-a345-804ab0a09666
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.15
+links:
+- type: docs
+ url: https://github.com/Azure/sovereign-landing-zone/blob/main/docs/02-Architecture.md
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-CostManagementProcess.yaml b/v2/recos/Practices/Security/revcl-CostManagementProcess.yaml
new file mode 100644
index 000000000..b8d5277e2
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-CostManagementProcess.yaml
@@ -0,0 +1,19 @@
+name: revcl-CostManagementProcess
+title: Enforce a process for cost management
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: ae28c84c-33b6-4b78-88b9-fe5c41049d40
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.12
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/cost-management-billing-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/control-spending-manage-bills/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-CostManagementTags.yaml b/v2/recos/Practices/Security/revcl-CostManagementTags.yaml
new file mode 100644
index 000000000..9cf7e897e
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-CostManagementTags.yaml
@@ -0,0 +1,21 @@
+name: revcl-CostManagementTags
+title: Ensure tags are used for billing and cost management
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 5de32c19-9248-4160-9d5d-1e4e614658d3
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.14
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries:
+ arg: resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId,
+ resourceGroup, tags, compliant
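Review bot: This recommendation is about billing and cost management, yet it is filed under `waf: Security` and the `Practices/Security` path, as is `revcl-CostManagementProcess` in the preceding file; the Well-Architected pillar these belong to is Cost Optimization, and consumers filtering by pillar will miss them here. If the pillar is derived from the checklist section rather than the item, that mapping is worth checking before these files land. Separately, `compliant = isnotnull(['tags'])` treats a resource with an empty tag set as compliant only if ARG reports it as null — worth confirming that is the intended semantics of "tags are used".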
diff --git a/v2/recos/Practices/Security/revcl-CustomizedAzurePoliciesAzureResources.yaml b/v2/recos/Practices/Security/revcl-CustomizedAzurePoliciesAzureResources.yaml
new file mode 100644
index 000000000..94f783a9d
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-CustomizedAzurePoliciesAzureResources.yaml
@@ -0,0 +1,18 @@
+name: revcl-CustomizedAzurePoliciesAzureResources
+title: It is recommended to LOCK the Azure Resources post successful deployment to
+ safeguard against unauthorized changes. You can also enforce LOCK constraints and
+ rules on your per-subscription basis using customized Azure policies(Custome role).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 829e2edb-2173-4676-aff6-691b4935ada4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json
+- type: docs
+ url: https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations
+queries: {}
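Review bot: The title contains a typo and a missing space in `policies(Custome role)`, which will be rendered verbatim wherever the recommendation is displayed; it should read `policies (custom role)`. Since `source.file` points at the checklist JSON this entry appears to be derived from, fix the wording there rather than in the generated YAML.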
diff --git a/v2/recos/Practices/Security/revcl-DaViewChargesAoViewCharges.yaml b/v2/recos/Practices/Security/revcl-DaViewChargesAoViewCharges.yaml
new file mode 100644
index 000000000..5c5388927
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DaViewChargesAoViewCharges.yaml
@@ -0,0 +1,18 @@
+name: revcl-DaViewChargesAoViewCharges
+title: Enable both DA View Charges and AO View Charges on your EA Enrollments to allow
+ users with the correct perms review Cost and Billing Data.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: ca0fe401-12ad-46fc-8a7e-86293866a9f6
+ area: Azure Billing and Microsoft Entra ID Tenants
+ subarea: Enterprise Agreement
+ id: A03.04
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-DataPlaneAccessDataOperations.yaml b/v2/recos/Practices/Security/revcl-DataPlaneAccessDataOperations.yaml
new file mode 100644
index 000000000..2624754c3
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DataPlaneAccessDataOperations.yaml
@@ -0,0 +1,20 @@
+name: revcl-DataPlaneAccessDataOperations
+title: Use Azure RBAC to manage data plane access to resources, if possible. E.g.
+ Data Operations across Key Vault, Storage Account and Database Services.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: d4d1ad54-1abc-4919-b267-3f342d3b49e4
+ area: Identity and Access Management
+ subarea: Landing zones
+ id: B04.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations
+- type: docs
+ url: https://learn.microsoft.com/azure/role-based-access-control/overview
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-DedicatedIdentitySubscriptionIdentityManagementGroup.yaml b/v2/recos/Practices/Security/revcl-DedicatedIdentitySubscriptionIdentityManagementGroup.yaml
new file mode 100644
index 000000000..ccf2040e4
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DedicatedIdentitySubscriptionIdentityManagementGroup.yaml
@@ -0,0 +1,22 @@
+name: revcl-DedicatedIdentitySubscriptionIdentityManagementGroup
+title: If servers will be used for Identity services, like domain controllers, establish
+ a dedicated identity subscription in the identity management group, to host these
+ services. Make sure that resources are set to use the domain controllers available
+ in their region.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 3a923c34-74d0-4001-aac6-a9e01e6a83de
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.13
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/management-groups/overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-DefenderCloudSecurityPostureManagementSubscriptions.yaml b/v2/recos/Practices/Security/revcl-DefenderCloudSecurityPostureManagementSubscriptions.yaml
new file mode 100644
index 000000000..c4b833768
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DefenderCloudSecurityPostureManagementSubscriptions.yaml
@@ -0,0 +1,14 @@
+name: revcl-DefenderCloudSecurityPostureManagementSubscriptions
+title: Enable Defender Cloud Security Posture Management for all subscriptions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 09945bda-4333-44f2-9911-634182ba5275
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-DefenderCloudWorkloadProtectionPlanServers.yaml b/v2/recos/Practices/Security/revcl-DefenderCloudWorkloadProtectionPlanServers.yaml
new file mode 100644
index 000000000..03201698e
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DefenderCloudWorkloadProtectionPlanServers.yaml
@@ -0,0 +1,14 @@
+name: revcl-DefenderCloudWorkloadProtectionPlanServers
+title: Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 36a72a48-fffe-4c40-9747-0ab5064355ba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-DefenderCloudWorkloadProtectionPlansAzureResources.yaml b/v2/recos/Practices/Security/revcl-DefenderCloudWorkloadProtectionPlansAzureResources.yaml
new file mode 100644
index 000000000..1e21c778f
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DefenderCloudWorkloadProtectionPlansAzureResources.yaml
@@ -0,0 +1,15 @@
+name: revcl-DefenderCloudWorkloadProtectionPlansAzureResources
+title: Enable Defender Cloud Workload Protection Plans for Azure Resources on all
+ subscriptions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 77425f48-ecba-43a0-aeac-a3ac733ccc6a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-DelegateSubnetCreationLandingZoneOwner.yaml b/v2/recos/Practices/Security/revcl-DelegateSubnetCreationLandingZoneOwner.yaml
new file mode 100644
index 000000000..e71daca41
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DelegateSubnetCreationLandingZoneOwner.yaml
@@ -0,0 +1,19 @@
+name: revcl-DelegateSubnetCreationLandingZoneOwner
+title: Delegate subnet creation to the landing zone owner.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: c2447ec6-6138-4a72-80f1-ce16ed301d6e
+ area: Network Topology and Connectivity
+ subarea: Segmentation
+ id: D09.03
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-DelegatedResponsibilitiesLandingZone.yaml b/v2/recos/Practices/Security/revcl-DelegatedResponsibilitiesLandingZone.yaml
new file mode 100644
index 000000000..6dee7a8d7
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-DelegatedResponsibilitiesLandingZone.yaml
@@ -0,0 +1,20 @@
+name: revcl-DelegatedResponsibilitiesLandingZone
+title: Enforce centralized and delegated responsibilities to manage resources deployed
+ inside the landing zone, based on role and security requirements
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: e6a83de5-de32-4c19-a248-1607d5d1e4e6
+ area: Identity and Access Management
+ subarea: Identity
+ id: B03.06
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ExistingAzureEnvironmentNetworkSecurityGroups.yaml b/v2/recos/Practices/Security/revcl-ExistingAzureEnvironmentNetworkSecurityGroups.yaml
new file mode 100644
index 000000000..b73e4313e
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ExistingAzureEnvironmentNetworkSecurityGroups.yaml
@@ -0,0 +1,17 @@
+name: revcl-ExistingAzureEnvironmentNetworkSecurityGroups
+title: For SAP RISE/ECS deployments, virtual peering is the preferred way to establish
+ connectivity with customer's existing Azure environment. Both the SAP vnet and customer
+ vnet(s) are protected with network security groups (NSG), enabling communication
+ on SAP and database ports through the vnet peering
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 87585797-5551-4d53-bb7d-a94ee415734d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/rise-integration
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-FlatManagementGroupHierarchyFourLevels.yaml b/v2/recos/Practices/Security/revcl-FlatManagementGroupHierarchyFourLevels.yaml
new file mode 100644
index 000000000..bb89209c0
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-FlatManagementGroupHierarchyFourLevels.yaml
@@ -0,0 +1,23 @@
+name: revcl-FlatManagementGroupHierarchyFourLevels
+title: Enforce reasonably flat management group hierarchy with no more than four levels.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 2df27ee4-12e7-4f98-9f63-04722dd69c5b
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/
+queries:
+ arg: resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend
+ ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain|
+ extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) >
+ 1)
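Review bot: The `arg` query ends at `extend compliant = (...)` with no `project`, unlike the query in `revcl-CostManagementTags`, which projects `name, id, subscriptionId, resourceGroup, tags, compliant`; if the consuming tooling expects a fixed column set, this query returns a different shape. The `ManagementGroup = tostring(tags)` column also looks unintended — it stringifies the tags rather than identifying the management group — and is never referenced afterwards. Consider dropping that extend and appending `| project name, id, subscriptionId, mgmtChain, compliant` so the two queries agree.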
diff --git a/v2/recos/Practices/Security/revcl-HttpSInboundConnectionsEastWestTrafficFiltering-1.yaml b/v2/recos/Practices/Security/revcl-HttpSInboundConnectionsEastWestTrafficFiltering-1.yaml
new file mode 100644
index 000000000..dc13be026
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-HttpSInboundConnectionsEastWestTrafficFiltering-1.yaml
@@ -0,0 +1,18 @@
+name: revcl-HttpSInboundConnectionsEastWestTrafficFiltering-1
+title: Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S
+ inbound connections, and East/West traffic filtering (if the organization requires
+ it)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: d8a03e97-7784-424d-9167-85d6fa96c96a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json
+- type: docs
+ url: https://learn.microsoft.com/training/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-HubVirtualNetworkVirtualNetworkPeering.yaml b/v2/recos/Practices/Security/revcl-HubVirtualNetworkVirtualNetworkPeering.yaml
new file mode 100644
index 000000000..533a6e5d3
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-HubVirtualNetworkVirtualNetworkPeering.yaml
@@ -0,0 +1,19 @@
+name: revcl-HubVirtualNetworkVirtualNetworkPeering
+title: Isolate the SAP application and database servers from the internet or from
+ the on-premises network by passing all traffic through the hub virtual network,
+ which is connected to the spoke network by virtual network peering. The peered virtual
+ networks guarantee that the SAP on Azure solution is isolated from the public internet.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 87a924c4-25c2-419f-a2f0-96c7c4fe4525
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-InboundHttpSConnectionsAzureFrontDoor-1.yaml b/v2/recos/Practices/Security/revcl-InboundHttpSConnectionsAzureFrontDoor-1.yaml
new file mode 100644
index 000000000..27691e95f
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-InboundHttpSConnectionsAzureFrontDoor-1.yaml
@@ -0,0 +1,17 @@
+name: revcl-InboundHttpSConnectionsAzureFrontDoor-1
+title: Use Azure Front Door and WAF policies to provide global protection across Azure
+ regions for inbound HTTP/S connections to a landing zone.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 5e39e530-9ccc-4d97-a366-bcda2750ab1a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/training/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-IncidentResponsePlanAzureServices.yaml b/v2/recos/Practices/Security/revcl-IncidentResponsePlanAzureServices.yaml
new file mode 100644
index 000000000..222d662b5
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-IncidentResponsePlanAzureServices.yaml
@@ -0,0 +1,18 @@
+name: revcl-IncidentResponsePlanAzureServices
+title: Determine the incident response plan for Azure services before allowing it
+ into production.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: b86ad884-08e3-4727-94b8-75ba18f20459
+ area: Security
+ subarea: Access control
+ id: G01.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-InternalLoadBalancerConfigurationsAzureLoadBalancer.yaml b/v2/recos/Practices/Security/revcl-InternalLoadBalancerConfigurationsAzureLoadBalancer.yaml
new file mode 100644
index 000000000..538d53595
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-InternalLoadBalancerConfigurationsAzureLoadBalancer.yaml
@@ -0,0 +1,19 @@
+name: revcl-InternalLoadBalancerConfigurationsAzureLoadBalancer
+title: Make sure that internal deployments for Azure Load Balancer are set up to use
+ Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency
+ when internal load balancer configurations are used for high-availability configurations
+ on the DBMS layer.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 3ff8ae7d-7d47-4431-96c8-bcbf45bbe609
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview
+- type: docs
+ url: https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations
+queries: {}
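Review bot: `waf: Security` does not fit this item — enabling Floating IP/DSR to cut latency on the DBMS layer is a performance and availability concern, and the pillar also decides the `Practices/Security/` folder the file lands in. The same mismatch is visible in revcl-ItCoreTeamProvisionResources.yaml (subscription quotas), revcl-MicrosoftBestPracticeNamingStandardsAzureNamingTool.yaml (naming) and revcl-ReservedInstanceVmSkusReservedInstances.yaml, whose own title says "optimize cost"; if the pillar is copied from the source checklist, as the `source` block suggests, the fix belongs there or in the mapping that produced these files. Separately, the training link in this file is pinned to the `ja-jp` locale, and the one in revcl-MicrosoftAntiMalwareSoftwareVirtualMachines.yaml to `en-us`, while every other link in this set is locale-neutral. Dropping the locale segment lets learn.microsoft.com serve the reader's language: `url: https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations`.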
diff --git a/v2/recos/Practices/Security/revcl-ItCoreTeamProvisionResources.yaml b/v2/recos/Practices/Security/revcl-ItCoreTeamProvisionResources.yaml
new file mode 100644
index 000000000..174d44e25
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ItCoreTeamProvisionResources.yaml
@@ -0,0 +1,18 @@
+name: revcl-ItCoreTeamProvisionResources
+title: Ensure that all subscription owners and IT core team are aware of subscription
+ quotas and the impact they have on provision resources for a given subscription.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 2dd69c5b-5c26-422f-94b6-9bad33aad5e8
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.09
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ManagementGroupHierarchySettingsManagementGroups.yaml b/v2/recos/Practices/Security/revcl-ManagementGroupHierarchySettingsManagementGroups.yaml
new file mode 100644
index 000000000..2bbe5f05f
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ManagementGroupHierarchySettingsManagementGroups.yaml
@@ -0,0 +1,18 @@
+name: revcl-ManagementGroupHierarchySettingsManagementGroups
+title: Enforce that only privileged users can operate management groups in the tenant
+ by enabling Azure RBAC authorization in the management group hierarchy settings
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 74d00018-ac6a-49e0-8e6a-83de5de32c19
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.06
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-MicrosoftAntiMalwareSoftwareVirtualMachines.yaml b/v2/recos/Practices/Security/revcl-MicrosoftAntiMalwareSoftwareVirtualMachines.yaml
new file mode 100644
index 000000000..fa54b1c23
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-MicrosoftAntiMalwareSoftwareVirtualMachines.yaml
@@ -0,0 +1,17 @@
+name: revcl-MicrosoftAntiMalwareSoftwareVirtualMachines
+title: Consider using Microsoft anti-malware software on Azure to protect your virtual
+ machines from malicious files, adware, and other threats.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 2
+labels:
+ guid: e124ba34-df68-45ed-bce9-bd3bb0cdb3b5
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations
+- type: docs
+ url: https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-MicrosoftBestPracticeNamingStandardsAzureNamingTool.yaml b/v2/recos/Practices/Security/revcl-MicrosoftBestPracticeNamingStandardsAzureNamingTool.yaml
new file mode 100644
index 000000000..a4b418da0
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-MicrosoftBestPracticeNamingStandardsAzureNamingTool.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftBestPracticeNamingStandardsAzureNamingTool
+title: It is recommended to follow Microsoft Best Practice Naming Standards
+description: Consider using the Azure naming tool available at https://aka.ms/azurenamingtool
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: cacf55bc-e4e4-46be-96bc-57a5f23a269a
+ area: Resource Organization
+ subarea: Naming and tagging
+ id: C01.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-MicrosoftDefenderSapEnvironment.yaml b/v2/recos/Practices/Security/revcl-MicrosoftDefenderSapEnvironment.yaml
new file mode 100644
index 000000000..de0f43c01
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-MicrosoftDefenderSapEnvironment.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftDefenderSapEnvironment
+title: When enabling Microsoft Defender for Endpoint on SAP environment, recommend
+ excluding data and log files on DBMS servers instead of targeting all servers. Follow
+ your DBMS vendor's recommendations when excluding target files.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: a4777842-4d11-4678-9d2f-a56c56ad4840
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance
+- type: docs
+ url: https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-MicrosoftEntraIdPimAccessReviewsResourceEntitlements.yaml b/v2/recos/Practices/Security/revcl-MicrosoftEntraIdPimAccessReviewsResourceEntitlements.yaml
new file mode 100644
index 000000000..f9be6e4b6
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-MicrosoftEntraIdPimAccessReviewsResourceEntitlements.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftEntraIdPimAccessReviewsResourceEntitlements
+title: Use Microsoft Entra ID PIM access reviews to periodically validate resource
+ entitlements
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: d505ebcb-79b1-4274-9c0d-a27c8bea489c
+ area: Identity and Access Management
+ subarea: Landing zones
+ id: B04.03
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-MicrosoftSentinelSolutionThreatProtection.yaml b/v2/recos/Practices/Security/revcl-MicrosoftSentinelSolutionThreatProtection.yaml
new file mode 100644
index 000000000..f0b33d12e
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-MicrosoftSentinelSolutionThreatProtection.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftSentinelSolutionThreatProtection
+title: Implement threat protection by using the Microsoft Sentinel solution for SAP.
+ Use this solution to monitor your SAP systems and detect sophisticated threats throughout
+ the business logic and application layers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 86ba2802-1459-4114-95e3-9e5309cccd97
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sentinel/sap/deployment-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-NetworkSecurityAccessControlListsApplicationSecurityGroup.yaml b/v2/recos/Practices/Security/revcl-NetworkSecurityAccessControlListsApplicationSecurityGroup.yaml
new file mode 100644
index 000000000..61d9e14f8
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-NetworkSecurityAccessControlListsApplicationSecurityGroup.yaml
@@ -0,0 +1,18 @@
+name: revcl-NetworkSecurityAccessControlListsApplicationSecurityGroup
+title: You can use application security group (ASG) and NSG rules to define network
+ security access-control lists between the SAP application and DBMS layers. ASGs
+ group virtual machines to help manage their security.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 6791f893-5ada-4433-84e1-3811523181aa
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works
+- type: docs
+ url: https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations
+queries: {}
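Review bot: The title is a description of what ASGs can do ("You can use ... ASGs group virtual machines ...") rather than a check that can be marked compliant or not, while most of this set uses an imperative ("Enforce ...", "Use ...", "Implement ..."). Rewording to `title: Use application security groups and NSG rules to define network access-control lists between the SAP application and DBMS layers` keeps the guidance, and the sentence explaining that ASGs group VMs can move to a `description:` field, which revcl-MicrosoftBestPracticeNamingStandardsAzureNamingTool.yaml shows the schema already supports. The same descriptive phrasing appears in revcl-SapHanaNativeEncryptionTechnologySapHanaDatabaseServers.yaml ("Encrypting SAP HANA database servers on Azure uses ..."). Since the text presumably originates in the checklist JSON named under `source`, change it there so the generated file is not overwritten with the old wording.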
diff --git a/v2/recos/Practices/Security/revcl-NewAzureServices.yaml b/v2/recos/Practices/Security/revcl-NewAzureServices.yaml
new file mode 100644
index 000000000..2cdf10293
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-NewAzureServices.yaml
@@ -0,0 +1,17 @@
+name: revcl-NewAzureServices
+title: Plan how new azure services will be implemented
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 9a19bf39-c95d-444c-9c89-19ca1f6d5215
+ area: Security
+ subarea: Service enablement framework
+ id: G06.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-OtherCloudEnvironmentsUpdateManagementCenter.yaml b/v2/recos/Practices/Security/revcl-OtherCloudEnvironmentsUpdateManagementCenter.yaml
new file mode 100644
index 000000000..a4e99245a
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-OtherCloudEnvironmentsUpdateManagementCenter.yaml
@@ -0,0 +1,18 @@
+name: revcl-OtherCloudEnvironmentsUpdateManagementCenter
+title: If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments,
+ you can use the Update management center in Azure Automation to manage operating
+ system updates, including security patches.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 18dffcf3-248c-4039-a67c-dec8e3a5f804
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations
+- type: docs
+ url: https://learn.microsoft.com/azure/automation/update-management/overview
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-PlatformManagementGroupRootManagementGroup.yaml b/v2/recos/Practices/Security/revcl-PlatformManagementGroupRootManagementGroup.yaml
new file mode 100644
index 000000000..da27deab1
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-PlatformManagementGroupRootManagementGroup.yaml
@@ -0,0 +1,20 @@
+name: revcl-PlatformManagementGroupRootManagementGroup
+title: Enforce a platform management group under the root management group to support
+ common platform policy and Azure role assignment
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 61623a76-5a91-47e1-b348-ef254c27d42e
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.03
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-PowerfulProtectionMicrosoftDefender.yaml b/v2/recos/Practices/Security/revcl-PowerfulProtectionMicrosoftDefender.yaml
new file mode 100644
index 000000000..5a080325d
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-PowerfulProtectionMicrosoftDefender.yaml
@@ -0,0 +1,16 @@
+name: revcl-PowerfulProtectionMicrosoftDefender
+title: For even more powerful protection, consider using Microsoft Defender for Endpoint.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 2
+labels:
+ guid: 5eb2ec14-eeaa-4359-8829-e2edb2173676
+links:
+- type: docs
+ url: https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations
+queries: {}
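Review bot: The title "For even more powerful protection, consider using Microsoft Defender for Endpoint." only makes sense as a continuation of the anti-malware item in revcl-MicrosoftAntiMalwareSoftwareVirtualMachines.yaml; read on its own, as a YAML file or a single finding in a report, "even more" has no referent. A self-contained wording such as `title: Consider Microsoft Defender for Endpoint on virtual machines for protection beyond basic anti-malware` preserves the meaning and the links. If the text comes from the source checklist, as the `source` block suggests, it should be changed there so it is not regenerated.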
diff --git a/v2/recos/Practices/Security/revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys-1.yaml b/v2/recos/Practices/Security/revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys-1.yaml
new file mode 100644
index 000000000..36dfd4cca
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys-1.yaml
@@ -0,0 +1,18 @@
+name: revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys-1
+title: Default to Microsoft-managed keys for principal encryption functionality and
+ use customer-managed keys when required.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 16183687-a047-47a2-8994-5bda43334f24
+ area: Security
+ subarea: Encryption and keys
+ id: G02.10
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest
+queries: {}
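Review bot: This file and revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys.yaml carry the same title under different GUIDs, and the `-1` suffix on the name shows that the title-derived file name collided, not that a distinct recommendation exists; the same pair appears as revcl-SapNetweaverBasedWebApplicationsSapWebGui-1.yaml and revcl-SapNetweaverBasedWebApplicationsSapWebGui.yaml, both sourced from the same waf checklist. Here the two entries come from different checklists (alz vs waf) with different links, so a consumer that merges both lists will report the recommendation twice. If these files are generated from the checklist JSON, the dedup belongs in the generator: key on the normalized title, emit one file, and merge the `links` of both entries. Failing that, a label marking the relation (for example a constructed `labels` key naming the other entry's GUID) would let downstream tooling collapse the pair.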
diff --git a/v2/recos/Practices/Security/revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys.yaml b/v2/recos/Practices/Security/revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys.yaml
new file mode 100644
index 000000000..2904091d0
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys.yaml
@@ -0,0 +1,17 @@
+name: revcl-PrincipalEncryptionFunctionalityMicrosoftManagedKeys
+title: Default to Microsoft-managed keys for principal encryption functionality and
+ use customer-managed keys when required.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: eeaa3592-829e-42ed-a217-3676aff6691b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal
+- type: docs
+ url: https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-PrincipalPropagationApplications.yaml b/v2/recos/Practices/Security/revcl-PrincipalPropagationApplications.yaml
new file mode 100644
index 000000000..68f8d57c1
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-PrincipalPropagationApplications.yaml
@@ -0,0 +1,15 @@
+name: revcl-PrincipalPropagationApplications
+title: For applications that access SAP, you might want to use principal propagation
+ to establish SSO.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: e4e48226-ce54-44b6-bb6b-bfa15bd8f753
+links:
+- type: docs
+ url: https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-PublicIpAssignmentSapWorkload.yaml b/v2/recos/Practices/Security/revcl-PublicIpAssignmentSapWorkload.yaml
new file mode 100644
index 000000000..ae83a7797
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-PublicIpAssignmentSapWorkload.yaml
@@ -0,0 +1,16 @@
+name: revcl-PublicIpAssignmentSapWorkload
+title: Public IP assignment to VM running SAP Workload is not recommended.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 82734c88-6ba2-4802-8459-11475e39e530
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing
+- type: docs
+ url: https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations
+queries: {}
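Review bot: This severity-0 control ships with `queries: {}`, so unlike the management-group items sourced from the ALZ checklist (e.g. revcl-RootManagementGroupSubscriptions.yaml) it cannot be evaluated against a subscription and remains a manual checklist line. A public IP attached to an SAP VM is straightforward to detect with Resource Graph — network interfaces whose IP configurations reference a public IP address — so a query in the same `arg:` shape as the other files would turn this into a measurable finding rather than a reminder; if the `queries` block is populated by the generator from the checklist JSON, the query should be added there. The title also reads as a statement rather than a check; `title: Do not assign public IP addresses to VMs running SAP workloads` matches the Enforce/Use/Implement phrasing used by most of the set.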
diff --git a/v2/recos/Practices/Security/revcl-RbacModelManagementGroups.yaml b/v2/recos/Practices/Security/revcl-RbacModelManagementGroups.yaml
new file mode 100644
index 000000000..b320a8d5d
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-RbacModelManagementGroups.yaml
@@ -0,0 +1,17 @@
+name: revcl-RbacModelManagementGroups
+title: Enforce a RBAC model for management groups, subscriptions, resource groups
+ and resources
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: fda1dbf3-dc95-4d48-a7c7-91dca0f6c565
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/well-architected/sap/design-areas/security
+- type: docs
+ url: https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ReservedInstanceVmSkusReservedInstances.yaml b/v2/recos/Practices/Security/revcl-ReservedInstanceVmSkusReservedInstances.yaml
new file mode 100644
index 000000000..4fc7f79fc
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ReservedInstanceVmSkusReservedInstances.yaml
@@ -0,0 +1,21 @@
+name: revcl-ReservedInstanceVmSkusReservedInstances
+title: Use Reserved Instances where appropriate to optimize cost and ensure available
+ capacity in target regions. Enforce the use of purchased Reserved Instance VM SKUs
+ via Azure Policy.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: c68e1d76-6673-413b-9f56-64b5e984a859
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.10
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ResourceOwnersAccessReview.yaml b/v2/recos/Practices/Security/revcl-ResourceOwnersAccessReview.yaml
new file mode 100644
index 000000000..1c5d938e4
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ResourceOwnersAccessReview.yaml
@@ -0,0 +1,18 @@
+name: revcl-ResourceOwnersAccessReview
+title: Enforce a process to make resource owners aware of their roles and responsibilities,
+ access review, budget review, policy compliance and remediate when necessary.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 49b82111-2df2-47ee-912e-7f983f630472
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.08
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/management-groups/overview
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-RoleBasedAccessControlAzureSpokeSubscriptions.yaml b/v2/recos/Practices/Security/revcl-RoleBasedAccessControlAzureSpokeSubscriptions.yaml
new file mode 100644
index 000000000..95ebde95a
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-RoleBasedAccessControlAzureSpokeSubscriptions.yaml
@@ -0,0 +1,17 @@
+name: revcl-RoleBasedAccessControlAzureSpokeSubscriptions
+title: Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions
+ to avoid accidental network-related changes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 209d490d-a477-4784-84d1-16785d2fa56c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles
+- type: docs
+ url: https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-RootLevelManagementGroupManagementGroups.yaml b/v2/recos/Practices/Security/revcl-RootLevelManagementGroupManagementGroups.yaml
new file mode 100644
index 000000000..67ebdbf17
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-RootLevelManagementGroupManagementGroups.yaml
@@ -0,0 +1,19 @@
+name: revcl-RootLevelManagementGroupManagementGroups
+title: Enforce management groups under the root-level management group to represent
+ the types of workloads, based on their security, compliance, connectivity, and feature
+ needs.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 92481607-d5d1-4e4e-9146-58d3558fd772
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.07
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/management-groups/overview
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-RootManagementGroupSubscriptions.yaml b/v2/recos/Practices/Security/revcl-RootManagementGroupSubscriptions.yaml
new file mode 100644
index 000000000..f68ebe1e2
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-RootManagementGroupSubscriptions.yaml
@@ -0,0 +1,20 @@
+name: revcl-RootManagementGroupSubscriptions
+title: Enforce no subscriptions are placed under the root management group
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 33b6b780-8b9f-4e5c-9104-9d403a923c34
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.05
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group
+queries:
+ arg: resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend
+ ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain|
+ extend compliant = (array_length(mgmtChain) > 1)
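Review bot: In the `arg` query, `ManagementGroup = tostring(tags)` stores the subscription's tag bag under a column named ManagementGroup, and that column is never read — `compliant` depends only on `mgmtChain` — so it looks like a leftover from an earlier version of the query. Either drop that projection or derive the column from `mgmtChain` so the name matches the value; the same expression appears in the query at the top of this chunk (labels id C02.01), whose hunk starts outside this view. The compliance rule itself is sound provided the ancestors chain includes the tenant root group, which the `<= 4` depth bound in the C02.01 query also assumes: a subscription placed directly under root then has a chain of length 1, and `array_length(mgmtChain) > 1` is exactly "not under root".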
diff --git a/v2/recos/Practices/Security/revcl-SandboxManagementGroupUsers.yaml b/v2/recos/Practices/Security/revcl-SandboxManagementGroupUsers.yaml
new file mode 100644
index 000000000..b814ce9b2
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SandboxManagementGroupUsers.yaml
@@ -0,0 +1,20 @@
+name: revcl-SandboxManagementGroupUsers
+title: Enforce a sandbox management group to allow users to immediately experiment
+ with Azure
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 667313b4-f566-44b5-b984-a859c773e7d2
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapAdminCustomRoleTimeAccess.yaml b/v2/recos/Practices/Security/revcl-SapAdminCustomRoleTimeAccess.yaml
new file mode 100644
index 000000000..2f6846734
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapAdminCustomRoleTimeAccess.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapAdminCustomRoleTimeAccess
+title: Delegate an SAP admin custom role with just-in-time access of Microsoft Defender
+ for Cloud.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 8fe72734-c486-4ba2-a0dc-0591cf65de8e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks
+- type: docs
+ url: https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapBtpSso.yaml b/v2/recos/Practices/Security/revcl-SapBtpSso.yaml
new file mode 100644
index 000000000..5e72cba4f
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapBtpSso.yaml
@@ -0,0 +1,14 @@
+name: revcl-SapBtpSso
+title: Implement SSO to SAP BTP
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: a709c664-317e-41e4-9e34-67d9016a86f4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapCloudApplicationCloudConnector.yaml b/v2/recos/Practices/Security/revcl-SapCloudApplicationCloudConnector.yaml
new file mode 100644
index 000000000..4b4d6e35c
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapCloudApplicationCloudConnector.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapCloudApplicationCloudConnector
+title: Enforce Principal propagation for forwarding the identity from SAP cloud application
+ to SAP on-premises (Including IaaS) through cloud connector
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 45911475-e39e-4530-accc-d979366bcda2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapCloudIdentityAuthenticationServicesSapIdentityAuthenticationService.yaml b/v2/recos/Practices/Security/revcl-SapCloudIdentityAuthenticationServicesSapIdentityAuthenticationService.yaml
new file mode 100644
index 000000000..76196168b
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapCloudIdentityAuthenticationServicesSapIdentityAuthenticationService.yaml
@@ -0,0 +1,18 @@
+name: revcl-SapCloudIdentityAuthenticationServicesSapIdentityAuthenticationService
+title: If you're using SAP BTP services or SaaS solutions that require SAP Identity
+ Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity
+ Authentication Services and Azure AD to access those SAP services. This integration
+ lets SAP IAS act as a proxy identity provider and forwards authentication requests
+ to Azure AD as the central user store and identity provider.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 59921095-4980-4fc1-a5b6-524a5a560c79
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapHanaNativeEncryptionTechnologySapHanaDatabaseServers.yaml b/v2/recos/Practices/Security/revcl-SapHanaNativeEncryptionTechnologySapHanaDatabaseServers.yaml
new file mode 100644
index 000000000..51ab109e2
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapHanaNativeEncryptionTechnologySapHanaDatabaseServers.yaml
@@ -0,0 +1,19 @@
+name: revcl-SapHanaNativeEncryptionTechnologySapHanaDatabaseServers
+title: Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption
+ technology. Additionally, if you are using SQL Server on Azure, use Transparent
+ Data Encryption (TDE) to protect your data and log files and ensure that your backups
+ are also encrypted.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: cf65de8e-1309-4ccc-b579-266bcca275fa
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapHanaSso.yaml b/v2/recos/Practices/Security/revcl-SapHanaSso.yaml
new file mode 100644
index 000000000..dc12d550b
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapHanaSso.yaml
@@ -0,0 +1,14 @@
+name: revcl-SapHanaSso
+title: Implement SSO to SAP HANA
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: a747c350-8d4c-449c-93af-393dbca77c48
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapNetweaverBasedWebApplicationsSapWebGui-1.yaml b/v2/recos/Practices/Security/revcl-SapNetweaverBasedWebApplicationsSapWebGui-1.yaml
new file mode 100644
index 000000000..11083d7c9
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapNetweaverBasedWebApplicationsSapWebGui-1.yaml
@@ -0,0 +1,15 @@
+name: revcl-SapNetweaverBasedWebApplicationsSapWebGui-1
+title: Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP
+ Web GUI by using SAML.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 9eb54dad-7861-4e1c-973a-f3bb003fc9c1
+links:
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapNetweaverBasedWebApplicationsSapWebGui.yaml b/v2/recos/Practices/Security/revcl-SapNetweaverBasedWebApplicationsSapWebGui.yaml
new file mode 100644
index 000000000..b9a8d86bb
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapNetweaverBasedWebApplicationsSapWebGui.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapNetweaverBasedWebApplicationsSapWebGui
+title: Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP
+ Web GUI by using SAML.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 325ae525-ba34-4d46-a5e2-213ace7bb122
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapNetweaverOdataServicesCustomApplications.yaml b/v2/recos/Practices/Security/revcl-SapNetweaverOdataServicesCustomApplications.yaml
new file mode 100644
index 000000000..c8d8ebb30
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapNetweaverOdataServicesCustomApplications.yaml
@@ -0,0 +1,15 @@
+name: revcl-SapNetweaverOdataServicesCustomApplications
+title: Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom
+ applications to access SAP NetWeaver OData services.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 16785d6f-a96c-496a-b885-18f482734c88
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapNetweaverSsoSapGui.yaml b/v2/recos/Practices/Security/revcl-SapNetweaverSsoSapGui.yaml
new file mode 100644
index 000000000..463901c08
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapNetweaverSsoSapGui.yaml
@@ -0,0 +1,16 @@
+name: revcl-SapNetweaverSsoSapGui
+title: You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: f29676ef-0c9c-4c4d-ab21-a55504c0c829
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapSaasApplicationsSapAnalyticsCloud.yaml b/v2/recos/Practices/Security/revcl-SapSaasApplicationsSapAnalyticsCloud.yaml
new file mode 100644
index 000000000..58fbb78fc
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapSaasApplicationsSapAnalyticsCloud.yaml
@@ -0,0 +1,15 @@
+name: revcl-SapSaasApplicationsSapAnalyticsCloud
+title: Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud
+ Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 750ab1ab-039d-495d-94c7-c8929cb107d5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapSecureLoginServerWebBrowserAccess-1.yaml b/v2/recos/Practices/Security/revcl-SapSecureLoginServerWebBrowserAccess-1.yaml
new file mode 100644
index 000000000..7052b790a
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapSecureLoginServerWebBrowserAccess-1.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapSecureLoginServerWebBrowserAccess-1
+title: For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO
+ (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration
+ and maintenance. For SSO with X.509 client certificates, consider the SAP Secure
+ Login Server, which is a component of the SAP SSO solution.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 6c8bcbf4-5bbe-4609-b8a0-3e97778424d6
+links:
+- type: docs
+ url: https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapSecureLoginServerWebBrowserAccess.yaml b/v2/recos/Practices/Security/revcl-SapSecureLoginServerWebBrowserAccess.yaml
new file mode 100644
index 000000000..af730b76b
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapSecureLoginServerWebBrowserAccess.yaml
@@ -0,0 +1,17 @@
+name: revcl-SapSecureLoginServerWebBrowserAccess
+title: For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO
+ (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration
+ and maintenance. For SSO with X.509 client certificates, consider the SAP Secure
+ Login Server, which is a component of the SAP SSO solution.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 23181aa4-1742-4694-9ff8-ae7d7d474317
+links:
+- type: docs
+ url: https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapSecurityOssNotesCriticalSecurityPatches.yaml b/v2/recos/Practices/Security/revcl-SapSecurityOssNotesCriticalSecurityPatches.yaml
new file mode 100644
index 000000000..f543a3a08
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapSecurityOssNotesCriticalSecurityPatches.yaml
@@ -0,0 +1,18 @@
+name: revcl-SapSecurityOssNotesCriticalSecurityPatches
+title: Routinely review the SAP security OSS notes because SAP releases highly critical
+ security patches, or hot fixes, that require immediate action to protect your SAP
+ systems.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 08951710-79a2-492a-adbc-06d7a401545b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations
+- type: docs
+ url: https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SapWebAppsSapWebDispatcher.yaml b/v2/recos/Practices/Security/revcl-SapWebAppsSapWebDispatcher.yaml
new file mode 100644
index 000000000..618f02b99
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SapWebAppsSapWebDispatcher.yaml
@@ -0,0 +1,18 @@
+name: revcl-SapWebAppsSapWebDispatcher
+title: Application Gateway and Web Application Firewall have limitations when Application
+ Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between
+ Application Gateway, SAP Web Dispatcher, and other third-party services.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 91a65e40-be90-45b3-9f73-f3edbf8dc324
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure
+- type: docs
+ url: https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SecureCommunicationAzureMonitor.yaml b/v2/recos/Practices/Security/revcl-SecureCommunicationAzureMonitor.yaml
new file mode 100644
index 000000000..568e7e910
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SecureCommunicationAzureMonitor.yaml
@@ -0,0 +1,18 @@
+name: revcl-SecureCommunicationAzureMonitor
+title: To enable secure communication in Azure Monitor for SAP solutions, you can
+ choose to use either a root certificate or a server certificate. We highly recommend
+ that you use root certificates.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 9fc945b9-0527-47af-8200-9d652fe02fcc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions
+- type: docs
+ url: https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SecureDeliveryHttpSApps.yaml b/v2/recos/Practices/Security/revcl-SecureDeliveryHttpSApps.yaml
new file mode 100644
index 000000000..e302fb323
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SecureDeliveryHttpSApps.yaml
@@ -0,0 +1,17 @@
+name: revcl-SecureDeliveryHttpSApps
+title: For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that
+ WAF protection and policies are enabled.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 5ba34d46-85e2-4213-ace7-bb122f7c95f0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SeparatePrivilegedAdminAccountsAzureAdministrativeTasks.yaml b/v2/recos/Practices/Security/revcl-SeparatePrivilegedAdminAccountsAzureAdministrativeTasks.yaml
new file mode 100644
index 000000000..00016d3cc
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SeparatePrivilegedAdminAccountsAzureAdministrativeTasks.yaml
@@ -0,0 +1,17 @@
+name: revcl-SeparatePrivilegedAdminAccountsAzureAdministrativeTasks
+title: Separate privileged admin accounts for Azure administrative tasks.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 6f704104-85c1-441f-96d3-c9819911645e
+ area: Security
+ subarea: Secure privileged access
+ id: G05.01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/roles/security-planning
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ServicePrincipalLoginsExistingServicePrincipals.yaml b/v2/recos/Practices/Security/revcl-ServicePrincipalLoginsExistingServicePrincipals.yaml
new file mode 100644
index 000000000..4890040ae
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ServicePrincipalLoginsExistingServicePrincipals.yaml
@@ -0,0 +1,21 @@
+name: revcl-ServicePrincipalLoginsExistingServicePrincipals
+title: Use managed identities instead of service principals for authentication to
+ Azure services. You can check for existing service principals via Entra ID > Sign
+ in Logs > Service principal logins.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 4348bf81-7573-4512-8f46-9061cc198fea
+ area: Identity and Access Management
+ subarea: Microsoft Entra ID and Hybrid Identity
+ id: B03.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ServiceRequestAzureServices.yaml b/v2/recos/Practices/Security/revcl-ServiceRequestAzureServices.yaml
new file mode 100644
index 000000000..26e074c3a
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ServiceRequestAzureServices.yaml
@@ -0,0 +1,17 @@
+name: revcl-ServiceRequestAzureServices
+title: Plan how service request will be fulfilled for Azure services
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: ae514b93-3d45-485e-8112-9bd7ba012f7b
+ area: Security
+ subarea: Service enablement framework
+ id: G06.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SqlServerInternalOperatingSystemCommandShellTheSqlServerFeature.yaml b/v2/recos/Practices/Security/revcl-SqlServerInternalOperatingSystemCommandShellTheSqlServerFeature.yaml
new file mode 100644
index 000000000..5820ff5ef
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SqlServerInternalOperatingSystemCommandShellTheSqlServerFeature.yaml
@@ -0,0 +1,17 @@
+name: revcl-SqlServerInternalOperatingSystemCommandShellTheSqlServerFeature
+title: Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server
+ internal operating system command shell. It's a potential risk in security audits.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 0
+labels:
+ guid: 5a76a033-ced9-4eef-9a43-5e4f96634c8e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security
+- type: docs
+ url: https://me.sap.com/notes/3019299/E
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-SqlServerSystemAdministratorAccountOriginalSystemAdministratorAccount.yaml b/v2/recos/Practices/Security/revcl-SqlServerSystemAdministratorAccountOriginalSystemAdministratorAccount.yaml
new file mode 100644
index 000000000..210f04fa5
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-SqlServerSystemAdministratorAccountOriginalSystemAdministratorAccount.yaml
@@ -0,0 +1,17 @@
+name: revcl-SqlServerSystemAdministratorAccountOriginalSystemAdministratorAccount
+title: For SAP on SQL Server, you can disable the SQL Server system administrator
+ account because the SAP systems on SQL Server don't use the account. Ensure that
+ another user with system administrator rights can access the server before disabling
+ the original system administrator account.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 2
+labels:
+ guid: 1b8b394e-ae64-4a74-8933-357b523ea0a0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-StorageCapacityMetricsDiskSpace.yaml b/v2/recos/Practices/Security/revcl-StorageCapacityMetricsDiskSpace.yaml
new file mode 100644
index 000000000..0005f772d
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-StorageCapacityMetricsDiskSpace.yaml
@@ -0,0 +1,20 @@
+name: revcl-StorageCapacityMetricsDiskSpace
+title: Establish dashboards and/or visualizations to monitor compute and storage capacity
+ metrics. (i.e. CPU, memory, disk space)
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: c773e7d2-6162-43a7-95a9-17e1f348ef25
+ area: Resource Organization
+ subarea: Subscriptions
+ id: C02.11
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-dashboards
+- type: docs
+ url: https://learn.microsoft.com/en-gb/training/modules/visualize-data-workbooks/
+queries: {}
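Review bot: The two `links` entries here use locale-pinned URLs (`/en-us/` and `/en-gb/`), while every other learn.microsoft.com link in this batch is locale-neutral; the mixed form reads as copied through rather than normalized. If the generator does not already strip the locale segment, normalizing these two to `https://learn.microsoft.com/azure/azure-portal/azure-portal-dashboards` and `https://learn.microsoft.com/training/modules/visualize-data-workbooks/` keeps the data consistent and lets the site serve the reader's own locale.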
diff --git a/v2/recos/Practices/Security/revcl-ThirdPartySecurityProductSecureNetworkCommunications.yaml b/v2/recos/Practices/Security/revcl-ThirdPartySecurityProductSecureNetworkCommunications.yaml
new file mode 100644
index 000000000..1902882aa
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ThirdPartySecurityProductSecureNetworkCommunications.yaml
@@ -0,0 +1,17 @@
+name: revcl-ThirdPartySecurityProductSecureNetworkCommunications
+title: encrypt data in transit by integrating the third-party security product with
+ secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 2
+labels:
+ guid: 1309cccd-5792-466b-aca2-75faa1abfe9d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance
+- type: docs
+ url: https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ThirdPartyWebApplicationFirewallApplicationRequirements.yaml b/v2/recos/Practices/Security/revcl-ThirdPartyWebApplicationFirewallApplicationRequirements.yaml
new file mode 100644
index 000000000..1cb304531
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ThirdPartyWebApplicationFirewallApplicationRequirements.yaml
@@ -0,0 +1,19 @@
+name: revcl-ThirdPartyWebApplicationFirewallApplicationRequirements
+title: For internet-facing applications like SAP Fiori, make sure to distribute load
+ per application requirements while maintaining security levels. For Layer 7 security,
+ you can use a third-party Web Application Firewall (WAF) available in the Azure
+ Marketplace.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 2
+labels:
+ guid: 491ca1c4-3d40-42c0-9d85-b8933999590b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance
+- type: docs
+ url: https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-WebApplicationFirewallFirewallCapabilities.yaml b/v2/recos/Practices/Security/revcl-WebApplicationFirewallFirewallCapabilities.yaml
new file mode 100644
index 000000000..d020822c0
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-WebApplicationFirewallFirewallCapabilities.yaml
@@ -0,0 +1,19 @@
+name: revcl-WebApplicationFirewallFirewallCapabilities
+title: Use a web application firewall to scan your traffic when it's exposed to the
+ internet. Another option is to use it with your load balancer or with resources
+ that have built-in firewall capabilities like Application Gateway or third-party
+ solutions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 5ada4332-4e13-4811-9231-81aa41742694
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-WebApplicationFirewallPoliciesAzureFrontDoor.yaml b/v2/recos/Practices/Security/revcl-WebApplicationFirewallPoliciesAzureFrontDoor.yaml
new file mode 100644
index 000000000..b3b784623
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-WebApplicationFirewallPoliciesAzureFrontDoor.yaml
@@ -0,0 +1,18 @@
+name: revcl-WebApplicationFirewallPoliciesAzureFrontDoor
+title: Take advantage of Web Application Firewall policies in Azure Front Door when
+ you're using Azure Front Door and Application Gateway to protect HTTP/S applications.
+ Lock down Application Gateway to receive traffic only from Azure Front Door.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: b039d95d-54c7-4c89-89cb-107d5325ae52
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations
+queries: {}
diff --git a/v2/recos/Practices/Security/revcl-ZeroTrustApproachAzurePlatform.yaml b/v2/recos/Practices/Security/revcl-ZeroTrustApproachAzurePlatform.yaml
new file mode 100644
index 000000000..b663fcc5d
--- /dev/null
+++ b/v2/recos/Practices/Security/revcl-ZeroTrustApproachAzurePlatform.yaml
@@ -0,0 +1,17 @@
+name: revcl-ZeroTrustApproachAzurePlatform
+title: Implement a zero-trust approach for access to the Azure platform, where appropriate.
+source:
+ type: revcl
+ file: ./checklists/alz_checklist.en.json
+resourceTypes: []
+waf: Security
+severity: 1
+labels:
+ guid: 01365d38-e43f-49cc-ad86-8266abca264f
+ area: Security
+ subarea: Access control
+ id: G01.02
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security-zero-trust
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Cost/revcl-AzureLighthouseTenant.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Cost/revcl-AzureLighthouseTenant.yaml
new file mode 100644
index 000000000..122e0dcd8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Cost/revcl-AzureLighthouseTenant.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureLighthouseTenant
+title: Ensure that Azure Lighthouse is used for administering the tenant by partner
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Cost
+severity: 1
+labels:
+ guid: 5d82e6df-6f61-42f2-82e2-3132d293be3d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-LeverageAzureLighthouseMultiTenantManagement.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-LeverageAzureLighthouseMultiTenantManagement.yaml
new file mode 100644
index 000000000..7051506b1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-LeverageAzureLighthouseMultiTenantManagement.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageAzureLighthouseMultiTenantManagement
+title: Leverage Azure Lighthouse for Multi-Tenant Management
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Operations
+severity: 2
+labels:
+ guid: 78e11934-499a-45ed-8ef7-aae5578f0ecf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-MicrosoftEntraIdTenantsMultiTenantAutomationApproach.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-MicrosoftEntraIdTenantsMultiTenantAutomationApproach.yaml
new file mode 100644
index 000000000..4eb601c75
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-MicrosoftEntraIdTenantsMultiTenantAutomationApproach.yaml
@@ -0,0 +1,16 @@
+name: revcl-MicrosoftEntraIdTenantsMultiTenantAutomationApproach
+title: Ensure you have a Multi-Tenant Automation approach to managing your Microsoft
+ Entra ID Tenants
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Operations
+severity: 2
+labels:
+ guid: 6309957b-821a-43d1-b9d9-7fcf1802b747
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-OneEntraTenantAzureResources.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-OneEntraTenantAzureResources.yaml
new file mode 100644
index 000000000..03557bfe4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Operations/revcl-OneEntraTenantAzureResources.yaml
@@ -0,0 +1,16 @@
+name: revcl-OneEntraTenantAzureResources
+title: Use one Entra tenant for managing your Azure resources, unless you have a clear
+ regulatory or business requirement for multi-tenants.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Operations
+severity: 1
+labels:
+ guid: 70c15989-c726-42c7-b0d3-24b7375b9201
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-AzureAdDomainServiceStampsAdditionalRegions.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-AzureAdDomainServiceStampsAdditionalRegions.yaml
new file mode 100644
index 000000000..4f8dbd33d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-AzureAdDomainServiceStampsAdditionalRegions.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureAdDomainServiceStampsAdditionalRegions
+title: Add Azure AD Domain service stamps to additional regions and locations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Reliability
+severity: 1
+labels:
+ guid: 6b4bfd3d-5035-447c-8447-ec66128a71f0
+links:
+- type: docs
+ url: https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-MicrosoftIdentityLibraryLiveRevocableToken.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-MicrosoftIdentityLibraryLiveRevocableToken.yaml
new file mode 100644
index 000000000..5eb16f20e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-MicrosoftIdentityLibraryLiveRevocableToken.yaml
@@ -0,0 +1,16 @@
+name: revcl-MicrosoftIdentityLibraryLiveRevocableToken
+title: Use long-live revocable token, cache your token and acquire your silently using
+ Microsoft Identity Library
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Reliability
+severity: 1
+labels:
+ guid: bb235c70-5e17-496f-bedf-a8a4c8cdec4c
+links:
+- type: docs
+ url: https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-ReplicaSetsDr.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-ReplicaSetsDr.yaml
new file mode 100644
index 000000000..0a72a9faf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Reliability/revcl-ReplicaSetsDr.yaml
@@ -0,0 +1,15 @@
+name: revcl-ReplicaSetsDr
+title: Use Replica Sets for DR
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Reliability
+severity: 1
+labels:
+ guid: f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4
+links:
+- type: docs
+ url: https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-ActiveDirectoryDomainSerivcesEntraDomainServices.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-ActiveDirectoryDomainSerivcesEntraDomainServices.yaml
new file mode 100644
index 000000000..247a4b033
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-ActiveDirectoryDomainSerivcesEntraDomainServices.yaml
@@ -0,0 +1,18 @@
+name: revcl-ActiveDirectoryDomainSerivcesEntraDomainServices
+title: If planning to switch from Active Directory Domain Serivces to Entra domain
+ services, evaluate the compatibility of all workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 8b9fe5c4-1049-4d40-9a92-3c3474d00018
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory-domain-services/overview
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-AuthenticationTypeSchoolAccount.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-AuthenticationTypeSchoolAccount.yaml
new file mode 100644
index 000000000..cd7568260
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-AuthenticationTypeSchoolAccount.yaml
@@ -0,0 +1,18 @@
+name: revcl-AuthenticationTypeSchoolAccount
+title: Only use the authentication type Work or school account for all account types.
+ Avoid using the Microsoft account
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 0
+labels:
+ guid: 12e7f983-f630-4472-8dd6-9c5b5c2622f5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-CloudOperatingModelRbacModel.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-CloudOperatingModelRbacModel.yaml
new file mode 100644
index 000000000..43ea3ddf7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-CloudOperatingModelRbacModel.yaml
@@ -0,0 +1,18 @@
+name: revcl-CloudOperatingModelRbacModel
+title: Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign
+ across Management Groups and Subscriptions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 0
+labels:
+ guid: 348ef254-c27d-442e-abba-c7571559ab91
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/role-based-access-control/overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-GroupManagementSystemEntraId.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-GroupManagementSystemEntraId.yaml
new file mode 100644
index 000000000..609056812
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-GroupManagementSystemEntraId.yaml
@@ -0,0 +1,18 @@
+name: revcl-GroupManagementSystemEntraId
+title: Only use groups to assign permissions. Add on-premises groups to the Entra
+ ID only group if a group management system is already in place.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 4b69bad3-3aad-45e8-a68e-1d76667313b4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/manage-identity-and-access/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyAzureVirtualDesktop.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyAzureVirtualDesktop.yaml
new file mode 100644
index 000000000..099a865c4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyAzureVirtualDesktop.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftEntraIdApplicationProxyAzureVirtualDesktop
+title: If users only need access to internal applications, has Microsoft Entra ID
+ Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 2
+labels:
+ guid: 3b4b3e88-a459-4ed5-a22f-644dfbc58204
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyFirewallPorts.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyFirewallPorts.yaml
new file mode 100644
index 000000000..913e359c0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyFirewallPorts.yaml
@@ -0,0 +1,19 @@
+name: revcl-MicrosoftEntraIdApplicationProxyFirewallPorts
+title: To reduce the number of firewall ports open for incoming connections in your
+ network, consider using Microsoft Entra ID Application Proxy to give remote users
+ secure and authenticated access to internal applications.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 01ca7cf1-5754-442d-babb-8ba6772e5c30
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyRemoteUsers.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyRemoteUsers.yaml
new file mode 100644
index 000000000..9d4e8635b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdApplicationProxyRemoteUsers.yaml
@@ -0,0 +1,19 @@
+name: revcl-MicrosoftEntraIdApplicationProxyRemoteUsers
+title: Where required, use Microsoft Entra ID Application Proxy to give remote users
+ secure and authenticated access to internal applications (hosted in the cloud or
+ on-premises).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: d5d1e4e6-1465-48d3-958f-d77249b82111
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdConditionalAccessPoliciesAzureEnvironments.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdConditionalAccessPoliciesAzureEnvironments.yaml
new file mode 100644
index 000000000..cc7df7258
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdConditionalAccessPoliciesAzureEnvironments.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftEntraIdConditionalAccessPoliciesAzureEnvironments
+title: Enforce Microsoft Entra ID conditional-access policies for any user with rights
+ to Azure environments
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 2
+labels:
+ guid: 53e8908a-e28c-484c-93b6-b7808b9fe5c4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/conditional-access/overview
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/
+queries: {}
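Review bot: The `resourceTypes` entry `microsoft.aad/domainservices` is the ARM type of Microsoft Entra Domain Services (the managed AD DS offering), while this recommendation concerns Conditional Access on the Entra ID tenant, which has no ARM resource of its own. If `resourceTypes` is used to filter recommendations by discovered resources, a tenant-level identity control like this one would surface only for customers that happen to run a managed domain and be silently dropped for everyone else. Either document the stand-in, e.g. `# NOTE: tenant-level control; microsoft.aad/domainservices used as the closest ARM type`, or map Entra ID recommendations to a tenant-scope type the tooling recognises. The same mapping is applied to the other Entra ID recos in this change, so the fix presumably belongs in the generator or in `./checklists/waf_checklist.en.json` rather than in this file alone.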
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdLogsCloudNativeOptions.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdLogsCloudNativeOptions.yaml
new file mode 100644
index 000000000..4a95997d1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdLogsCloudNativeOptions.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftEntraIdLogsCloudNativeOptions
+title: Integrate Microsoft Entra ID logs with the platform-central Azure Monitor.
+ Azure Monitor allows for a single source of truth around log and monitoring data
+ in Azure, giving organizations a cloud native options to meet requirements around
+ log collection and retention.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 1cf0b8da-70bd-44d0-94af-8d99cfc89ae1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdPrivilegedIdentityManagementZeroStandingAccess.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdPrivilegedIdentityManagementZeroStandingAccess.yaml
new file mode 100644
index 000000000..3d0015161
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdPrivilegedIdentityManagementZeroStandingAccess.yaml
@@ -0,0 +1,18 @@
+name: revcl-MicrosoftEntraIdPrivilegedIdentityManagementZeroStandingAccess
+title: Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish
+ zero standing access and least privilege
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 14658d35-58fd-4772-99b8-21112df27ee4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdReportingCapabilitiesAccessControlAuditReports.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdReportingCapabilitiesAccessControlAuditReports.yaml
new file mode 100644
index 000000000..f752dde29
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdReportingCapabilitiesAccessControlAuditReports.yaml
@@ -0,0 +1,16 @@
+name: revcl-MicrosoftEntraIdReportingCapabilitiesAccessControlAuditReports
+title: Use Microsoft Entra ID reporting capabilities to generate access control audit
+ reports.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 4e5695f2-223a-4ce8-ab12-308ca5017f15
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdRoleAssignmentsPremisesSyncedAccounts.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdRoleAssignmentsPremisesSyncedAccounts.yaml
new file mode 100644
index 000000000..9b2bf9cf5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MicrosoftEntraIdRoleAssignmentsPremisesSyncedAccounts.yaml
@@ -0,0 +1,17 @@
+name: revcl-MicrosoftEntraIdRoleAssignmentsPremisesSyncedAccounts
+title: Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 35037e68-9349-4c15-b371-228514f4cdff
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/roles/best-practices
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-identity-security-strategy/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MultiFactorAuthenticationAzureEnvironments.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MultiFactorAuthenticationAzureEnvironments.yaml
new file mode 100644
index 000000000..beb2febd0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-MultiFactorAuthenticationAzureEnvironments.yaml
@@ -0,0 +1,17 @@
+name: revcl-MultiFactorAuthenticationAzureEnvironments
+title: Enforce multi-factor authentication for any user with rights to the Azure environments
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 0
+labels:
+ guid: 1049d403-a923-4c34-94d0-0018ac6a9e01
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-SovereignLandingZoneEntraIdTenant-1.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-SovereignLandingZoneEntraIdTenant-1.yaml
new file mode 100644
index 000000000..4e06bd625
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-SovereignLandingZoneEntraIdTenant-1.yaml
@@ -0,0 +1,15 @@
+name: revcl-SovereignLandingZoneEntraIdTenant-1
+title: For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: d21a922d-5ca7-427a-82a6-35f7b21f1bfc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview
+queries: {}
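Review bot: The title writes the product name as `customer Lockbox`; the feature is `Customer Lockbox` (as on the linked overview page), and the sentence asserts a state instead of asking for one, unlike most titles in this change. Suggested line: `title: For Sovereign Landing Zone, ensure Customer Lockbox is enabled on the Entra ID tenant.` Since `source.file` points at `./checklists/waf_checklist.en.json`, the correction should be made there so a regeneration does not reintroduce it.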
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-SovereignLandingZoneEntraIdTenant.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-SovereignLandingZoneEntraIdTenant.yaml
new file mode 100644
index 000000000..5f3c722bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-SovereignLandingZoneEntraIdTenant.yaml
@@ -0,0 +1,15 @@
+name: revcl-SovereignLandingZoneEntraIdTenant
+title: For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 1
+labels:
+ guid: 1761e147-f65e-4d09-bbc2-f464f23e2eba
+links:
+- type: docs
+ url: https://learn.microsoft.com/industry/sovereignty/transparency-logs
+queries: {}
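Review bot: The title in this hunk has two wording defects: `transparancy` should be `transparency`, and `logs is enabled` should be `logs are enabled`; it is also phrased as a statement of fact rather than a check. Suggested line: `title: For Sovereign Landing Zone, ensure transparency logs are enabled on the Entra ID tenant.` As the file records `source.file: ./checklists/waf_checklist.en.json`, fix it in the source checklist so regeneration keeps the correction.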
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-TenantWideAccountLockoutEmergencyAccess.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-TenantWideAccountLockoutEmergencyAccess.yaml
new file mode 100644
index 000000000..1404eedf8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/Security/revcl-TenantWideAccountLockoutEmergencyAccess.yaml
@@ -0,0 +1,18 @@
+name: revcl-TenantWideAccountLockoutEmergencyAccess
+title: Implement an emergency access or break-glass accounts to prevent tenant-wide
+ account lockout
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.aad/domainservices
+waf: Security
+severity: 0
+labels:
+ guid: 984a859c-773e-47d2-9162-3a765a917e1f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/
+queries: {}
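Review bot: The title mixes singular and plural, `Implement an emergency access or break-glass accounts`; suggest `title: Implement emergency access (break-glass) accounts to prevent tenant-wide account lockout`. The second link points at the PIM learning module rather than emergency-access material; if it was carried over from the PIM reco, consider dropping it so the links stay specific to break-glass guidance. The wording fix presumably belongs in the source checklist named by `source.file`.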
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/aprl-EnterpriseSkuManagedDomain.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/aprl-EnterpriseSkuManagedDomain.yaml
new file mode 100644
index 000000000..e9882f7e0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/aprl-EnterpriseSkuManagedDomain.yaml
@@ -0,0 +1,24 @@
+name: aprl-EnterpriseSkuManagedDomain
+title: Use at least the Enterprise SKU
+description: |-
+ You need to use a minimum of Enterprise SKU for your managed domain to support replica sets.
+source:
+ type: aprl
+ file: azure-resources/AAD/domainServices/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AAD/domainServices
+severity: 0
+labels:
+ guid: bb6deb9d-24fa-4ee8-bc23-ac3ebc7fdf8e
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Gets Entry Domain Services that are using the Standard SKU
+ resources
+ | where type == "microsoft.aad/domainservices"
+ | extend sku = properties.sku
+ | where sku =~ 'Standard'
+ | project recommendationId='bb6deb9d-24fa-4ee8-bc23-ac3ebc7fdf8e', name=name, id=id, tags=tags, param1=strcat('SKU:', sku)
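Review bot: The query comment reads `Gets Entry Domain Services` where `Entra` is meant; the same typo appears in the replica-set reco's query in this change. `links: []` leaves this reco without any reference, unlike the revcl files here that each carry at least one docs URL, so a link to the Domain Services SKU documentation should be added (the upstream APRL entry in `azure-resources/AAD/domainServices/recommendations.yaml` may already supply one). Note that `sku =~ 'Standard'` is case-insensitive, which is fine, but a domain whose `properties.sku` is absent compares as null and is not reported.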
diff --git a/v2/recos/Services/MicrosoftAAD-domainServices/aprl-MicrosoftEntraDomainServicesAdditionalGeographicLocations.yaml b/v2/recos/Services/MicrosoftAAD-domainServices/aprl-MicrosoftEntraDomainServicesAdditionalGeographicLocations.yaml
new file mode 100644
index 000000000..bec7a92ab
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAAD-domainServices/aprl-MicrosoftEntraDomainServicesAdditionalGeographicLocations.yaml
@@ -0,0 +1,25 @@
+name: aprl-MicrosoftEntraDomainServicesAdditionalGeographicLocations
+title: Use replica sets for resiliency or geolocation in Microsoft Entra Domain Services
+description: |-
+ To improve the resiliency of a Microsoft Entra Domain Services managed domain, or deploy to additional geographic locations close to your applications, you can use replica sets.
+ You can add a replica set to any peered virtual network in any Azure region that supports Domain Services.
+source:
+ type: aprl
+ file: azure-resources/AAD/domainServices/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AAD/domainServices
+severity: 0
+labels:
+ guid: a3058909-fcf8-4450-88b5-499f57449178
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Gets Entry Domain Services that are using only one replicaSet
+ resources
+ | where type == "microsoft.aad/domainservices"
+ | extend replicaSets = properties.replicaSets
+ | where array_length(replicaSets) < 2
+ | project recommendationId='a3058909-fcf8-4450-88b5-499f57449178', name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)
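Review bot: `array_length(replicaSets) < 2` silently excludes managed domains whose `properties.replicaSets` is missing or null, because `array_length(null)` is null and `null < 2` evaluates to false in KQL, so exactly the single-region domains this reco targets could drop out of the result. Suggest `| where coalesce(array_length(replicaSets), 0) < 2` so a missing array still yields a row; whether ARG ever returns the property empty is not visible here, but the guard is cheap. The comment `Gets Entry Domain Services` should read `Entra`.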
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Cost/revcl-AzureVmwareSolutionInstances.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Cost/revcl-AzureVmwareSolutionInstances.yaml
new file mode 100644
index 000000000..ae08aae29
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Cost/revcl-AzureVmwareSolutionInstances.yaml
@@ -0,0 +1,13 @@
+name: revcl-AzureVmwareSolutionInstances
+title: Are Azure reserved instances used to optimize cost for using Azure VMware Solution
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Cost
+severity: 2
+labels:
+ guid: 6e043e2a-a359-4271-ae6e-205172676ae4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Cost/revcl-GoodCostManagementProcessAzureCostManagement.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Cost/revcl-GoodCostManagementProcessAzureCostManagement.yaml
new file mode 100644
index 000000000..e997bc36c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Cost/revcl-GoodCostManagementProcessAzureCostManagement.yaml
@@ -0,0 +1,14 @@
+name: revcl-GoodCostManagementProcessAzureCostManagement
+title: Ensure a good cost management process is in place for Azure VMware Solution
+ - Azure Cost Management can be used
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Cost
+severity: 1
+labels:
+ guid: 4ba34d45-85e1-4213-abd7-bb012f7b95ef
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AutomatedDeploymentsReserve.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AutomatedDeploymentsReserve.yaml
new file mode 100644
index 000000000..2e33d375c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AutomatedDeploymentsReserve.yaml
@@ -0,0 +1,14 @@
+name: revcl-AutomatedDeploymentsReserve
+title: For automated deployments, request or reserve quota prior to starting the
+ deployment
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: e6bfbb9e-d503-4547-ac44-7e826128a71f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AutomatedScalingOperationsAppropriateAutomatedResponses.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AutomatedScalingOperationsAppropriateAutomatedResponses.yaml
new file mode 100644
index 000000000..f9bf31ab1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AutomatedScalingOperationsAppropriateAutomatedResponses.yaml
@@ -0,0 +1,14 @@
+name: revcl-AutomatedScalingOperationsAppropriateAutomatedResponses
+title: Implement monitoring rules to monitor automated scaling operations and monitor
+ success and failure to enable appropriate (automated) responses
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 1dc15a1c-075e-4e9f-841a-cccd579376bc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureServiceHealthAlertsNotifications.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureServiceHealthAlertsNotifications.yaml
new file mode 100644
index 000000000..bb28dbb21
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureServiceHealthAlertsNotifications.yaml
@@ -0,0 +1,13 @@
+name: revcl-AzureServiceHealthAlertsNotifications
+title: Ensure alerts are configured for Azure Service Health alerts and notifications
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: 64b0d934-a348-4726-be79-d6b5c3a36495
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureArc-1.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureArc-1.yaml
new file mode 100644
index 000000000..6eb9a133a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureArc-1.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionAzureArc-1
+title: Ensure workloads running on Azure VMware Solution are hybrid managed using
+ Azure Arc for Servers (Arc for Azure VMware Solution is in preview)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 2aee3453-aec8-4339-848b-262d6cc5f512
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureLogAnalytics.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureLogAnalytics.yaml
new file mode 100644
index 000000000..81f3406f5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureLogAnalytics.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionAzureLogAnalytics
+title: Ensure workloads running on Azure VMware Solution are monitored using Azure
+ Log Analytics and Azure Monitor
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 925398e6-da9d-437d-ac43-bc6cd1d79a9b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureStorageAccount.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureStorageAccount.yaml
new file mode 100644
index 000000000..41463cd2d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionAzureStorageAccount.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionAzureStorageAccount
+title: Configure Azure VMware Solution logging to be send to an Azure Storage account
+ or Azure EventHub for processing
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: b6abad38-aad5-43cc-99e1-d86667357c54
+links: []
+queries: {}
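Review bot: The title has a typo, `to be send` should be `to be sent`, and the product is spelled `Azure Event Hubs`. Suggested line: `title: Configure Azure VMware Solution logging to be sent to an Azure Storage account or Azure Event Hubs for processing`. Since the file records `source.file: ./checklists/waf_checklist.en.json`, correct it there so regeneration keeps the fix.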
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionGuestVmWorkloadsLogAnalyticsAgents.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionGuestVmWorkloadsLogAnalyticsAgents.yaml
new file mode 100644
index 000000000..1206063ff
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionGuestVmWorkloadsLogAnalyticsAgents.yaml
@@ -0,0 +1,13 @@
+name: revcl-AzureVmwareSolutionGuestVmWorkloadsLogAnalyticsAgents
+title: Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 4ed90dae-2cc8-44c4-9b6b-781cbafe6c46
+links: []
+queries: {}
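Review bot: The title recommends deploying `the Log Analytics Agents` to guest VMs, but the Log Analytics agent (MMA/OMS) has a published retirement in favour of the Azure Monitor Agent; if this corpus tracks current guidance, the reco should name the replacement, e.g. `title: Deploy the Azure Monitor Agent to Azure VMware Solution guest VM workloads`. `links: []` gives the reader no reference to check which agent is meant, so a docs link would help. Whether the upstream checklist has already been updated is not visible here.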
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionMetricLogging.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionMetricLogging.yaml
new file mode 100644
index 000000000..cc9daf1ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionMetricLogging.yaml
@@ -0,0 +1,13 @@
+name: revcl-AzureVmwareSolutionMetricLogging
+title: Enable Diagnostic and metric logging on Azure VMware Solution
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: 88f03a4d-2cd4-463c-abbc-868295abc91a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionPerformanceWarningAlerts.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionPerformanceWarningAlerts.yaml
new file mode 100644
index 000000000..12565e876
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionPerformanceWarningAlerts.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionPerformanceWarningAlerts
+title: Create warning alerts for critical thresholds for automatic alerting on Azure
+ VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: 6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionPrivateCloudManualDeployments.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionPrivateCloudManualDeployments.yaml
new file mode 100644
index 000000000..8c0e587cb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionPrivateCloudManualDeployments.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionPrivateCloudManualDeployments
+title: For manual deployments, consider implementing resource locks to prevent accidental
+ actions on your Azure VMware Solution Private Cloud
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: 7e7a8d90-ae0e-437c-be29-711bd352caaa
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionResourceDependencies.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionResourceDependencies.yaml
new file mode 100644
index 000000000..290a791e1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionResourceDependencies.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureVmwareSolutionResourceDependencies
+title: Define resource dependencies for serializing actions in IaC when many resources
+ need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports
+ a limited number of parallel operations.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: cc5f5129-2539-48e6-bb9d-37dac43bc6cd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVirtualMachineAzureNativeResource.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVirtualMachineAzureNativeResource.yaml
new file mode 100644
index 000000000..77cd336ae
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVirtualMachineAzureNativeResource.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureVmwareSolutionVirtualMachineAzureNativeResource
+title: Ensure a connection monitor is created from an Azure native resource to an
+ Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end
+ ExpressRoute connection
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 976e24f2-a7f8-426c-9253-2a92a2a7ed99
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVirtualMachineConnectionMonitor.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVirtualMachineConnectionMonitor.yaml
new file mode 100644
index 000000000..596d49525
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVirtualMachineConnectionMonitor.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionVirtualMachineConnectionMonitor
+title: Ensure a connection monitor is created from an on-premises resource to an Azure
+ VMware Solution virtual machine to monitor end-2-end connectivity
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: f41ce6a0-64f3-4805-bc65-3ab50df01265
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVmWorkloadsBackupPolicy.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVmWorkloadsBackupPolicy.yaml
new file mode 100644
index 000000000..15737f29d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionVmWorkloadsBackupPolicy.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionVmWorkloadsBackupPolicy
+title: Ensure you have a documented and implemented backup policy and solution for
+ Azure VMware Solution VM workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 589d457a-927c-4397-9d11-02cad6aae11e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionWorkloadsAzurePolicy.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionWorkloadsAzurePolicy.yaml
new file mode 100644
index 000000000..de32be9d6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-AzureVmwareSolutionWorkloadsAzurePolicy.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionWorkloadsAzurePolicy
+title: Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management,
+ Monitoring and Security solutions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 17e7a8d9-0ae0-4e27-aee2-9711bd352caa
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-CoreAzureVmwareSolutionMonitoringInsightsDashboards.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-CoreAzureVmwareSolutionMonitoringInsightsDashboards.yaml
new file mode 100644
index 000000000..30199dddd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-CoreAzureVmwareSolutionMonitoringInsightsDashboards.yaml
@@ -0,0 +1,13 @@
+name: revcl-CoreAzureVmwareSolutionMonitoringInsightsDashboards
+title: Create dashboards to enable core Azure VMware Solution monitoring insights
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: e43a18a9-cd28-49ce-b6b1-7db8255461e2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-CriticalAlertVsanConsumption.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-CriticalAlertVsanConsumption.yaml
new file mode 100644
index 000000000..6a2a0bdaf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-CriticalAlertVsanConsumption.yaml
@@ -0,0 +1,14 @@
+name: revcl-CriticalAlertVsanConsumption
+title: Ensure critical alert is created to monitor if vSAN consumption is below 75%
+ as this is a support threshold from VMware
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: 9659e396-80e7-4828-ac93-5657d02bff45
+links: []
+queries: {}
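Review bot: The title's threshold direction is ambiguous: `monitor if vSAN consumption is below 75%` reads as alerting while consumption is under the limit, whereas the intent (consumption must stay below the VMware support threshold) is an alert when it crosses above 75%. Suggested line: `title: Ensure a critical alert is created that fires when vSAN consumption exceeds 75%, as this is a support threshold from VMware`. The performance-warning reco in this same change uses `vSAN >70%` as its warning level, so it may be worth stating explicitly that 70% is the warning and 75% the critical threshold.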
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-DiskPoolBackedDatastoreDataRepositories.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-DiskPoolBackedDatastoreDataRepositories.yaml
new file mode 100644
index 000000000..80cdbbca4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-DiskPoolBackedDatastoreDataRepositories.yaml
@@ -0,0 +1,14 @@
+name: revcl-DiskPoolBackedDatastoreDataRepositories
+title: Ensure data repositories for the backup solution are stored outside of vSAN
+ storage. Either in Azure native or on a disk pool-backed datastore
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 0e43a18a-9cd2-489b-bd6b-17db8255461e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-EsxiHostDensityLeadTime.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-EsxiHostDensityLeadTime.yaml
new file mode 100644
index 000000000..27f49134e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-EsxiHostDensityLeadTime.yaml
@@ -0,0 +1,14 @@
+name: revcl-EsxiHostDensityLeadTime
+title: Ensure that you have a policy around ESXi host density and efficiency, keeping
+ in mind the lead time for requesting new nodes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: bf39d95d-44c7-4c89-89ca-1f6d5315ae52
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-ExistingUpdateManagementToolingAzureUpdateManagement.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-ExistingUpdateManagementToolingAzureUpdateManagement.yaml
new file mode 100644
index 000000000..f6135f58b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-ExistingUpdateManagementToolingAzureUpdateManagement.yaml
@@ -0,0 +1,14 @@
+name: revcl-ExistingUpdateManagementToolingAzureUpdateManagement
+title: Include workloads running on Azure VMware Solution in existing update management
+ tooling or in Azure Update Management
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 24604489-a8f4-42d7-ae78-cb6a33bd2a09
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-HumanUnderstandableNamesExrAuthorizationKeys.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-HumanUnderstandableNamesExrAuthorizationKeys.yaml
new file mode 100644
index 000000000..3b9b20270
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-HumanUnderstandableNamesExrAuthorizationKeys.yaml
@@ -0,0 +1,14 @@
+name: revcl-HumanUnderstandableNamesExrAuthorizationKeys
+title: Implement human understandable names for ExR authorization keys to allow for
+ easy identification of the keys purpose/use
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: e2cc95d4-8c6b-4791-bca0-f6c56589e558
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-ManualDeploymentsConfiguration.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-ManualDeploymentsConfiguration.yaml
new file mode 100644
index 000000000..6238c5786
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-ManualDeploymentsConfiguration.yaml
@@ -0,0 +1,13 @@
+name: revcl-ManualDeploymentsConfiguration
+title: For manual deployments, all configuration and deployments must be documented
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: 4604489a-8f42-4d78-b78c-b7a33bd2a0a1
+links: []
+queries: {}
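Review bot: The `guid` in this hunk, `4604489a-8f42-4d78-b78c-b7a33bd2a0a1`, is the hex run of revcl-ExistingUpdateManagementToolingAzureUpdateManagement's guid (`24604489-a8f4-42d7-ae78-cb6a33bd2a09`) shifted by one nibble, with only the version/variant positions differing, and the same overlap shows up between other guids in this change (for example revcl-SingleTierGatewayAzurePortalApis and revcl-AzureVmwareSolutionPrivateCloudsExpressrouteGlobalReach). That looks like the identifiers are derived from a sliding window over one shared string rather than generated independently, which makes collisions far more likely than for random UUIDs and undermines `labels.guid` as a stable unique key. If the guid is meant to be carried over from the source checklist, I would say so in the file (`guid: 4604489a-8f42-4d78-b78c-b7a33bd2a0a1  # stable id from the source checklist; never regenerated`); where new ids are minted, the generator should use `uuid.uuid4()` and reject duplicates before writing. The generator is not on this page, so this is an inference from the visible values.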
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-MinimalPrivateCloudAutomatedDeployments.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-MinimalPrivateCloudAutomatedDeployments.yaml
new file mode 100644
index 000000000..07fb4b027
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-MinimalPrivateCloudAutomatedDeployments.yaml
@@ -0,0 +1,13 @@
+name: revcl-MinimalPrivateCloudAutomatedDeployments
+title: For automated deployments, deploy a minimal private cloud and scale as needed
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: b79b198d-ab81-4932-a9fc-9d1bb78036f5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RdPartySolutionsAccessConstraints.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RdPartySolutionsAccessConstraints.yaml
new file mode 100644
index 000000000..b9bbb5ee0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RdPartySolutionsAccessConstraints.yaml
@@ -0,0 +1,14 @@
+name: revcl-RdPartySolutionsAccessConstraints
+title: Ensure that access constraints to ESXi are understood, there are access limits
+ which might affect 3rd party solutions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: 5d38e53f-9ccb-4d86-a266-acca274faa19
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RelevantResourceLocksAutomatedDeployment.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RelevantResourceLocksAutomatedDeployment.yaml
new file mode 100644
index 000000000..13f04e9d0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RelevantResourceLocksAutomatedDeployment.yaml
@@ -0,0 +1,14 @@
+name: revcl-RelevantResourceLocksAutomatedDeployment
+title: For automated deployment, ensure that relevant resource locks are created through
+ the automation or through Azure Policy for proper governance
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: 0f1cac6d-9ef1-4d5e-a32e-42e3611c818b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RouteServerExrGateway.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RouteServerExrGateway.yaml
new file mode 100644
index 000000000..b25ddbc1d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-RouteServerExrGateway.yaml
@@ -0,0 +1,14 @@
+name: revcl-RouteServerExrGateway
+title: When route server is used, ensure no more then 1000 routes are propagated from
+ route server to ExR gateway to on-premises (ARS limit).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: 563b4dc7-4a74-48b6-933a-d1a0916a6649
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-SeparateServicePrinciplesAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-SeparateServicePrinciplesAzureVmwareSolution.yaml
new file mode 100644
index 000000000..6ee259bae
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-SeparateServicePrinciplesAzureVmwareSolution.yaml
@@ -0,0 +1,14 @@
+name: revcl-SeparateServicePrinciplesAzureVmwareSolution
+title: Use Key vault to store secrets and authorization keys when separate Service
+ Principles are used for deploying Azure VMware Solution and ExpressRoute
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: 255461e2-aee3-4553-afc8-339248b262d6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-SingleTierGatewayAzurePortalApis.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-SingleTierGatewayAzurePortalApis.yaml
new file mode 100644
index 000000000..66ef9e2d7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-SingleTierGatewayAzurePortalApis.yaml
@@ -0,0 +1,14 @@
+name: revcl-SingleTierGatewayAzurePortalApis
+title: When performing automated configuration of NSX-T segments with a single Tier-1
+ gateway, use Azure Portal APIs instead of NSX-Manager APIs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: 1d79a9b2-4604-4489-a8f4-2d78e78cb7a3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VpnConnectionsConnectionMonitor.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VpnConnectionsConnectionMonitor.yaml
new file mode 100644
index 000000000..5d39b5f68
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VpnConnectionsConnectionMonitor.yaml
@@ -0,0 +1,14 @@
+name: revcl-VpnConnectionsConnectionMonitor
+title: Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored
+ using 'connection monitor'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: eb710a37-cbc1-4055-8dd5-a936a8bb7cf5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VrealizeNetworkInsightsVrealizeOperations.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VrealizeNetworkInsightsVrealizeOperations.yaml
new file mode 100644
index 000000000..9d74dcafc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VrealizeNetworkInsightsVrealizeOperations.yaml
@@ -0,0 +1,14 @@
+name: revcl-VrealizeNetworkInsightsVrealizeOperations
+title: 'If deep insight in VMware vSphere is required: Is vRealize Operations and/or
+ vRealize Network Insights used in the solution?'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 2
+labels:
+ guid: 9674c5ed-85b8-459c-9733-be2b1a27b775
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VsanStoragePolicyDefaultStoragePolicy.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VsanStoragePolicyDefaultStoragePolicy.yaml
new file mode 100644
index 000000000..b9f20abf8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VsanStoragePolicyDefaultStoragePolicy.yaml
@@ -0,0 +1,14 @@
+name: revcl-VsanStoragePolicyDefaultStoragePolicy
+title: Ensure the vSAN storage policy for VM's is NOT the default storage policy as
+ this policy applies thick provisioning
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 0
+labels:
+ guid: a91be1f3-88f0-43a4-b2cd-463cbbbc8682
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VsphereContentLibrariesFiniteResource.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VsphereContentLibrariesFiniteResource.yaml
new file mode 100644
index 000000000..d5b9d46fc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Operations/revcl-VsphereContentLibrariesFiniteResource.yaml
@@ -0,0 +1,14 @@
+name: revcl-VsphereContentLibrariesFiniteResource
+title: Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite
+ resource
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Operations
+severity: 1
+labels:
+ guid: d9ef1d5e-832d-442e-9611-c818b0afbc51
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-CorrectAzureVmwareSolutionConnectivityModelCustomerUseCase.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-CorrectAzureVmwareSolutionConnectivityModelCustomerUseCase.yaml
new file mode 100644
index 000000000..9a6e76811
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-CorrectAzureVmwareSolutionConnectivityModelCustomerUseCase.yaml
@@ -0,0 +1,16 @@
+name: revcl-CorrectAzureVmwareSolutionConnectivityModelCustomerUseCase
+title: Is the correct Azure VMware Solution connectivity model selected for the customer
+ use case at hand
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 0
+labels:
+ guid: 9ef1d5e8-32e4-42e3-911c-818b0a0bc510
+links:
+- type: docs
+ url: https://github.com/Azure/AzureCAT-AVS/tree/main/networking
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-HcxWanOptimizationApplianceLowConnectivityRegions.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-HcxWanOptimizationApplianceLowConnectivityRegions.yaml
new file mode 100644
index 000000000..a789abd0c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-HcxWanOptimizationApplianceLowConnectivityRegions.yaml
@@ -0,0 +1,14 @@
+name: revcl-HcxWanOptimizationApplianceLowConnectivityRegions
+title: For low connectivity regions connecting into Azure (500Mbps or less), considering
+ deploying the HCX WAN optimization appliance
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 1
+labels:
+ guid: e614658d-d457-4e92-9139-b821102cad6e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-MaximumLimitsScale.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-MaximumLimitsScale.yaml
new file mode 100644
index 000000000..0e46d8794
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-MaximumLimitsScale.yaml
@@ -0,0 +1,14 @@
+name: revcl-MaximumLimitsScale
+title: Define and enforce scale in/out maximum limits for your environment in the
+ automations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 1
+labels:
+ guid: d20b56c5-7be5-4851-a0f8-3835c586cb29
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-OneScaleOperationScalingOperations.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-OneScaleOperationScalingOperations.yaml
new file mode 100644
index 000000000..043140ce5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-OneScaleOperationScalingOperations.yaml
@@ -0,0 +1,15 @@
+name: revcl-OneScaleOperationScalingOperations
+title: Scaling operations always need to be serialized within a single SDDC as only
+ one scale operation can be performed at a time (even when multiple clusters are
+ used)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 1
+labels:
+ guid: b78036f5-e6bf-4bb9-bd50-3547cc447e82
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-RdPartySolutionsOperations.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-RdPartySolutionsOperations.yaml
new file mode 100644
index 000000000..f7e07123d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-RdPartySolutionsOperations.yaml
@@ -0,0 +1,14 @@
+name: revcl-RdPartySolutionsOperations
+title: Consider and validate scaling operations on 3rd party solutions used in the
+ architecture (supported or not)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 1
+labels:
+ guid: bf15bce2-19e4-4a0e-a588-79424d226786
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-SameAzureAvailabilityZoneRequiredResource.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-SameAzureAvailabilityZoneRequiredResource.yaml
new file mode 100644
index 000000000..74af0cc30
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-SameAzureAvailabilityZoneRequiredResource.yaml
@@ -0,0 +1,13 @@
+name: revcl-SameAzureAvailabilityZoneRequiredResource
+title: Ensure all required resource reside within the same Azure availability zone(s)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 0
+labels:
+ guid: db611712-6904-40b4-aa3d-3e0803276d4b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-StoragePolicyRequirementsAutomated.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-StoragePolicyRequirementsAutomated.yaml
new file mode 100644
index 000000000..7ad48d8f2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-StoragePolicyRequirementsAutomated.yaml
@@ -0,0 +1,14 @@
+name: revcl-StoragePolicyRequirementsAutomated
+title: When intending to use automated scale-in, be sure to take storage policy requirements
+ into account before performing such action
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 1
+labels:
+ guid: d352caaa-b79b-4198-bab8-1932c9fc9d1b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-SufficientAzureVmwareSolutionQuotaAutomatedScaleOut.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-SufficientAzureVmwareSolutionQuotaAutomatedScaleOut.yaml
new file mode 100644
index 000000000..93c392178
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-SufficientAzureVmwareSolutionQuotaAutomatedScaleOut.yaml
@@ -0,0 +1,14 @@
+name: revcl-SufficientAzureVmwareSolutionQuotaAutomatedScaleOut
+title: When intending to use automated scale-out, be sure to apply for sufficient
+ Azure VMware Solution quota for the subscriptions running Azure VMware Solution
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 1
+labels:
+ guid: 3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-VpnConnectionMtuSize.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-VpnConnectionMtuSize.yaml
new file mode 100644
index 000000000..969c320e2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Performance/revcl-VpnConnectionMtuSize.yaml
@@ -0,0 +1,13 @@
+name: revcl-VpnConnectionMtuSize
+title: If using a VPN connection for migrations, adjust your MTU size accordingly.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Performance
+severity: 1
+labels:
+ guid: bc91a43d-90da-4e2c-a881-4706f7c1cbaf
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AppropriateVsanDataRedundancyMethodRaidSpecification.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AppropriateVsanDataRedundancyMethodRaidSpecification.yaml
new file mode 100644
index 000000000..d05511559
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AppropriateVsanDataRedundancyMethodRaidSpecification.yaml
@@ -0,0 +1,13 @@
+name: revcl-AppropriateVsanDataRedundancyMethodRaidSpecification
+title: Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: 3ef7ad7c-6d37-4331-95c7-acbe44bbe609
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AutomatedRecoveryPlansDisasterSolutions.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AutomatedRecoveryPlansDisasterSolutions.yaml
new file mode 100644
index 000000000..f63815617
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AutomatedRecoveryPlansDisasterSolutions.yaml
@@ -0,0 +1,14 @@
+name: revcl-AutomatedRecoveryPlansDisasterSolutions
+title: Use Automated recovery plans with either of the Disaster solutions, avoid manual
+ tasks as much as possible
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: b0afbc51-0e43-4a18-a9cd-289bed6b17db
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureNetappFilesAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureNetappFilesAzureVmwareSolution.yaml
new file mode 100644
index 000000000..58ddce355
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureNetappFilesAzureVmwareSolution.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureNetappFilesAzureVmwareSolution
+title: When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider
+ using this as a VMware datastore instead of attaching directly to a VM.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: e54a29a9-de39-4ac0-b7c2-8dc935657202
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings
+queries: {}
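Review bot: The `links` entry at the end of this hunk points at the Front Door WAF policy-settings page, which is unrelated to using Azure NetApp Files as an AVS datastore, so the recommendation effectively ships with no usable reference. The same mismatch appears in revcl-DisasterRecoverySolutionStretchedCluster, revcl-ExternalDataStorageSolutionsDedicatedExpressrouteGateway and revcl-ExternalDataStorageSolutionsExpressrouteGateway (Front Door best-practice anchors) and in revcl-LargerApplianceMonLimit and revcl-NetworkExtensionsMon (application-proxy pages), which suggests the conversion pairs links with recommendations by the wrong key rather than a one-off copy error. I would either drop the entry (`links: []`) until the correct AVS reference is known or replace it with the page the source checklist actually cites, and have the generator flag any link whose path does not mention the service the recommendation belongs to. I cannot see the conversion step here, so the cause is inferred.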
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureVmwareSolutionPrivateCloudBackupSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureVmwareSolutionPrivateCloudBackupSolution.yaml
new file mode 100644
index 000000000..f16402b40
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureVmwareSolutionPrivateCloudBackupSolution.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionPrivateCloudBackupSolution
+title: Deploy your backup solution in the same region as your Azure VMware Solution
+ private cloud
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: bd352caa-ab79-4b18-adab-81932c9fc9d1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureVmwareSolutionPrivateCloudsExpressrouteGlobalReach.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureVmwareSolutionPrivateCloudsExpressrouteGlobalReach.yaml
new file mode 100644
index 000000000..e9ccdbdbd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-AzureVmwareSolutionPrivateCloudsExpressrouteGlobalReach.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureVmwareSolutionPrivateCloudsExpressrouteGlobalReach
+title: Will ExpressRoute Global Reach be used for connectivity between the primary
+ and secondary Azure VMware Solution Private Clouds or is routing done through network
+ virtual appliances?
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: d1d79a9b-2460-4448-aa8f-42d78e78cb6a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-BackupSolutionNativeComponents.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-BackupSolutionNativeComponents.yaml
new file mode 100644
index 000000000..c9f678fc6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-BackupSolutionNativeComponents.yaml
@@ -0,0 +1,13 @@
+name: revcl-BackupSolutionNativeComponents
+title: Deploy your backup solution outside of vSan, on Azure native components
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: bb77036f-5e6b-4fbb-aed5-03547cc447e8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-BackupSolutionsBusiness.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-BackupSolutionsBusiness.yaml
new file mode 100644
index 000000000..0aef8bcec
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-BackupSolutionsBusiness.yaml
@@ -0,0 +1,15 @@
+name: revcl-BackupSolutionsBusiness
+title: "Have all Backup solutions been considered and a solution that is best for\
+ \ your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/\xEF\xBF\xBD\
+ . ]"
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: 33bd2a09-17e7-4a8d-a0ae-0e27cee29711
+links: []
+queries: {}
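Review bot: The `title` in this hunk contains `\xEF\xBF\xBD`, the UTF-8 bytes of U+FFFD REPLACEMENT CHARACTER, so the original character was already lost when the source checklist was read with the wrong encoding, and every renderer will now show a literal replacement glyph. Judging by the sibling recommendation revcl-DrSolutionsBusiness, whose title ends in `[SRM/JetStream/Zerto/Veeam/...]`, the missing character is most likely an ellipsis, but that is an inference. The fix belongs in the converter (open the checklist with `encoding="utf-8"` and dump with `allow_unicode=True`), after which this file should be regenerated so the title reads `[ MABS/CommVault/Metallic.io/Veeam/... ]` as a plain string.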
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DifferentAddressSpacesDifferentRegions.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DifferentAddressSpacesDifferentRegions.yaml
new file mode 100644
index 000000000..0d8da2feb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DifferentAddressSpacesDifferentRegions.yaml
@@ -0,0 +1,14 @@
+name: revcl-DifferentAddressSpacesDifferentRegions
+title: 'Use 2 different address spaces between the regions, for example: 10.0.0.0/16
+ and 192.168.0.0/16 for the different regions'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: 6cc5f512-9253-498e-9da9-d37dac43bc6c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoveryRequirementEnoughQuota.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoveryRequirementEnoughQuota.yaml
new file mode 100644
index 000000000..598c1880e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoveryRequirementEnoughQuota.yaml
@@ -0,0 +1,14 @@
+name: revcl-DisasterRecoveryRequirementEnoughQuota
+title: Ensure that you have requested enough quota, ensuring you have considered growth
+ and Disaster Recovery requirement
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: d89f2e87-7784-424d-9167-85c6fa95b96a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoverySolutionStretchedCluster.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoverySolutionStretchedCluster.yaml
new file mode 100644
index 000000000..37fa791b9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoverySolutionStretchedCluster.yaml
@@ -0,0 +1,16 @@
+name: revcl-DisasterRecoverySolutionStretchedCluster
+title: If using stretched cluster, ensure that your selected Disaster Recovery solution
+ is supported by the vendor
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: 571549ab-8153-4d89-b89d-c7b33be2b1a2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoveryTechnologyAzureSiteRecovery.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoveryTechnologyAzureSiteRecovery.yaml
new file mode 100644
index 000000000..3fc94e521
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DisasterRecoveryTechnologyAzureSiteRecovery.yaml
@@ -0,0 +1,14 @@
+name: revcl-DisasterRecoveryTechnologyAzureSiteRecovery
+title: Use Azure Site Recovery when the Disaster Recovery technology is native Azure
+ IaaS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: f0f1cac6-d9ef-41d5-b832-d42e3611c818
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DrSolutionsBusiness.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DrSolutionsBusiness.yaml
new file mode 100644
index 000000000..fdf7232b4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-DrSolutionsBusiness.yaml
@@ -0,0 +1,14 @@
+name: revcl-DrSolutionsBusiness
+title: Have all DR solutions been considered and a solution that is best for your
+ business been decided upon? [SRM/JetStream/Zerto/Veeam/...]
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: 5e6bfbb9-ed50-4354-9cc4-47e826028a71
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-ExternalDataStorageSolutionsDedicatedExpressrouteGateway.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-ExternalDataStorageSolutionsDedicatedExpressrouteGateway.yaml
new file mode 100644
index 000000000..ea605bed8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-ExternalDataStorageSolutionsDedicatedExpressrouteGateway.yaml
@@ -0,0 +1,16 @@
+name: revcl-ExternalDataStorageSolutionsDedicatedExpressrouteGateway
+title: Ensure that a dedicated ExpressRoute Gateway is being used for external data
+ storage solutions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: bff4564b-0d93-44a3-98b2-63e7dd60513a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-ExternalDataStorageSolutionsExpressrouteGateway.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-ExternalDataStorageSolutionsExpressrouteGateway.yaml
new file mode 100644
index 000000000..71de12b6c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-ExternalDataStorageSolutionsExpressrouteGateway.yaml
@@ -0,0 +1,16 @@
+name: revcl-ExternalDataStorageSolutionsExpressrouteGateway
+title: Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used
+ for external data storage solutions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: 3649906e-bad3-48ea-b53c-c7de1d8aaab3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-FiniteResourceBackups.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-FiniteResourceBackups.yaml
new file mode 100644
index 000000000..5bd3d61f4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-FiniteResourceBackups.yaml
@@ -0,0 +1,13 @@
+name: revcl-FiniteResourceBackups
+title: Ensure backups are not stored on vSAN as vSAN is a finite resource
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: 25398e6d-b9d3-47da-a43b-c6cd1d79a9b2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-LargerApplianceMonLimit.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-LargerApplianceMonLimit.yaml
new file mode 100644
index 000000000..fb5244079
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-LargerApplianceMonLimit.yaml
@@ -0,0 +1,18 @@
+name: revcl-LargerApplianceMonLimit
+title: When using MON, be aware of the limits of simulataneously configured VMs (MON
+ Limit for HCX [400 - standard, 1000 - Larger appliance])
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-NetworkExtensionsMon.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-NetworkExtensionsMon.yaml
new file mode 100644
index 000000000..6425a3cce
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-NetworkExtensionsMon.yaml
@@ -0,0 +1,17 @@
+name: revcl-NetworkExtensionsMon
+title: When using MON, you cannot enable MON on more than 100 Network extensions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: be1f38cf-03a8-422b-b463-cbbbc8ac299e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-PremisesApplianceCloudAppliance.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-PremisesApplianceCloudAppliance.yaml
new file mode 100644
index 000000000..4130eff53
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-PremisesApplianceCloudAppliance.yaml
@@ -0,0 +1,14 @@
+name: revcl-PremisesApplianceCloudAppliance
+title: Ensure that migrations are started from the on-premises appliance and NOT from
+ the Cloud appliance (do NOT perform a reverse migration)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: ae01e6e8-43e5-42f4-922d-928c1b1cd521
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-SecondaryDisasterRecoveryEnvironmentGeopoliticalRegionPair.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-SecondaryDisasterRecoveryEnvironmentGeopoliticalRegionPair.yaml
new file mode 100644
index 000000000..8e7c0413f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-SecondaryDisasterRecoveryEnvironmentGeopoliticalRegionPair.yaml
@@ -0,0 +1,13 @@
+name: revcl-SecondaryDisasterRecoveryEnvironmentGeopoliticalRegionPair
+title: Use the geopolitical region pair as the secondary disaster recovery environment
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 1
+labels:
+ guid: 8255461e-2aee-4345-9aec-8339248b262d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-SiteDisasterToleranceSettingsBusiness.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-SiteDisasterToleranceSettingsBusiness.yaml
new file mode 100644
index 000000000..b5da576b2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-SiteDisasterToleranceSettingsBusiness.yaml
@@ -0,0 +1,16 @@
+name: revcl-SiteDisasterToleranceSettingsBusiness
+title: Have site disaster tolerance settings been properly considered and changed
+ for your business if needed.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: dce9793b-7bcd-4b3b-91eb-2ec14eea6e59
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterExpressrouteCircuits-1.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterExpressrouteCircuits-1.yaml
new file mode 100644
index 000000000..526c51d7c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterExpressrouteCircuits-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-StretchedClusterExpressrouteCircuits-1
+title: If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach
+ enabled.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: c49d987c-b3d1-4325-aa12-4b6e4d0685ed
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterExpressrouteCircuits.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterExpressrouteCircuits.yaml
new file mode 100644
index 000000000..0b9ff8651
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterExpressrouteCircuits.yaml
@@ -0,0 +1,16 @@
+name: revcl-StretchedClusterExpressrouteCircuits
+title: If using stretched cluster, ensure that both ExpressRoute circuits are connected
+ to your connectivity hub.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: 9579d66b-896d-471f-a6ca-7be9955d04c3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterSla.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterSla.yaml
new file mode 100644
index 000000000..1121eaeaf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-StretchedClusterSla.yaml
@@ -0,0 +1,15 @@
+name: revcl-StretchedClusterSla
+title: If using stretched cluster, ensure that the SLA provided will meet your requirements
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: 4c486b6d-8bdc-4059-acf7-5ee8a1309888
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-VmwareComponentsAzurePlatform.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-VmwareComponentsAzurePlatform.yaml
new file mode 100644
index 000000000..7b98248fa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-VmwareComponentsAzurePlatform.yaml
@@ -0,0 +1,14 @@
+name: revcl-VmwareComponentsAzurePlatform
+title: Is a process in place to request a restore of the VMware components managed
+ by the Azure Platform?
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 2
+labels:
+ guid: 26028a71-f0f1-4cac-9d9e-f1d5e832d42e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-VsanStorageNeedsToleratePolicy.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-VsanStorageNeedsToleratePolicy.yaml
new file mode 100644
index 000000000..d1bbaffe0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Reliability/revcl-VsanStorageNeedsToleratePolicy.yaml
@@ -0,0 +1,14 @@
+name: revcl-VsanStorageNeedsToleratePolicy
+title: Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage
+ needs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Reliability
+severity: 0
+labels:
+ guid: d88408f3-7273-44c8-96ba-280214590146
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AddsDomainControllerSIdentitySubscription.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AddsDomainControllerSIdentitySubscription.yaml
new file mode 100644
index 000000000..eb6365240
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AddsDomainControllerSIdentitySubscription.yaml
@@ -0,0 +1,14 @@
+name: revcl-AddsDomainControllerSIdentitySubscription
+title: Ensure ADDS domain controller(s) are deployed in the identity subscription
+ in native Azure
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: 32e42e36-11c8-418b-8a0b-c510e43a18a9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AdvancedThreatDetectionAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AdvancedThreatDetectionAzureVmwareSolution.yaml
new file mode 100644
index 000000000..39c837352
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AdvancedThreatDetectionAzureVmwareSolution.yaml
@@ -0,0 +1,14 @@
+name: revcl-AdvancedThreatDetectionAzureVmwareSolution
+title: Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for
+ workloads running on Azure VMware Solution
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 9ccbd869-266a-4cca-874f-aa19bf39d95d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ApplicableComplianceBaselinesMicrosoftDefender.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ApplicableComplianceBaselinesMicrosoftDefender.yaml
new file mode 100644
index 000000000..831a583ee
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ApplicableComplianceBaselinesMicrosoftDefender.yaml
@@ -0,0 +1,13 @@
+name: revcl-ApplicableComplianceBaselinesMicrosoftDefender
+title: Are the applicable compliance baselines added to Microsoft Defender for Cloud
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: c9fc9d1b-b780-436f-9e6b-fbb9ed503547
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureKeyVaultGuestEncryption.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureKeyVaultGuestEncryption.yaml
new file mode 100644
index 000000000..41305c480
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureKeyVaultGuestEncryption.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureKeyVaultGuestEncryption
+title: When in-guest encryption is used, store encryption keys in Azure Key vault
+ when possible
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 2
+labels:
+ guid: a3592718-e6e2-4051-9267-6ae46691e883
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAddsSites.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAddsSites.yaml
new file mode 100644
index 000000000..0e298aa9d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAddsSites.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionAddsSites
+title: Ensure ADDS sites and services is configured to keep authentication requests
+ from Azure-based resources (including Azure VMware Solution) local to Azure
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 75089c20-990d-4927-b105-885576f76fc2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAutomaticHostReplacementNotificationsValidEntraIdEnabledAccount.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAutomaticHostReplacementNotificationsValidEntraIdEnabledAccount.yaml
new file mode 100644
index 000000000..25054a7e6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAutomaticHostReplacementNotificationsValidEntraIdEnabledAccount.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureVmwareSolutionAutomaticHostReplacementNotificationsValidEntraIdEnabledAccount
+title: If using Privileged Identity Management is being used, ensure that a valid
+ Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution
+ Automatic Host replacement notifications. (standing permissions required)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 78c447a8-26b2-4863-af0f-1cac599ef1d5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAzureArc.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAzureArc.yaml
new file mode 100644
index 000000000..6478e42b6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionAzureArc.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureVmwareSolutionAzureArc
+title: Use Azure ARC for Servers to properly govern workloads running on Azure VMware
+ Solution using Azure native technologies (Azure ARC for Azure VMware Solution is
+ not yet available)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 44c7c891-9ca1-4f6d-9315-ae524ba34d45
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionDeploymentAzureRegions.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionDeploymentAzureRegions.yaml
new file mode 100644
index 000000000..e2fdd04f9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionDeploymentAzureRegions.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionDeploymentAzureRegions
+title: Was data residency evaluated when selecting Azure regions to use for Azure
+ VMware Solution deployment
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: cc447e82-6128-4a71-b0f1-cac6d9ef1d5e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionGuestVmWorkloadsAzureArc.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionGuestVmWorkloadsAzureArc.yaml
new file mode 100644
index 000000000..d9a4c25d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionGuestVmWorkloadsAzureArc.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionGuestVmWorkloadsAzureArc
+title: Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM
+ workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 41741583-3ef7-4ad7-a6d3-733165c7acbe
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionGuestVmWorkloadsMicrosoftDefender.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionGuestVmWorkloadsMicrosoftDefender.yaml
new file mode 100644
index 000000000..f58f5ced8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionGuestVmWorkloadsMicrosoftDefender.yaml
@@ -0,0 +1,13 @@
+name: revcl-AzureVmwareSolutionGuestVmWorkloadsMicrosoftDefender
+title: Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 48b262d6-cc5f-4512-a253-98e6db9d37da
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionMicrosoftDefender-1.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionMicrosoftDefender-1.yaml
new file mode 100644
index 000000000..ab9f48d58
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionMicrosoftDefender-1.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionMicrosoftDefender-1
+title: Ensure workloads running on Azure VMware Solution are onboarded to Microsoft
+ Defender for Cloud
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: aee3553a-fc83-4392-98b2-62d6cc5f5129
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionMicrosoftDefender.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionMicrosoftDefender.yaml
new file mode 100644
index 000000000..b8f2bc23d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionMicrosoftDefender.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionMicrosoftDefender
+title: Use Microsoft Defender for Cloud for compliance monitoring of workloads running
+ on Azure VMware Solution
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: ee29711b-d352-4caa-ab79-b198dab81932
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionResourceAzurePortal.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionResourceAzurePortal.yaml
new file mode 100644
index 000000000..97586718d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionResourceAzurePortal.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionResourceAzurePortal
+title: Is Privileged Identity Management implemented for roles managing the Azure
+ VMware Solution resource in the Azure Portal (no standing permissions allowed)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: 6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionResourceRbacPermissions.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionResourceRbacPermissions.yaml
new file mode 100644
index 000000000..c14ddd5ef
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-AzureVmwareSolutionResourceRbacPermissions.yaml
@@ -0,0 +1,14 @@
+name: revcl-AzureVmwareSolutionResourceRbacPermissions
+title: RBAC permissions on the Azure VMware Solution resource in Azure are 'locked
+ down' to a limited set of owners only
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: d503547c-c447-4e82-9128-a71f0f1cac6d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CentralizedIdentityProviderAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CentralizedIdentityProviderAzureVmwareSolution.yaml
new file mode 100644
index 000000000..d904af750
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CentralizedIdentityProviderAzureVmwareSolution.yaml
@@ -0,0 +1,14 @@
+name: revcl-CentralizedIdentityProviderAzureVmwareSolution
+title: Use a centralized identity provider to be used for workloads (VM's) running
+ on Azure VMware Solution
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: 586cb291-ec16-4a1d-876e-f9f141acdce5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CloudadminAccountVcenterIdp.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CloudadminAccountVcenterIdp.yaml
new file mode 100644
index 000000000..16f0defd0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CloudadminAccountVcenterIdp.yaml
@@ -0,0 +1,13 @@
+name: revcl-CloudadminAccountVcenterIdp
+title: CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: b9d37dac-43bc-46cd-8d79-a9b24604489a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CloudadminPermittedAuthorizationsCustomRoles.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CloudadminPermittedAuthorizationsCustomRoles.yaml
new file mode 100644
index 000000000..930502477
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CloudadminPermittedAuthorizationsCustomRoles.yaml
@@ -0,0 +1,13 @@
+name: revcl-CloudadminPermittedAuthorizationsCustomRoles
+title: Ensure all custom roles are scoped with CloudAdmin permitted authorizations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: fd9f0df4-68dc-4976-b9a9-e6a79f7682c5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CustomRbacRolesPrivilegeModel.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CustomRbacRolesPrivilegeModel.yaml
new file mode 100644
index 000000000..f978165f1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CustomRbacRolesPrivilegeModel.yaml
@@ -0,0 +1,14 @@
+name: revcl-CustomRbacRolesPrivilegeModel
+title: Create custom RBAC roles in vCenter to implement a least-privilege model inside
+ vCenter
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: d329f798-bc17-48bd-a5a0-6ca7144351d1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CustomerManagedKeyComplianceReason.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CustomerManagedKeyComplianceReason.yaml
new file mode 100644
index 000000000..e27e753c1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-CustomerManagedKeyComplianceReason.yaml
@@ -0,0 +1,14 @@
+name: revcl-CustomerManagedKeyComplianceReason
+title: Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance
+ reason(s).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 547c1747-dc56-4068-a714-435cd19dd244
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DataProcessingImplicationsServiceConsumerModel.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DataProcessingImplicationsServiceConsumerModel.yaml
new file mode 100644
index 000000000..4e81829d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DataProcessingImplicationsServiceConsumerModel.yaml
@@ -0,0 +1,14 @@
+name: revcl-DataProcessingImplicationsServiceConsumerModel
+title: Are data processing implications (service provider / service consumer model)
+ clear and documented
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: 832e42e3-611c-4818-a0a0-bc510e43a18a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DdosStandardProtectionExrVpnGatewaySubnet.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DdosStandardProtectionExrVpnGatewaySubnet.yaml
new file mode 100644
index 000000000..4c279a4d1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DdosStandardProtectionExrVpnGatewaySubnet.yaml
@@ -0,0 +1,13 @@
+name: revcl-DdosStandardProtectionExrVpnGatewaySubnet
+title: Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 334fdf91-c234-4182-a652-75269440b4be
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DedicatedPrivilegedAccessWorkstationAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DedicatedPrivilegedAccessWorkstationAzureVmwareSolution.yaml
new file mode 100644
index 000000000..8bdfeb879
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-DedicatedPrivilegedAccessWorkstationAzureVmwareSolution.yaml
@@ -0,0 +1,14 @@
+name: revcl-DedicatedPrivilegedAccessWorkstationAzureVmwareSolution
+title: Use a dedicated privileged access workstation (PAW) to manage Azure VMware
+ Solution, vCenter, NSX manager and HCX manager
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 3d3e0843-276d-44bd-a015-bcf219e4a1eb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-EastWestTrafficFilteringNsxT.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-EastWestTrafficFilteringNsxT.yaml
new file mode 100644
index 000000000..362dffb64
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-EastWestTrafficFilteringNsxT.yaml
@@ -0,0 +1,13 @@
+name: revcl-EastWestTrafficFilteringNsxT
+title: Is East-West traffic filtering implemented within NSX-T
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 79377bcd-b375-41ab-8ab0-ead66e15d3d4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ExtendedSecurityUpdateSupportAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ExtendedSecurityUpdateSupportAzureVmwareSolution.yaml
new file mode 100644
index 000000000..de22cd73d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ExtendedSecurityUpdateSupportAzureVmwareSolution.yaml
@@ -0,0 +1,14 @@
+name: revcl-ExtendedSecurityUpdateSupportAzureVmwareSolution
+title: Consider using extended security update support for workloads running on Azure
+ VMware Solution (Azure VMware Solution is eligible for ESU)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 5ac94222-3e13-4810-9230-81a941741583
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ExternalIdentityProviderNsxManager.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ExternalIdentityProviderNsxManager.yaml
new file mode 100644
index 000000000..56ad419d1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-ExternalIdentityProviderNsxManager.yaml
@@ -0,0 +1,13 @@
+name: revcl-ExternalIdentityProviderNsxManager
+title: Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: 53d88e89-d17b-473b-82a5-a67e7a9ed5b3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-InboundInternetRequestsAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-InboundInternetRequestsAzureVmwareSolution.yaml
new file mode 100644
index 000000000..4e6be9609
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-InboundInternetRequestsAzureVmwareSolution.yaml
@@ -0,0 +1,14 @@
+name: revcl-InboundInternetRequestsAzureVmwareSolution
+title: Auditing and logging is implemented for inbound internet requests to Azure
+ VMware Solution and Azure VMware Solution based workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: eace4cb1-deb4-4c65-8c3f-c14eeab36938
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-LimitUseCloudadminAccount.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-LimitUseCloudadminAccount.yaml
new file mode 100644
index 000000000..bc429e067
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-LimitUseCloudadminAccount.yaml
@@ -0,0 +1,13 @@
+name: revcl-LimitUseCloudadminAccount
+title: Limit use of CloudAdmin account to emergency access only
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: 8defc4d7-21d3-41d2-90fb-707ae9eab40e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-NsxCredentialsProcess.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-NsxCredentialsProcess.yaml
new file mode 100644
index 000000000..b83986484
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-NsxCredentialsProcess.yaml
@@ -0,0 +1,14 @@
+name: revcl-NsxCredentialsProcess
+title: Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX)
+ credentials
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 9dd24429-eb72-4281-97a1-51c5bb4e4f18
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-OtherAzureNativeServicesAzurePrivateLink.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-OtherAzureNativeServicesAzurePrivateLink.yaml
new file mode 100644
index 000000000..bf04d36e7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-OtherAzureNativeServicesAzurePrivateLink.yaml
@@ -0,0 +1,13 @@
+name: revcl-OtherAzureNativeServicesAzurePrivateLink
+title: Consider the use of Azure Private-Link when using other Azure Native Services
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 6691e883-5ac9-4422-83e1-3810523081a9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-OutboundInternetConnectionsAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-OutboundInternetConnectionsAzureVmwareSolution.yaml
new file mode 100644
index 000000000..bec27f7bb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-OutboundInternetConnectionsAzureVmwareSolution.yaml
@@ -0,0 +1,15 @@
+name: revcl-OutboundInternetConnectionsAzureVmwareSolution
+title: Session monitoring is implemented for outbound internet connections from Azure
+ VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious
+ activity
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: 29e3eec2-1836-487a-8077-a2b5945bda43
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-PrivilegedIdentityManagementAuditReportingAzureVmwareSolutionPimRoles.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-PrivilegedIdentityManagementAuditReportingAzureVmwareSolutionPimRoles.yaml
new file mode 100644
index 000000000..c6d1f25b1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-PrivilegedIdentityManagementAuditReportingAzureVmwareSolutionPimRoles.yaml
@@ -0,0 +1,14 @@
+name: revcl-PrivilegedIdentityManagementAuditReportingAzureVmwareSolutionPimRoles
+title: Privileged Identity Management audit reporting should be implemented for the
+ Azure VMware Solution PIM roles
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: c4e2436b-b336-4d71-9f17-960eee0b9b5c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RbacModelVmwareVsphere.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RbacModelVmwareVsphere.yaml
new file mode 100644
index 000000000..45bd4b58e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RbacModelVmwareVsphere.yaml
@@ -0,0 +1,13 @@
+name: revcl-RbacModelVmwareVsphere
+title: Has an RBAC model been created for use within VMware vSphere
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: ae0e37ce-e297-411b-b352-caaab79b198d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RbacPermissionsAddsGroups.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RbacPermissionsAddsGroups.yaml
new file mode 100644
index 000000000..796c14a11
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RbacPermissionsAddsGroups.yaml
@@ -0,0 +1,13 @@
+name: revcl-RbacPermissionsAddsGroups
+title: RBAC permissions should be granted on ADDS groups and not on specific users
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RdPartySolutionsAzureVmwareSolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RdPartySolutionsAzureVmwareSolution.yaml
new file mode 100644
index 000000000..a4645f324
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-RdPartySolutionsAzureVmwareSolution.yaml
@@ -0,0 +1,15 @@
+name: revcl-RdPartySolutionsAzureVmwareSolution
+title: Workloads on Azure VMware Solution are not directly exposed to the internet.
+ Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or
+ 3rd party solutions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: a2adb1c3-d232-46af-825c-a44e1695fddd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-SecureProtocolConnection.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-SecureProtocolConnection.yaml
new file mode 100644
index 000000000..3f3108b92
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-SecureProtocolConnection.yaml
@@ -0,0 +1,14 @@
+name: revcl-SecureProtocolConnection
+title: Ensure that the connection from vCenter to ADDS is using a secure protocol
+ (LDAPS)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 1
+labels:
+ guid: cd289ced-6b17-4db8-8554-61e2aee3553a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-SufficientDataEncryptionGuestDiskEncryption.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-SufficientDataEncryptionGuestDiskEncryption.yaml
new file mode 100644
index 000000000..1a249585e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-SufficientDataEncryptionGuestDiskEncryption.yaml
@@ -0,0 +1,15 @@
+name: revcl-SufficientDataEncryptionGuestDiskEncryption
+title: Ensure workloads on Azure VMware Solution use sufficient data encryption during
+ run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is
+ default)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 2
+labels:
+ guid: 85e12139-bd7b-4b01-8f7b-95ef6e043e2a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-UserAccountsVcenter.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-UserAccountsVcenter.yaml
new file mode 100644
index 000000000..3db3a54ef
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/Security/revcl-UserAccountsVcenter.yaml
@@ -0,0 +1,14 @@
+name: revcl-UserAccountsVcenter
+title: Ensure that vCenter is connected to ADDS to enable authentication based on
+ 'named user accounts'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.avs/privateclouds
+waf: Security
+severity: 0
+labels:
+ guid: de3aad1e-7c28-4ec9-9666-b7570449aa80
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureMonitorAlertWarningThresholdsVmwareVsanDatastoreSlackSpace.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureMonitorAlertWarningThresholdsVmwareVsanDatastoreSlackSpace.yaml
new file mode 100644
index 000000000..c4f4d66d8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureMonitorAlertWarningThresholdsVmwareVsanDatastoreSlackSpace.yaml
@@ -0,0 +1,61 @@
+name: aprl-AzureMonitorAlertWarningThresholdsVmwareVsanDatastoreSlackSpace
+title: Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization
+description: |-
+ Ensure VMware vSAN datastore slack space is maintained for SLA by monitoring storage utilization and setting alerts at 70% and 75% utilization to allow for capacity planning. To expand, add hosts or external storage like Azure Elastic SAN, Azure NetApp Files, if CPU and RAM requirements are met.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 0
+labels:
+ guid: 4232eb32-3241-4049-9e14-9b8005817b56
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure VMware Solution resources that don't have a vSAN capacity critical alert with a threshold of 75% or a warning capacity of 70%.
+ (
+ resources
+ | where ['type'] == "microsoft.avs/privateclouds"
+ | extend scopeId = tolower(tostring(id))
+ | project ['scopeId'], name, id, tags
+ | join kind=leftouter (
+ resources
+ | where type == "microsoft.insights/metricalerts"
+ | extend alertProperties = todynamic(properties)
+ | mv-expand alertProperties.scopes
+ | mv-expand alertProperties.criteria.allOf
+ | extend scopeId = tolower(tostring(alertProperties_scopes))
+ | extend metric = alertProperties_criteria_allOf.metricName
+ | extend threshold = alertProperties_criteria_allOf.threshold
+ | project scopeId, tostring(metric), toint(['threshold'])
+ | where metric == "DiskUsedPercentage"
+ | where threshold == 75
+ ) on scopeId
+ | where isnull(['threshold'])
+ | project recommendationId = "4232eb32-3241-4049-9e14-9b8005817b56", name, id, tags, param1 = "vsanCapacityCriticalAlert: isNull or threshold != 75"
+ )
+ | union (
+ resources
+ | where ['type'] == "microsoft.avs/privateclouds"
+ | extend scopeId = tolower(tostring(id))
+ | project ['scopeId'], name, id, tags
+ | join kind=leftouter (
+ resources
+ | where type == "microsoft.insights/metricalerts"
+ | extend alertProperties = todynamic(properties)
+ | mv-expand alertProperties.scopes
+ | mv-expand alertProperties.criteria.allOf
+ | extend scopeId = tolower(tostring(alertProperties_scopes))
+ | extend metric = alertProperties_criteria_allOf.metricName
+ | extend threshold = alertProperties_criteria_allOf.threshold
+ | project scopeId, tostring(metric), toint(['threshold'])
+ | where metric == "DiskUsedPercentage"
+ | where threshold == 70
+ ) on scopeId
+ | where isnull(['threshold'])
+ | project recommendationId = "4232eb32-3241-4049-9e14-9b8005817b56", name, id, tags, param1 = "vsanCapacityWarningAlert: isNull or threshold != 70"
+ )
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureServiceHealthNotificationsServiceRequestSubmissions.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureServiceHealthNotificationsServiceRequestSubmissions.yaml
new file mode 100644
index 000000000..3901d0bb6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureServiceHealthNotificationsServiceRequestSubmissions.yaml
@@ -0,0 +1,56 @@
+name: aprl-AzureServiceHealthNotificationsServiceRequestSubmissions
+title: Configure Azure Service Health notifications and alerts for Azure VMware Solution
+description: |-
+ Ensure Azure Service Health notifications are set for Azure VMware Solution across all used regions and subscriptions. This communicates service/security issues and maintenance activities like host replacements and upgrades, reducing service request submissions.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 0
+labels:
+ guid: 74fcb9f2-9a25-49a6-8c42-d32851c4afb7
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure VMware Solution resources that don't have one or more service health alerts covering AVS private clouds in the deployed subscription and region pairs.
+ //full list of private clouds
+ (resources
+ | where ['type'] == "microsoft.avs/privateclouds"
+ | extend locale = tolower(location)
+ | extend subscriptionId = tolower(subscriptionId)
+ | project id, name, tags, subscriptionId, locale)
+ | join kind=leftouter
+ //Alert ID's that include all incident types filtered by AVS Service Health alerts
+ ((resources
+ | where type == "microsoft.insights/activitylogalerts"
+ | extend alertproperties = todynamic(properties)
+ | where alertproperties.condition.allOf[0].field == "category" and alertproperties.condition.allOf[0].equals == "ServiceHealth"
+ | where alertproperties.condition.allOf[1].field == "properties.impactedServices[*].ServiceName" and set_has_element(alertproperties.condition.allOf[1].containsAny, "Azure VMware Solution")
+ | extend locale = strcat_array(split(tolower(alertproperties.condition.allOf[2].containsAny),' '), '')
+ | mv-expand todynamic(locale)
+ | where locale != "global"
+ | project subscriptionId, tostring(locale) )
+ | union
+ //Alert ID's that include only some of the incident types after filtering by service health alerts covering AVS private clouds.
+ (resources
+ | where type == "microsoft.insights/activitylogalerts"
+ | extend subscriptionId = tolower(subscriptionId)
+ | extend alertproperties = todynamic(properties)
+ | where alertproperties.condition.allOf[0].field == "category" and alertproperties.condition.allOf[0].equals == "ServiceHealth"
+ | where alertproperties.condition.allOf[2].field == "properties.impactedServices[*].ServiceName" and set_has_element(alertproperties.condition.allOf[2].containsAny, "Azure VMware Solution")
+ | extend locale = strcat_array(split(tolower(alertproperties.condition.allOf[3].containsAny),' '), '')
+ | mv-expand todynamic(locale)
+ | mv-expand alertproperties.condition.allOf[1].anyOf
+ | extend incidentType = alertproperties_condition_allOf_1_anyOf.equals
+ | where locale != "global"
+ | project id, subscriptionId, locale, incidentType
+ | distinct subscriptionId, tostring(locale), tostring(incidentType)
+ | summarize incidentTypes=count() by subscriptionId, locale
+ | where incidentTypes == 5 //only include this subscription, region pair if it includes all the incident types.
+ | project subscriptionId, locale)) on subscriptionId, locale
+ | where subscriptionId1 == "" or locale1 == "" or isnull(subscriptionId1) or isnull(locale1)
+ | project recommendationId = "74fcb9f2-9a25-49a6-8c42-d32851c4afb7", name, id, tags, param1 = "avsServiceHealthAlertsAllIncidentTypesConfigured: False"
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionClusterSizeProactiveResourceMonitoring.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionClusterSizeProactiveResourceMonitoring.yaml
new file mode 100644
index 000000000..3d41b8654
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionClusterSizeProactiveResourceMonitoring.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureVmwareSolutionClusterSizeProactiveResourceMonitoring
+title: Monitor when Azure VMware Solution Cluster Size is approaching the host limit
+description: |-
+ Alert when the cluster size reaches 14 hosts. Set up periodic alerts for planning new clusters or datastores due to growth, especially from storage needs. Beyond 14 hosts, trigger alerts for each new host addition for proactive resource monitoring.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 1
+labels:
+ guid: f86355e3-de7c-4dad-8080-1b0b411e66c8
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudNewPrivateCloud.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudNewPrivateCloud.yaml
new file mode 100644
index 000000000..a74e8a50c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudNewPrivateCloud.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureVmwareSolutionPrivateCloudNewPrivateCloud
+title: Monitor when Azure VMware Solution Private Cloud is reaching the capacity limit
+description: |-
+ Set an alert for when the node count in Azure VMware Solution Private Cloud hits or exceeds 90 hosts, enabling timely planning for a new private cloud.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 1
+labels:
+ guid: 29d7a115-dfb6-4df1-9205-04824109548f
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudResourceGroupResourceDeleteLock.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudResourceGroupResourceDeleteLock.yaml
new file mode 100644
index 000000000..d5178f3cb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudResourceGroupResourceDeleteLock.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureVmwareSolutionPrivateCloudResourceGroupResourceDeleteLock
+title: Apply Resource delete lock on the resource group hosting the private cloud
+description: |-
+ Applying a resource delete lock to the Azure VMware Solution Private Cloud resource group prevents unauthorized or accidental deletion by anyone with contributor access, ensuring the protection and reliability of the Azure VMware Solution Private Cloud.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 0
+labels:
+ guid: a5ef7c05-c611-4842-9af5-11efdc99123a
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudsMultipleDnsServers.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudsMultipleDnsServers.yaml
new file mode 100644
index 000000000..b76a1869d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionPrivateCloudsMultipleDnsServers.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureVmwareSolutionPrivateCloudsMultipleDnsServers
+title: Use multiple DNS servers per private FQDN zone
+description: |-
+ Azure VMware Solution private clouds support up to three DNS servers for a single FQDN, preventing a single DNS server from becoming a point of failure. It's crucial to use multiple DNS servers for on-premises FQDN resolution from each private cloud.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 0
+labels:
+ guid: fcc2e257-23af-4c68-aac8-9cc03033c939
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionSynchronousStorageReplication.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionSynchronousStorageReplication.yaml
new file mode 100644
index 000000000..26529be34
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionSynchronousStorageReplication.yaml
@@ -0,0 +1,25 @@
+name: aprl-AzureVmwareSolutionSynchronousStorageReplication
+title: Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore
+description: |-
+ For Azure VMware Solution, enabling Stretched Clusters offers 99.99% SLA, synchronous storage replication (RPO=0), and spreads vSAN datastore across two AZs. Must be done at initial setup, needing double quota due to extension across AZs.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 2
+labels:
+ guid: 9ec5b4c8-3dd8-473a-86ee-3273290331b9
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure VMware Solution resources that aren't configured as stretched clusters and in supported regions.
+ resources
+ | where ['type'] == "microsoft.avs/privateclouds"
+ | extend avsproperties = todynamic(properties)
+ | where avsproperties.availability.strategy != "DualZone"
+ | where location in ("uksouth", "westeurope", "germanywestcentral", "australiaeast")
+ | project recommendationId = "9ec5b4c8-3dd8-473a-86ee-3273290331b9", name, id, tags, param1 = "stretchClusters: Disabled"
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionSyslogsQuickerIssueResolution.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionSyslogsQuickerIssueResolution.yaml
new file mode 100644
index 000000000..da60b5d02
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-AzureVmwareSolutionSyslogsQuickerIssueResolution.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureVmwareSolutionSyslogsQuickerIssueResolution
+title: Configure Syslog in Diagnostic Settings for Azure VMware Solution
+description: |-
+ Ensure Diagnostic Settings are configured for each private cloud to send syslogs to external sources for analysis and/or archiving. Azure VMware Solution Syslogs contain data for troubleshooting and performance, aiding quicker issue resolution and early detection of issues.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 0
+labels:
+ guid: fa4ab927-bced-429a-971a-53350de7f14b
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-DynamicWorkloadResourceManagementHostResourceExhaustion.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-DynamicWorkloadResourceManagementHostResourceExhaustion.yaml
new file mode 100644
index 000000000..b57e7f5f0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-DynamicWorkloadResourceManagementHostResourceExhaustion.yaml
@@ -0,0 +1,38 @@
+name: aprl-DynamicWorkloadResourceManagementHostResourceExhaustion
+title: Monitor CPU Utilization to ensure sufficient resources for workloads
+description: |-
+ Ensure sufficient compute resources to avoid host resource exhaustion in Azure VMware Solution, which utilizes vSphere DRS and HA for dynamic workload resource management. However, sustained CPU utilization over 95% may increase CPU Ready times, impacting workloads.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 1
+labels:
+ guid: 4ee5d535-c47b-470a-9557-4a3dd297d62f
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure VMware Solution resources that don't have a Cluster CPU capacity critical alert with a threshold of 95%.
+ resources
+ | where ['type'] == "microsoft.avs/privateclouds"
+ | extend scopeId = tolower(tostring(id))
+ | project ['scopeId'], name, id, tags
+ | join kind=leftouter (
+ resources
+ | where type == "microsoft.insights/metricalerts"
+ | extend alertProperties = todynamic(properties)
+ | mv-expand alertProperties.scopes
+ | mv-expand alertProperties.criteria.allOf
+ | extend scopeId = tolower(tostring(alertProperties_scopes))
+ | extend metric = alertProperties_criteria_allOf.metricName
+ | extend threshold = alertProperties_criteria_allOf.threshold
+ | project scopeId, tostring(metric), toint(['threshold'])
+ | where metric == "EffectiveCpuAverage"
+ | where threshold == 95
+ ) on scopeId
+ | where isnull(['threshold'])
+ | project recommendationId = "4ee5d535-c47b-470a-9557-4a3dd297d62f", name, id, tags, param1 = "hostCpuCriticalAlert: isNull or threshold != 95"
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-HostResourceExhaustionDynamicWorkloadManagement.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-HostResourceExhaustionDynamicWorkloadManagement.yaml
new file mode 100644
index 000000000..cebcf7bf2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-HostResourceExhaustionDynamicWorkloadManagement.yaml
@@ -0,0 +1,38 @@
+name: aprl-HostResourceExhaustionDynamicWorkloadManagement
+title: Monitor Memory Utilization to ensure sufficient resources for workloads
+description: |-
+ Ensure sufficient memory resources to prevent host resource exhaustion in Azure VMware Solution. It uses vSphere DRS and vSphere HA for dynamic workload management. Yet, continuous memory use over 95% leads to disk swapping, affecting workloads.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 1
+labels:
+ guid: 029208c8-5186-4a76-8ee8-6e3445fef4dd
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure VMware Solution resources that don't have a cluster host memory critical alert with a threshold of 95%.
+ resources
+ | where ['type'] == "microsoft.avs/privateclouds"
+ | extend scopeId = tolower(tostring(id))
+ | project ['scopeId'], name, id, tags
+ | join kind=leftouter (
+ resources
+ | where type == "microsoft.insights/metricalerts"
+ | extend alertProperties = todynamic(properties)
+ | mv-expand alertProperties.scopes
+ | mv-expand alertProperties.criteria.allOf
+ | extend scopeId = tolower(tostring(alertProperties_scopes))
+ | extend metric = alertProperties_criteria_allOf.metricName
+ | extend threshold = alertProperties_criteria_allOf.threshold
+ | project scopeId, tostring(metric), toint(['threshold'])
+ | where metric == "UsageAverage"
+ | where threshold == 95
+ ) on scopeId
+ | where isnull(['threshold'])
+ | project recommendationId = "029208c8-5186-4a76-8ee8-6e3445fef4dd", name, id, tags, param1 = "hostMemoryCriticalAlert: isNull or threshold != 95"
diff --git a/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-VsanDatastoreCustomerManagedKeysAzureKeyVault.yaml b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-VsanDatastoreCustomerManagedKeysAzureKeyVault.yaml
new file mode 100644
index 000000000..05a0da21d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAVS-privateClouds/aprl-VsanDatastoreCustomerManagedKeysAzureKeyVault.yaml
@@ -0,0 +1,18 @@
+name: aprl-VsanDatastoreCustomerManagedKeysAzureKeyVault
+title: Use key autorotation for vSAN datastore customer-managed keys
+description: |-
+ When using customer-managed keys for encrypting vSAN datastores, leveraging Azure Key Vault for central management and accessing them via a managed identity linked to the private cloud is advised. The expiration of these keys can render the vSAN datastore and its associated workloads inaccessible.
+source:
+ type: aprl
+ file: azure-resources/AVS/privateClouds/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AVS/privateClouds
+severity: 0
+labels:
+ guid: e0ac2f57-c8c0-4b8c-a7c8-19e5797828b5
+ area: Security
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApimLandingZoneAcceleratorCloudAdaptionFramework.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApimLandingZoneAcceleratorCloudAdaptionFramework.yaml
new file mode 100644
index 000000000..2903a0067
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApimLandingZoneAcceleratorCloudAdaptionFramework.yaml
@@ -0,0 +1,16 @@
+name: revcl-ApimLandingZoneAcceleratorCloudAdaptionFramework
+title: Configure APIM via Infrastructure-as-code. Review DevOps best practices from
+ the Cloud Adaption Framework APIM Landing Zone Accelerator
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: c385bfcd-49fd-4786-81ba-cedbb4c57345
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApisPoliciesBaseElement.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApisPoliciesBaseElement.yaml
new file mode 100644
index 000000000..d00fad61f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApisPoliciesBaseElement.yaml
@@ -0,0 +1,15 @@
+name: revcl-ApisPoliciesBaseElement
+title: Ensure all APIs policies include a element.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: 0b0c0765-ff37-4369-90bd-3eb23ce71b08
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order
+queries: {}
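Review bot: The `title` on the second line of this new file is missing its object — `Ensure all APIs policies include a element.` — which most likely happened because the `<base />` tag in the checklist text was dropped as markup when the YAML was generated (the linked anchor `use-base-element-to-set-policy-evaluation-order` refers to the `base` policy element, so this is an inference, not visible in the hunk). Since the `source` block says this file derives from `./checklists/waf_checklist.en.json`, the correction belongs in the source entry or in the generator's handling of angle brackets rather than in this file; the intended line is presumably `title: Ensure all APIs policies include a <base /> element.`, which YAML accepts unquoted. As written, the recommendation is not actionable for a reader, and any downstream search or dedup on titles will carry the truncated text.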
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApplicationInsightsDetailedTelemetry.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApplicationInsightsDetailedTelemetry.yaml
new file mode 100644
index 000000000..e05087934
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ApplicationInsightsDetailedTelemetry.yaml
@@ -0,0 +1,15 @@
+name: revcl-ApplicationInsightsDetailedTelemetry
+title: Enable Application Insights for more detailed telemetry
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: 8691fa38-45ed-4299-a247-fecd98d35deb
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-CriticalMetricsAlerts.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-CriticalMetricsAlerts.yaml
new file mode 100644
index 000000000..105020a41
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-CriticalMetricsAlerts.yaml
@@ -0,0 +1,15 @@
+name: revcl-CriticalMetricsAlerts
+title: Configure alerts on the most critical metrics
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 0
+labels:
+ guid: 55fd27bb-76ac-4a91-bc37-049e885be6b7
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-DevopsCiCd.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-DevopsCiCd.yaml
new file mode 100644
index 000000000..3841888d8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-DevopsCiCd.yaml
@@ -0,0 +1,15 @@
+name: revcl-DevopsCiCd
+title: Implement DevOps and CI/CD in your workflow
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: 354f1c03-8112-4965-85ad-c0074bddf231
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/devops-api-development-templates
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-DiagnosticsSettingsAzureMonitor.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-DiagnosticsSettingsAzureMonitor.yaml
new file mode 100644
index 000000000..90ca07e62
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-DiagnosticsSettingsAzureMonitor.yaml
@@ -0,0 +1,15 @@
+name: revcl-DiagnosticsSettingsAzureMonitor
+title: Enable Diagnostics Settings to export logs to Azure Monitor
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 0
+labels:
+ guid: a7d0840a-c8c4-4e83-adec-5ca578eb4049
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ErrorHandlingPolicyGlobalLevel.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ErrorHandlingPolicyGlobalLevel.yaml
new file mode 100644
index 000000000..c3039847c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-ErrorHandlingPolicyGlobalLevel.yaml
@@ -0,0 +1,15 @@
+name: revcl-ErrorHandlingPolicyGlobalLevel
+title: Implement an error handling policy at the global level
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: d7941d4a-7b6f-458f-8714-2f8f8c059ad4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-HighPerformanceLevelsEventHubsPolicy.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-HighPerformanceLevelsEventHubsPolicy.yaml
new file mode 100644
index 000000000..f6a951695
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-HighPerformanceLevelsEventHubsPolicy.yaml
@@ -0,0 +1,15 @@
+name: revcl-HighPerformanceLevelsEventHubsPolicy
+title: If you need to log at high performance levels, consider Event Hubs policy
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 2
+labels:
+ guid: 8210699f-8d43-45c2-8f19-57e54134bd8f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-MonetizationSupportArticleBestPractices.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-MonetizationSupportArticleBestPractices.yaml
new file mode 100644
index 000000000..22d848c39
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-MonetizationSupportArticleBestPractices.yaml
@@ -0,0 +1,16 @@
+name: revcl-MonetizationSupportArticleBestPractices
+title: If you are planning to monetize your APIs, review the 'monetization support'
+ article for best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: c3818a95-6ff3-4474-88dc-e809b46dad6a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/monetization-support
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-NamedValuesCommonValues.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-NamedValuesCommonValues.yaml
new file mode 100644
index 000000000..dfceddc58
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-NamedValuesCommonValues.yaml
@@ -0,0 +1,15 @@
+name: revcl-NamedValuesCommonValues
+title: Use Named Values to store common values that can be used in policies
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: 03b125d5-b69b-4739-b7fd-84b86da4933e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-PowershellAutomationScriptsManagement.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-PowershellAutomationScriptsManagement.yaml
new file mode 100644
index 000000000..a31c1dd86
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-PowershellAutomationScriptsManagement.yaml
@@ -0,0 +1,15 @@
+name: revcl-PowershellAutomationScriptsManagement
+title: Simplify management with PowerShell automation scripts
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: 0674d750-0c6f-4ac0-8717-ceec04d0bdbd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/automation-manage-api-management
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-RedundantApiBackendConfigurationsBackendsFeature.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-RedundantApiBackendConfigurationsBackendsFeature.yaml
new file mode 100644
index 000000000..f3b131986
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-RedundantApiBackendConfigurationsBackendsFeature.yaml
@@ -0,0 +1,15 @@
+name: revcl-RedundantApiBackendConfigurationsBackendsFeature
+title: Use Backends feature to eliminate redundant API backend configurations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: 06862505-2d9a-4874-9491-2837b00a3475
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/backends
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-SamePoliciesDefinitionsPolicyFragments.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-SamePoliciesDefinitionsPolicyFragments.yaml
new file mode 100644
index 000000000..2715bd8b5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-SamePoliciesDefinitionsPolicyFragments.yaml
@@ -0,0 +1,16 @@
+name: revcl-SamePoliciesDefinitionsPolicyFragments
+title: Use Policy Fragments to avoid repeating same policies definitions across multiple
+ APIs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: a5c45b03-93b6-42fe-b16b-8fccb6a79902
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/policy-fragments
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-VisualStudioCodeApimExtensionFasterApiDevelopment.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-VisualStudioCodeApimExtensionFasterApiDevelopment.yaml
new file mode 100644
index 000000000..c1b37edce
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Operations/revcl-VisualStudioCodeApimExtensionFasterApiDevelopment.yaml
@@ -0,0 +1,15 @@
+name: revcl-VisualStudioCodeApimExtensionFasterApiDevelopment
+title: Promote usage of Visual Studio Code APIM extension for faster API development
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Operations
+severity: 1
+labels:
+ guid: 6c3a27c0-197f-426c-9ffa-86fed51d9ab6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-AutoscalingNumber.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-AutoscalingNumber.yaml
new file mode 100644
index 000000000..53a3b2399
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-AutoscalingNumber.yaml
@@ -0,0 +1,15 @@
+name: revcl-AutoscalingNumber
+title: Configure autoscaling to scale out the number of instances when the load increases
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Performance
+severity: 1
+labels:
+ guid: bb5f356b-3daf-47a2-a9ee-867a8100bbd5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-AzureFrontDoorMultiRegionDeployment.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-AzureFrontDoorMultiRegionDeployment.yaml
new file mode 100644
index 000000000..a6c5e9a87
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-AzureFrontDoorMultiRegionDeployment.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFrontDoorMultiRegionDeployment
+title: Use Azure Front Door in front of APIM for multi-region deployment
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Performance
+severity: 1
+labels:
+ guid: 7519e385-a88b-4d34-966b-6269d686e890
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/front-door-api-management
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-SelfHostedGatewaysBackendApis.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-SelfHostedGatewaysBackendApis.yaml
new file mode 100644
index 000000000..5394edc48
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-SelfHostedGatewaysBackendApis.yaml
@@ -0,0 +1,16 @@
+name: revcl-SelfHostedGatewaysBackendApis
+title: Deploy self-hosted gateways where Azure doesn't have a region close to the
+ backend APIs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Performance
+severity: 1
+labels:
+ guid: 84b94abb-59b6-4b9d-8587-3413669468e8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-ThrottlingPoliciesNumber.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-ThrottlingPoliciesNumber.yaml
new file mode 100644
index 000000000..87a7051a1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Performance/revcl-ThrottlingPoliciesNumber.yaml
@@ -0,0 +1,17 @@
+name: revcl-ThrottlingPoliciesNumber
+title: Apply throttling policies to control the number of requests per second
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Performance
+severity: 1
+labels:
+ guid: 121bfc39-fa7b-4096-b93b-ab56c1bc0bed
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling
+- type: docs
+ url: https://learn.microsoft.com/training/modules/protect-apis-on-api-management/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-ApimLimits.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-ApimLimits.yaml
new file mode 100644
index 000000000..16267e46e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-ApimLimits.yaml
@@ -0,0 +1,15 @@
+name: revcl-ApimLimits
+title: Be aware of APIM's limits
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 0
+labels:
+ guid: 46f07d33-ef9a-44e8-8f98-67c097c5d8cd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-AutomatedBackupRoutine.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-AutomatedBackupRoutine.yaml
new file mode 100644
index 000000000..cb11ac10e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-AutomatedBackupRoutine.yaml
@@ -0,0 +1,15 @@
+name: revcl-AutomatedBackupRoutine
+title: Ensure there is an automated backup routine
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 0
+labels:
+ guid: 8d2db6e8-85c6-4118-a52c-ae76a4f27934
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-MultiRegionModelRegionalBackends.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-MultiRegionModelRegionalBackends.yaml
new file mode 100644
index 000000000..568881d32
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-MultiRegionModelRegionalBackends.yaml
@@ -0,0 +1,16 @@
+name: revcl-MultiRegionModelRegionalBackends
+title: In multi-region model, use Policies to route the requests to regional backends
+ based on availability or latency.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 1
+labels:
+ guid: 1b8d68a4-66cd-44d5-ba94-3ee94440e8d6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-OneUnitAvailabilityZones.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-OneUnitAvailabilityZones.yaml
new file mode 100644
index 000000000..b92213ec8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-OneUnitAvailabilityZones.yaml
@@ -0,0 +1,16 @@
+name: revcl-OneUnitAvailabilityZones
+title: Deploy at least one unit in two or more availability zones for an increased
+ SLA of 99.99%
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 1
+labels:
+ guid: 9c8d1664-dd9a-49d4-bd83-950af0af4044
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/high-availability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-OverBackendUrlFailingCalls.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-OverBackendUrlFailingCalls.yaml
new file mode 100644
index 000000000..a7c514370
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-OverBackendUrlFailingCalls.yaml
@@ -0,0 +1,15 @@
+name: revcl-OverBackendUrlFailingCalls
+title: Use Policies to add a fail-over backend URL and caching to reduce failing calls.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 1
+labels:
+ guid: 43e60b94-7bca-43a2-aadf-efb04d63a485
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/retry-policy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-PremiumTierDr.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-PremiumTierDr.yaml
new file mode 100644
index 000000000..ce0ef92a4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-PremiumTierDr.yaml
@@ -0,0 +1,16 @@
+name: revcl-PremiumTierDr
+title: For DR, leverage the premium tier with deployments scaled across two or more
+ regions for 99.99% SLA
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 1
+labels:
+ guid: beae759e-4ddb-4326-bf26-47f87d3454b6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-PremiumTierProductionWorkloads.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-PremiumTierProductionWorkloads.yaml
new file mode 100644
index 000000000..a128bad6b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-PremiumTierProductionWorkloads.yaml
@@ -0,0 +1,15 @@
+name: revcl-PremiumTierProductionWorkloads
+title: Use the premium tier for production workloads.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 1
+labels:
+ guid: 1fe8db45-a017-4888-8c4d-4422583cfae0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-SelfHostedGatewayDeployments.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-SelfHostedGatewayDeployments.yaml
new file mode 100644
index 000000000..78bcd9939
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Reliability/revcl-SelfHostedGatewayDeployments.yaml
@@ -0,0 +1,15 @@
+name: revcl-SelfHostedGatewayDeployments
+title: Ensure that the self-hosted gateway deployments are resilient.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Reliability
+severity: 0
+labels:
+ guid: 10f58602-f0f9-4d77-972a-956f6e0f2600
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview
+queries: {}
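Review bot: The docs link on the `url:` line of this record uses a locale-pinned path (`https://learn.microsoft.com/en-us/azure/...`) while every other link in this range is locale-neutral (`https://learn.microsoft.com/azure/...`). Pinning the locale forces English for non-English readers and makes the link differ from its siblings for no reason; changing it to `url: https://learn.microsoft.com/azure/api-management/self-hosted-gateway-overview` matches the rest of the set. If the value is copied verbatim from the checklist JSON named in `source.file`, the normalization is better done once in the generator.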
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AppropriateGroupsVisibility.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AppropriateGroupsVisibility.yaml
new file mode 100644
index 000000000..267d5011c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AppropriateGroupsVisibility.yaml
@@ -0,0 +1,15 @@
+name: revcl-AppropriateGroupsVisibility
+title: Create appropriate groups to control the visibility of the products
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: f8e574ce-280f-49c8-b2ef-68279b081cf3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AuthorizationsFeatureOauthToken.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AuthorizationsFeatureOauthToken.yaml
new file mode 100644
index 000000000..832960f19
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AuthorizationsFeatureOauthToken.yaml
@@ -0,0 +1,16 @@
+name: revcl-AuthorizationsFeatureOauthToken
+title: Use Authorizations feature to simplify management of OAuth 2.0 token for your
+ backend APIs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: 5507c4b8-a7f8-41d6-9661-418c987100c9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/authorizations-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AzureKeyVaultNamedValues.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AzureKeyVaultNamedValues.yaml
new file mode 100644
index 000000000..7cf2ede4c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-AzureKeyVaultNamedValues.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureKeyVaultNamedValues
+title: Ensure that secrets (Named values) are stored an Azure Key Vault so they can
+ be securely accessed and updated
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 0
+labels:
+ guid: f8af3d94-1d2b-4070-846f-849197524258
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-ClientCertificateAuthenticationSecureApis.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-ClientCertificateAuthenticationSecureApis.yaml
new file mode 100644
index 000000000..df904d619
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-ClientCertificateAuthenticationSecureApis.yaml
@@ -0,0 +1,15 @@
+name: revcl-ClientCertificateAuthenticationSecureApis
+title: Secure APIs using client certificate authentication
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: b6439493-426a-45f3-9697-cf65baee208d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-CustomSslCertificatesAzureKeyVault.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-CustomSslCertificatesAzureKeyVault.yaml
new file mode 100644
index 000000000..0f69b53cf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-CustomSslCertificatesAzureKeyVault.yaml
@@ -0,0 +1,16 @@
+name: revcl-CustomSslCertificatesAzureKeyVault
+title: Ensure that custom SSL certificates are stored an Azure Key Vault so they can
+ be securely accessed and updated
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 0
+labels:
+ guid: 39460bdb-156f-4dc2-a87f-1e8c11ab0998
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-IncomingRequestsDataPlane.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-IncomingRequestsDataPlane.yaml
new file mode 100644
index 000000000..4160b1fb3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-IncomingRequestsDataPlane.yaml
@@ -0,0 +1,15 @@
+name: revcl-IncomingRequestsDataPlane
+title: Protect incoming requests to APIs (data plane) with Azure AD
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 0
+labels:
+ guid: e9217997-5f6c-479d-8576-8f2adf706ec8
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-LatestTlsVersionUnnecessaryProtocols.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-LatestTlsVersionUnnecessaryProtocols.yaml
new file mode 100644
index 000000000..f88d907da
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-LatestTlsVersionUnnecessaryProtocols.yaml
@@ -0,0 +1,16 @@
+name: revcl-LatestTlsVersionUnnecessaryProtocols
+title: Use the latest TLS version when encrypting information in transit. Disable
+ outdated and unnecessary protocols and ciphers when possible.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 0
+labels:
+ guid: 2deee033-b906-4bc2-9f26-c8d3699fe091
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-MicrosoftEntraIdDeveloperPortal.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-MicrosoftEntraIdDeveloperPortal.yaml
new file mode 100644
index 000000000..c66d3cb14
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-MicrosoftEntraIdDeveloperPortal.yaml
@@ -0,0 +1,15 @@
+name: revcl-MicrosoftEntraIdDeveloperPortal
+title: Use Microsoft Entra ID to authenticate users in the Developer Portal
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: 5e5f64ba-c90e-480e-8888-398d96cf0bfb
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-aad
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-NetworkSecurityGroupsNsg.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-NetworkSecurityGroupsNsg.yaml
new file mode 100644
index 000000000..61d544c69
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-NetworkSecurityGroupsNsg.yaml
@@ -0,0 +1,16 @@
+name: revcl-NetworkSecurityGroupsNsg
+title: Deploy network security groups (NSG) to your subnets to restrict or monitor
+ traffic to/from APIM.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: 02661582-b3d1-48d1-9d7b-c6a918a0ca33
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-OtherAzureResourcesManagedIdentities.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-OtherAzureResourcesManagedIdentities.yaml
new file mode 100644
index 000000000..58421c082
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-OtherAzureResourcesManagedIdentities.yaml
@@ -0,0 +1,15 @@
+name: revcl-OtherAzureResourcesManagedIdentities
+title: Use managed identities to authenticate to other Azure resources whenever possible
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: 791abd8b-7706-4e31-9569-afefde724be3
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-OwaspApiSecurityTopThreatsArticleReview.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-OwaspApiSecurityTopThreatsArticleReview.yaml
new file mode 100644
index 000000000..ea1ebc85d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-OwaspApiSecurityTopThreatsArticleReview.yaml
@@ -0,0 +1,16 @@
+name: revcl-OwaspApiSecurityTopThreatsArticleReview
+title: Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article
+ and check what is applicable to your APIs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: 074435f5-4a46-41ac-b521-d6114cb5d845
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-PrivateEndpointsIncomingTraffic.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-PrivateEndpointsIncomingTraffic.yaml
new file mode 100644
index 000000000..ca8b869d5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-PrivateEndpointsIncomingTraffic.yaml
@@ -0,0 +1,16 @@
+name: revcl-PrivateEndpointsIncomingTraffic
+title: Deploy Private Endpoints to filter incoming traffic when APIM is not deployed
+ to a VNet.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: 67437a28-2721-4a2c-becd-caa54c8237a5
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-PublicNetworkAccess.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-PublicNetworkAccess.yaml
new file mode 100644
index 000000000..9245d4452
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-PublicNetworkAccess.yaml
@@ -0,0 +1,15 @@
+name: revcl-PublicNetworkAccess
+title: Disable Public Network Access
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 0
+labels:
+ guid: d698adbd-3288-44cb-b10a-9b572da395ae
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-SecureBackendServicesClientCertificateAuthentication.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-SecureBackendServicesClientCertificateAuthentication.yaml
new file mode 100644
index 000000000..1e6c5d88a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-SecureBackendServicesClientCertificateAuthentication.yaml
@@ -0,0 +1,15 @@
+name: revcl-SecureBackendServicesClientCertificateAuthentication
+title: Secure backend services using client certificate authentication
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: 2a67d143-1033-4c0a-8732-680896478f08
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-VirtualNetworkService.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-VirtualNetworkService.yaml
new file mode 100644
index 000000000..6bdb62ba3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-VirtualNetworkService.yaml
@@ -0,0 +1,15 @@
+name: revcl-VirtualNetworkService
+title: Deploy the service within a Virtual Network (VNet)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 1
+labels:
+ guid: cd45c90e-7690-4753-930b-bf290c69c074
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-WebApplicationFirewallApplicationGateway.yaml b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-WebApplicationFirewallApplicationGateway.yaml
new file mode 100644
index 000000000..1055f9959
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/Security/revcl-WebApplicationFirewallApplicationGateway.yaml
@@ -0,0 +1,16 @@
+name: revcl-WebApplicationFirewallApplicationGateway
+title: Use web application firewall (WAF) by deploying Application Gateway in front
+ of APIM
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.apimanagement/service
+waf: Security
+severity: 0
+labels:
+ guid: 220c4ca6-6688-476b-b2b5-425a78e6fb87
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/aprl-ApiManagementInstanceApiManagementServices.yaml b/v2/recos/Services/MicrosoftApiManagement-service/aprl-ApiManagementInstanceApiManagementServices.yaml
new file mode 100644
index 000000000..41f5a5995
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/aprl-ApiManagementInstanceApiManagementServices.yaml
@@ -0,0 +1,24 @@
+name: aprl-ApiManagementInstanceApiManagementServices
+title: Migrate API Management services to Premium SKU to support Availability Zones
+description: |-
+ Upgrading the API Management instance to the Premium SKU adds support for Availability Zones, enhancing availability and resilience by distributing services across physically separate locations within Azure regions.
+source:
+ type: aprl
+ file: azure-resources/ApiManagement/service/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ApiManagement/service
+severity: 0
+labels:
+ guid: baf3bfc0-32a2-4c0c-926d-c9bf0b49808e
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all API Management instances that aren't Premium
+ resources
+ | where type =~ 'Microsoft.ApiManagement/service'
+ | extend skuName = sku.name
+ | where tolower(skuName) != tolower('premium')
+ | project recommendationId = "baf3bfc0-32a2-4c0c-926d-c9bf0b49808e", name, id, tags, param1=strcat("SKU: ", skuName)
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/aprl-AzureApiManagementPlatformVersionApiManagementStv.yaml b/v2/recos/Services/MicrosoftApiManagement-service/aprl-AzureApiManagementPlatformVersionApiManagementStv.yaml
new file mode 100644
index 000000000..af2fb82c1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/aprl-AzureApiManagementPlatformVersionApiManagementStv.yaml
@@ -0,0 +1,25 @@
+name: aprl-AzureApiManagementPlatformVersionApiManagementStv
+title: Azure API Management platform version should be stv2
+description: |-
+ Upgrading to API Management stv2 is required as stv1 retires on 31 Aug 2024, offering enhanced capabilities with the new platform version.
+source:
+ type: aprl
+ file: azure-resources/ApiManagement/service/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ApiManagement/service
+severity: 0
+labels:
+ guid: e35cf148-8eee-49d1-a1c9-956160f99e0b
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all API Management instances that aren't upgraded to platform version stv2
+ resources
+ | where type =~ 'Microsoft.ApiManagement/service'
+ | extend plat_version = properties.platformVersion
+ | extend skuName = sku.name
+ | where tolower(plat_version) != tolower('stv2')
+ | project recommendationId = "e35cf148-8eee-49d1-a1c9-956160f99e0b", name, id, tags, param1=strcat("Platform Version: ", plat_version) , param2=strcat("SKU: ", skuName)
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/aprl-PremiumApiManagementInstancesManagementApi.yaml b/v2/recos/Services/MicrosoftApiManagement-service/aprl-PremiumApiManagementInstancesManagementApi.yaml
new file mode 100644
index 000000000..89c2f1158
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/aprl-PremiumApiManagementInstancesManagementApi.yaml
@@ -0,0 +1,26 @@
+name: aprl-PremiumApiManagementInstancesManagementApi
+title: Enable Availability Zones on Premium API Management instances
+description: |-
+ Zone redundancy for APIM instances ensures the gateway and control plane (Management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, boosting resilience to zone failures.
+source:
+ type: aprl
+ file: azure-resources/ApiManagement/service/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ApiManagement/service
+severity: 0
+labels:
+ guid: 740f2c1c-8857-4648-80eb-47d2c56d5a50
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Premium API Management instances that aren't zone redundant
+ resources
+ | where type =~ 'Microsoft.ApiManagement/service'
+ | extend skuName = sku.name
+ | where tolower(skuName) == tolower('premium')
+ | where isnull(zones) or array_length(zones) < 2
+ | extend zoneValue = iff((isnull(zones)), "null", zones)
+ | project recommendationId = "740f2c1c-8857-4648-80eb-47d2c56d5a50", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Zones value: ", zoneValue )
diff --git a/v2/recos/Services/MicrosoftApiManagement-service/aprl-VariableTrafficPatternsApiManagementServices.yaml b/v2/recos/Services/MicrosoftApiManagement-service/aprl-VariableTrafficPatternsApiManagementServices.yaml
new file mode 100644
index 000000000..37063d2f5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApiManagement-service/aprl-VariableTrafficPatternsApiManagementServices.yaml
@@ -0,0 +1,18 @@
+name: aprl-VariableTrafficPatternsApiManagementServices
+title: Enable auto-scale for production workloads on API Management services
+description: |-
+ Use API Management with auto-scale for high availability in workloads that experience variable traffic patterns. There are several limitations with auto-scale, so review the documentation to ensure it meets your requirements.
+source:
+ type: aprl
+ file: azure-resources/ApiManagement/service/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ApiManagement/service
+severity: 2
+labels:
+ guid: c79680ea-de85-44fa-a596-f31fa17a952f
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-ActivePassiveApplicationGuidanceCrossRegionDr.yaml b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-ActivePassiveApplicationGuidanceCrossRegionDr.yaml
new file mode 100644
index 000000000..e3a23c5e7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-ActivePassiveApplicationGuidanceCrossRegionDr.yaml
@@ -0,0 +1,16 @@
+name: revcl-ActivePassiveApplicationGuidanceCrossRegionDr
+title: For cross-region DR, deploy container apps in multiple regions and follow active/active
+ or active/passive application guidance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.app/containerapps
+waf: Reliability
+severity: 0
+labels:
+ guid: ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-FrontDoorClosestRegion.yaml b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-FrontDoorClosestRegion.yaml
new file mode 100644
index 000000000..f611b1b4b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-FrontDoorClosestRegion.yaml
@@ -0,0 +1,15 @@
+name: revcl-FrontDoorClosestRegion
+title: Use Front Door or Traffic Manager to route traffic to the closest region
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.app/containerapps
+waf: Reliability
+severity: 0
+labels:
+ guid: 2ffada86-c031-4933-bf7d-0c45bc4e5919
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-LeverageAvailabilityZones.yaml b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-LeverageAvailabilityZones.yaml
new file mode 100644
index 000000000..26fa658c8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-LeverageAvailabilityZones.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageAvailabilityZones
+title: Leverage Availability Zones if regionally applicable
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.app/containerapps
+waf: Reliability
+severity: 0
+labels:
+ guid: af416482-663c-4ed6-b195-b44c7068e09c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-OneReplicaZoneRedundancy.yaml b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-OneReplicaZoneRedundancy.yaml
new file mode 100644
index 000000000..4a55bd02a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApp-containerApps/Reliability/revcl-OneReplicaZoneRedundancy.yaml
@@ -0,0 +1,15 @@
+name: revcl-OneReplicaZoneRedundancy
+title: Use more than one replica and enable Zone Redundancy.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.app/containerapps
+waf: Reliability
+severity: 0
+labels:
+ guid: 95bc80ec-6499-4d14-a7d2-7d296b1d8abc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment
+queries: {}
diff --git a/v2/recos/Services/MicrosoftApp-containerApps/aprl-ContainerHealthProbesContainerApps.yaml b/v2/recos/Services/MicrosoftApp-containerApps/aprl-ContainerHealthProbesContainerApps.yaml
new file mode 100644
index 000000000..87b6d3835
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApp-containerApps/aprl-ContainerHealthProbesContainerApps.yaml
@@ -0,0 +1,18 @@
+name: aprl-ContainerHealthProbesContainerApps
+title: Enable container health probes
+description: |-
+ Enable container health probes to monitor the health of your container apps and ensure that unhealthy containers are restarted automatically.
+source:
+ type: aprl
+ file: azure-resources/App/containerApps/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.App/containerApps
+severity: 0
+labels:
+ guid: 8dbcd94b-0948-4df3-b608-1946726c3abf
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftApp-managedenvironments/aprl-ZoneRedundantContainerAppEnvironmentsContainerAppsEnvironment.yaml b/v2/recos/Services/MicrosoftApp-managedenvironments/aprl-ZoneRedundantContainerAppEnvironmentsContainerAppsEnvironment.yaml
new file mode 100644
index 000000000..34692dd9c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftApp-managedenvironments/aprl-ZoneRedundantContainerAppEnvironmentsContainerAppsEnvironment.yaml
@@ -0,0 +1,24 @@
+name: aprl-ZoneRedundantContainerAppEnvironmentsContainerAppsEnvironment
+title: Deploy zone redundant Container app environments
+description: |-
+ To take advantage of availability zones, you must enable zone redundancy when you create a Container Apps environment. The environment must include a virtual network with an available subnet. To ensure proper distribution of replicas, set your app's minimum replica count to three.
+source:
+ type: aprl
+ file: azure-resources/App/managedEnvironments/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.App/managedenvironments
+severity: 0
+labels:
+ guid: f4201965-a88d-449d-b3b4-021394719eb2
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // The query filters the qualified Container app environments that do not have Zone Redundancy enabled.
+ resources
+ | where type =~ "microsoft.app/managedenvironments"
+ | where tobool(properties.zoneRedundant) == false
+ | project recommendationId = "f4201965-a88d-449d-b3b4-021394719eb2", name, id, tags, param1 = "AvailabilityZones: Single Zone"
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftAppConfiguration-configurationStores/aprl-AppConfigurationStandardTierFreeTier.yaml b/v2/recos/Services/MicrosoftAppConfiguration-configurationStores/aprl-AppConfigurationStandardTierFreeTier.yaml
new file mode 100644
index 000000000..b36896a16
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppConfiguration-configurationStores/aprl-AppConfigurationStandardTierFreeTier.yaml
@@ -0,0 +1,23 @@
+name: aprl-AppConfigurationStandardTierFreeTier
+title: Upgrade to App Configuration Standard tier
+description: |-
+ SLA is not available for Free tier. Upgrade to the Standard tier to get an SLA of 99.9%
+source:
+ type: aprl
+ file: azure-resources/AppConfiguration/configurationStores/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AppConfiguration/configurationStores
+severity: 0
+labels:
+ guid: 2102a57a-a056-4d5e-afe5-9df9f92177ca
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Upgrade to App Configuration Standard tier
+ resources
+ | where type =~ "Microsoft.AppConfiguration/configurationStores"
+ | where sku.name == "free"
+ | project recommendationId = "2102a57a-a056-4d5e-afe5-9df9f92177ca", name, id, tags, param1 = "Upgrade to Standard SKU"
diff --git a/v2/recos/Services/MicrosoftAppConfiguration-configurationStores/aprl-AzureAppConfigurationSoftDeletedStores.yaml b/v2/recos/Services/MicrosoftAppConfiguration-configurationStores/aprl-AzureAppConfigurationSoftDeletedStores.yaml
new file mode 100644
index 000000000..3b84a37f0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppConfiguration-configurationStores/aprl-AzureAppConfigurationSoftDeletedStores.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureAppConfigurationSoftDeletedStores
+title: Enable Purge protection for Azure App Configuration
+description: |-
+ With Purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires.
+source:
+ type: aprl
+ file: azure-resources/AppConfiguration/configurationStores/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.AppConfiguration/configurationStores
+severity: 2
+labels:
+ guid: bb4c8db4-f821-475b-b1ea-16e95358665e
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Purge protection should be enabled for App Configuration stores to prevent accidental deletion of configuration data.
+ resources
+ | where type =~ "Microsoft.AppConfiguration/configurationStores"
+ | where sku.name <> "free"
+ | where (properties.enablePurgeProtection <> true) or isnull(properties.enablePurgeProtection )
+ | project recommendationId = "bb4c8db4-f821-475b-b1ea-16e95358665e", name, id, tags, param1 = "Enable purge protection"
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AppInstanceApps.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AppInstanceApps.yaml
new file mode 100644
index 000000000..102ab3fd9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AppInstanceApps.yaml
@@ -0,0 +1,15 @@
+name: revcl-AppInstanceApps
+title: Use more than 1 app instance for your apps
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 1
+labels:
+ guid: ffc735ad-fbb1-4802-b43f-ad6387c4c066
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsApplicationInsights.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsApplicationInsights.yaml
new file mode 100644
index 000000000..8d08735c3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsApplicationInsights.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureSpringAppsApplicationInsights
+title: Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with
+ application insights and track failures and create workbooks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 1
+labels:
+ guid: 7504c230-6035-4183-95a5-85762acc6075
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/spring-apps/diagnostic-services
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsAvailabilityZones.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsAvailabilityZones.yaml
new file mode 100644
index 000000000..fd804e554
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsAvailabilityZones.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureSpringAppsAvailabilityZones
+title: In supported region, Azure Spring Apps can be deployed as zone redundant, which
+ means that instances are automatically distributed across availability zones. This
+ feature is only available in Standard and Enterprise tiers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 1
+labels:
+ guid: ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/reliability-spring-apps
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsInstancesMultipleRegions.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsInstancesMultipleRegions.yaml
new file mode 100644
index 000000000..757177dcc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-AzureSpringAppsInstancesMultipleRegions.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureSpringAppsInstancesMultipleRegions
+title: Azure Spring Apps instances could be created in multiple regions for your applications
+ and traffic could be routed by Traffic Manager/Front Door.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 1
+labels:
+ guid: fbcb40ac-9480-4a6d-bcf4-8081252a6716
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-BlueGreenDeploymentStrategiesAzureSpringApps.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-BlueGreenDeploymentStrategiesAzureSpringApps.yaml
new file mode 100644
index 000000000..d7571ca80
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-BlueGreenDeploymentStrategiesAzureSpringApps.yaml
@@ -0,0 +1,18 @@
+name: revcl-BlueGreenDeploymentStrategiesAzureSpringApps
+title: Azure Spring Apps permits two deployments for every app, only one of which
+ receives production traffic. You can achieve zero downtime with blue green deployment
+ strategies. Blue green deployment is only available in Standard and Enterprise tiers.
+ You could automate deployment using CI/CD with ADO/GitHub actions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 1
+labels:
+ guid: 6d8e32a8-3892-479d-a40b-10f6b4f6f298
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-MissionCriticalAppsEnterprisePlan.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-MissionCriticalAppsEnterprisePlan.yaml
new file mode 100644
index 000000000..c876f1f00
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-MissionCriticalAppsEnterprisePlan.yaml
@@ -0,0 +1,16 @@
+name: revcl-MissionCriticalAppsEnterprisePlan
+title: Use Enterprise plan for commercial support of spring boot for mission critical
+ apps. With other tiers you get OSS support.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 1
+labels:
+ guid: dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/spring-apps/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-SpringCloudGateway.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-SpringCloudGateway.yaml
new file mode 100644
index 000000000..1b340b58d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-SpringCloudGateway.yaml
@@ -0,0 +1,15 @@
+name: revcl-SpringCloudGateway
+title: Set up autoscaling in Spring Cloud Gateway
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 1
+labels:
+ guid: 1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-StandardConsumptionDedicatedPlan.yaml b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-StandardConsumptionDedicatedPlan.yaml
new file mode 100644
index 000000000..eb6463e98
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAppPlatform-Spring/Reliability/revcl-StandardConsumptionDedicatedPlan.yaml
@@ -0,0 +1,15 @@
+name: revcl-StandardConsumptionDedicatedPlan
+title: Enable autoscale for the apps with Standard consumption & dedicated plan.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.appplatform/spring
+waf: Reliability
+severity: 2
+labels:
+ guid: 97411607-b6fd-4335-99d1-9885faf4e392
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-AzurePolicyDefinitionsAzureRoleAssignments.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-AzurePolicyDefinitionsAzureRoleAssignments.yaml
new file mode 100644
index 000000000..d0810e102
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-AzurePolicyDefinitionsAzureRoleAssignments.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzurePolicyDefinitionsAzureRoleAssignments
+title: Map regulatory and compliance requirements to Azure Policy definitions and
+ Azure role assignments.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: d8a2adb1-17d6-4326-af62-5ca44e5695f2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-DataSovereigntyRequirementsAzurePolicies.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-DataSovereigntyRequirementsAzurePolicies.yaml
new file mode 100644
index 000000000..b4d3b263d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-DataSovereigntyRequirementsAzurePolicies.yaml
@@ -0,0 +1,18 @@
+name: revcl-DataSovereigntyRequirementsAzurePolicies
+title: If any data sovereignty requirements exist, Azure Policies can be deployed
+ to enforce them
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: 5a917e1f-348e-4f25-9c27-d42e8bbac757
+links:
+- type: docs
+ url: https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-your-cloud-data/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-HighestAppropriateLevelPolicyAssignments.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-HighestAppropriateLevelPolicyAssignments.yaml
new file mode 100644
index 000000000..af0922c40
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-HighestAppropriateLevelPolicyAssignments.yaml
@@ -0,0 +1,16 @@
+name: revcl-HighestAppropriateLevelPolicyAssignments
+title: Manage policy assignments at the highest appropriate level with exclusions
+ at bottom levels, if required.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: 3829e7e3-1618-4368-9a04-77a209945bda
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-IntermediateRootManagementGroupAzurePolicyDefinitions.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-IntermediateRootManagementGroupAzurePolicyDefinitions.yaml
new file mode 100644
index 000000000..9150860f4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-IntermediateRootManagementGroupAzurePolicyDefinitions.yaml
@@ -0,0 +1,16 @@
+name: revcl-IntermediateRootManagementGroupAzurePolicyDefinitions
+title: Establish Azure Policy definitions at the intermediate root management group
+ so that they can be assigned at inherited scopes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: 223ace8c-b123-408c-a501-7f154e3ab369
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-LeverageAzurePolicyPolicyInitiatives.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-LeverageAzurePolicyPolicyInitiatives.yaml
new file mode 100644
index 000000000..1235990a0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-LeverageAzurePolicyPolicyInitiatives.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAzurePolicyPolicyInitiatives
+title: Leverage Azure Policy strategically, define controls for your environment,
+ using Policy Initiatives to group related policies.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 0
+labels:
+ guid: 5c986cb2-9131-456a-8247-6e49f541acdc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-OperationalOverheadPolicies.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-OperationalOverheadPolicies.yaml
new file mode 100644
index 000000000..cc85c6f5d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-OperationalOverheadPolicies.yaml
@@ -0,0 +1,15 @@
+name: revcl-OperationalOverheadPolicies
+title: Use built-in policies where possible to minimize operational overhead.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: be7d7e48-4327-46d8-adc0-55bcf619e8a1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-ResourcePolicyContributorRoleCentralItTeam.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-ResourcePolicyContributorRoleCentralItTeam.yaml
new file mode 100644
index 000000000..63f988c8b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-ResourcePolicyContributorRoleCentralItTeam.yaml
@@ -0,0 +1,21 @@
+name: revcl-ResourcePolicyContributorRoleCentralItTeam
+title: Assign the built-in Resource Policy Contributor role at a particular scope
+ to enable application-level governance.
+description: Assigning the Resource Policy Contributor role to specific scopes allows
+ you to delegate policy management to relevant teams. For instance, a central IT
+ team may oversee management group-level policies, while application teams handle
+ policies for their subscriptions, enabling distributed governance with adherence
+ to organizational standards.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: 3f988795-25d6-4268-a6d7-0ba6c97be995
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-RootManagementGroupScopeAzurePolicyAssignments.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-RootManagementGroupScopeAzurePolicyAssignments.yaml
new file mode 100644
index 000000000..5ed9e122c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-RootManagementGroupScopeAzurePolicyAssignments.yaml
@@ -0,0 +1,16 @@
+name: revcl-RootManagementGroupScopeAzurePolicyAssignments
+title: Limit the number of Azure Policy assignments made at the root management group
+ scope to avoid managing through exclusions at inherited scopes.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: 19048384-5c98-46cb-8913-156a12476e49
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereignLandingZoneSovereignControlObjectives-1.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereignLandingZoneSovereignControlObjectives-1.yaml
new file mode 100644
index 000000000..f27ab95fb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereignLandingZoneSovereignControlObjectives-1.yaml
@@ -0,0 +1,14 @@
+name: revcl-SovereignLandingZoneSovereignControlObjectives-1
+title: For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control
+ objectives to policy mapping'.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: 9b461617-db7b-4399-8ac6-d4eb7153893a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereignLandingZoneSovereignControlObjectives.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereignLandingZoneSovereignControlObjectives.yaml
new file mode 100644
index 000000000..0113f232c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereignLandingZoneSovereignControlObjectives.yaml
@@ -0,0 +1,16 @@
+name: revcl-SovereignLandingZoneSovereignControlObjectives
+title: For Sovereign Landing Zone, sovereign Control objectives to policy mapping'
+ is documented.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: caeea0e9-1024-41df-a52e-d99c3f22a6f4
+links:
+- type: docs
+ url: https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereigntyPolicyBaselinePolicyInitiativeSovereignLandingZone.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereigntyPolicyBaselinePolicyInitiativeSovereignLandingZone.yaml
new file mode 100644
index 000000000..9b85545ee
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SovereigntyPolicyBaselinePolicyInitiativeSovereignLandingZone.yaml
@@ -0,0 +1,16 @@
+name: revcl-SovereigntyPolicyBaselinePolicyInitiativeSovereignLandingZone
+title: For Sovereign Landing Zone, sovereignty policy baseline' policy initiative
+ is deployed and and assigned at correct MG level.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 1
+labels:
+ guid: 78b22132-b41c-460b-a4d3-df8f73a67dc2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SubscriptionManagementGroupLevelAzurePolicy.yaml b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SubscriptionManagementGroupLevelAzurePolicy.yaml
new file mode 100644
index 000000000..d59539404
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAuthorization-policyDefinitions/Security/revcl-SubscriptionManagementGroupLevelAzurePolicy.yaml
@@ -0,0 +1,16 @@
+name: revcl-SubscriptionManagementGroupLevelAzurePolicy
+title: Use Azure Policy to control which services users can provision at the subscription/management
+ group level
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.authorization/policydefinitions
+waf: Security
+severity: 2
+labels:
+ guid: 43334f24-9116-4341-a2ba-527526944008
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services
+queries: {}
diff --git a/v2/recos/Services/MicrosoftAutomation-automationAccounts/aprl-ReplicaAutomationAccountAutomationAccounts.yaml b/v2/recos/Services/MicrosoftAutomation-automationAccounts/aprl-ReplicaAutomationAccountAutomationAccounts.yaml
new file mode 100644
index 000000000..054f4cfdf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftAutomation-automationAccounts/aprl-ReplicaAutomationAccountAutomationAccounts.yaml
@@ -0,0 +1,18 @@
+name: aprl-ReplicaAutomationAccountAutomationAccounts
+title: Set up disaster recovery of Automation accounts and its dependent resources
+description: |-
+ Set up disaster recovery for Automation accounts and resources like Modules, Connections, Credentials, Certificates, Variables, and Schedules to deal with region or zone failures. A replica Automation account should be ready in a secondary region for failover.
+source:
+ type: aprl
+ file: azure-resources/Automation/automationAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Automation/automationAccounts
+severity: 0
+labels:
+ guid: 67205887-0733-466e-b50e-b1cd7316c514
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftBatch-batchAccounts/aprl-CrossRegionDisasterRecoveryNecessaryCoreNumbers.yaml b/v2/recos/Services/MicrosoftBatch-batchAccounts/aprl-CrossRegionDisasterRecoveryNecessaryCoreNumbers.yaml
new file mode 100644
index 000000000..081700771
--- /dev/null
+++ b/v2/recos/Services/MicrosoftBatch-batchAccounts/aprl-CrossRegionDisasterRecoveryNecessaryCoreNumbers.yaml
@@ -0,0 +1,18 @@
+name: aprl-CrossRegionDisasterRecoveryNecessaryCoreNumbers
+title: Monitor Batch Account quota
+description: |-
+ To ensure cross-region disaster recovery and business continuity, set the right quotas for all Batch accounts to allocate necessary core numbers upfront, preventing execution interruptions from reaching quota limits.
+source:
+ type: aprl
+ file: azure-resources/Batch/batchAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Batch/batchAccounts
+severity: 1
+labels:
+ guid: 3464854d-6f75-4922-95e4-a2a308b53ce6
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftBatch-batchAccounts/aprl-VirtualMachineConfigurationAzureBatchPools.yaml b/v2/recos/Services/MicrosoftBatch-batchAccounts/aprl-VirtualMachineConfigurationAzureBatchPools.yaml
new file mode 100644
index 000000000..6667e70c5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftBatch-batchAccounts/aprl-VirtualMachineConfigurationAzureBatchPools.yaml
@@ -0,0 +1,18 @@
+name: aprl-VirtualMachineConfigurationAzureBatchPools
+title: Create an Azure Batch pool across Availability Zones
+description: |-
+ When using Virtual Machine Configuration for Azure Batch pools, opting to distribute your pool across Availability Zones bolsters your compute nodes against Azure datacenter failures.
+source:
+ type: aprl
+ file: azure-resources/Batch/batchAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Batch/batchAccounts
+severity: 0
+labels:
+ guid: 71cfab8f-d588-4742-b175-b6e07ae48dbd
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-EuBotRegionalServiceAzureBotService.yaml b/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-EuBotRegionalServiceAzureBotService.yaml
new file mode 100644
index 000000000..232e81c95
--- /dev/null
+++ b/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-EuBotRegionalServiceAzureBotService.yaml
@@ -0,0 +1,21 @@
+name: revcl-EuBotRegionalServiceAzureBotService
+title: Azure Bot Service runs in active-active mode for both global and regional services.
+ When an outage occurs, you don't need to detect errors or manage the service. Azure
+ Bot Service automatically performs auto failover and auto recovery in a multi-region
+ geographical architecture. For the EU bot regional service, Azure Bot Service provides
+ two full regions inside Europe with active/active replication to ensure redundancy.
+ For the global bot service, all available regions/geographies can be served as the
+ global footprint.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.botservice/botservices
+waf: Reliability
+severity: 1
+labels:
+ guid: 19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography
+queries: {}
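Review bot: The `title:` of this reco carries a whole paragraph (the sentences from "When an outage occurs" through "global footprint"), and unlike the other new files in this set there is no `description:` key at all, so the explanatory text will render wherever titles are listed; the first sentence should stay as `title:` and the remainder move under `description: |-`. The same file also uses lowercase `resourceTypes` (`microsoft.botservice/botservices`, and likewise in the two sibling revcl files and the `microsoft.cognitiveservices/accounts` wafsg files below) while the aprl recos use the provider's casing (`Microsoft.Automation/automationAccounts`, `Microsoft.Cdn/profiles`); any consumer matching resource types case-sensitively will treat these as different types, so one casing convention should be applied across source types. These files appear to be generated by the checklist conversion scripts, so the fix presumably belongs in the generator rather than in hand edits here.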
diff --git a/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-LocalDataResidencyRegionalCompliance.yaml b/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-LocalDataResidencyRegionalCompliance.yaml
new file mode 100644
index 000000000..741646013
--- /dev/null
+++ b/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-LocalDataResidencyRegionalCompliance.yaml
@@ -0,0 +1,15 @@
+name: revcl-LocalDataResidencyRegionalCompliance
+title: Deploying bots with local data residency and regional compliance
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.botservice/botservices
+waf: Reliability
+severity: 1
+labels:
+ guid: e65de8e1-3f9c-4cbd-9682-66abca264f9a
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization
+queries: {}
diff --git a/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-ReliabilitySupportRecommendationsAzureBotService.yaml b/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-ReliabilitySupportRecommendationsAzureBotService.yaml
new file mode 100644
index 000000000..4c05e557b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftBotService-botServices/Reliability/revcl-ReliabilitySupportRecommendationsAzureBotService.yaml
@@ -0,0 +1,15 @@
+name: revcl-ReliabilitySupportRecommendationsAzureBotService
+title: Follow reliability support recommendations in Azure Bot Service
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.botservice/botservices
+waf: Reliability
+severity: 1
+labels:
+ guid: 6ad48408-ee72-4734-a476-ba28fdcf590c
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/reliability/reliability-bot
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorCustomAccessRules.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorCustomAccessRules.yaml
new file mode 100644
index 000000000..99f090eb5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorCustomAccessRules.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureFrontDoorCustomAccessRules
+title: Use geo-filtering in Azure Front Door
+description: |-
+ Azure Front Door's geo-filtering through WAF enables defining custom access rules by country/region to restrict or allow web app access.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: b515690d-3bf9-3a49-8d38-188e0fd45896
+ area: Security
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorHeadHttpMethods.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorHeadHttpMethods.yaml
new file mode 100644
index 000000000..ed67911ee
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorHeadHttpMethods.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureFrontDoorHeadHttpMethods
+title: Use HEAD health probes
+description: |-
+ Health probes in Azure Front Door can use GET or HEAD HTTP methods. Using the HEAD method for health probes is a recommended practice because it reduces the traffic load on your origins, being less resource-intensive.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: 5783defe-b49e-d947-84f7-d8677593f324
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorImportantSecurityPatches.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorImportantSecurityPatches.yaml
new file mode 100644
index 000000000..8619e93d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorImportantSecurityPatches.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureFrontDoorImportantSecurityPatches
+title: Use the latest API version and SDK version
+description: |-
+ When working with Azure Front Door through APIs, ARM templates, Bicep, or SDKs, using the latest API or SDK version is crucial. Updates bring new functions, important security patches, and bug fixes.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: 52bc9a7b-23c8-bc4c-9d2a-7bc43b50104a
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorMicrosoftBackboneNetwork.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorMicrosoftBackboneNetwork.yaml
new file mode 100644
index 000000000..096067f92
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorMicrosoftBackboneNetwork.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureFrontDoorMicrosoftBackboneNetwork
+title: Secure your Origin with Private Link in Azure Front Door
+description: |-
+ Azure Private Link enables secure access to Azure PaaS and services over a private endpoint in your virtual network, ensuring traffic goes over the Microsoft backbone network, not the public internet.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: 1cfe7834-56ec-ff41-b11d-993734705dba
+ area: Security
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorSecureConnections.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorSecureConnections.yaml
new file mode 100644
index 000000000..bf3922efd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-AzureFrontDoorSecureConnections.yaml
@@ -0,0 +1,25 @@
+name: aprl-AzureFrontDoorSecureConnections
+title: Use HTTP to HTTPS redirection
+description: |-
+ Using HTTPS is ideal for secure connections. However, for compatibility with older clients, HTTP requests may be necessary. Azure Front Door enables auto redirection of HTTP to HTTPS, enhancing security without sacrificing accessibility.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 0
+labels:
+ guid: 24ab9f11-a3e4-3043-a985-22cf94c4933a
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Use HTTP to HTTPS redirection
+ cdnresources
+ | where type == "microsoft.cdn/profiles/afdendpoints/routes"
+ | extend httpsRedirect=tostring(properties.httpsRedirect)
+ | project id,name,httpsRedirect,tags
+ | where httpsRedirect !~ "enabled"
+ | project recommendationId= "24ab9f11-a3e4-3043-a985-22cf94c4933a", name,id,tags,param1=strcat("httpsRedirect:",httpsRedirect)
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorAzureHostedOrigins.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorAzureHostedOrigins.yaml
new file mode 100644
index 000000000..a1b63b5f8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorAzureHostedOrigins.yaml
@@ -0,0 +1,25 @@
+name: aprl-FrontDoorAzureHostedOrigins
+title: Use end-to-end TLS
+description: |-
+ Front Door terminates TCP and TLS connections from clients and establishes new connections from each PoP to the origin. Securing these connections with TLS, even for Azure-hosted origins, ensures data is always encrypted during transit.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 0
+labels:
+ guid: d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Use end-to-end TLS
+ cdnresources
+ | where type == "microsoft.cdn/profiles/afdendpoints/routes"
+ | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols
+ | project id,name,forwardingProtocol,supportedProtocols,tags
+ | where forwardingProtocol !~ "httpsonly" or supportedProtocols has "http"
+ | project recommendationId= "d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1", name,id,tags,param1=strcat("forwardingProtocol:",forwardingProtocol),param2=strcat("supportedProtocols:",supportedProtocols)
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorHealthProbesOneOrigin.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorHealthProbesOneOrigin.yaml
new file mode 100644
index 000000000..575345bab
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorHealthProbesOneOrigin.yaml
@@ -0,0 +1,38 @@
+name: aprl-FrontDoorHealthProbesOneOrigin
+title: Disable health probes when there is only one origin in an origin group
+description: |-
+ Front Door health probes help detect unavailable or unhealthy origins, directing traffic to alternate origins if needed.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 2
+labels:
+ guid: 38f3d542-6de6-a44b-86c6-97e3be690281
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Disable health probes when there is only one origin in an origin group
+ cdnresources
+ | where type =~ "microsoft.cdn/profiles/origingroups"
+ | extend healthprobe=tostring(properties.healthProbeSettings)
+ | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe
+ | join (
+ cdnresources
+ | where type =~ "microsoft.cdn/profiles/origingroups/Origins"
+ | extend origingroupname = tostring(properties.originGroupName)
+ )
+ on origingroupname
+ | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != "") by origingroupname, id, tostring(tags), resourceGroup, subscriptionId
+ | where origincount == 1 and enabledhealthprobecount != 0
+ | project
+ recommendationId = "38f3d542-6de6-a44b-86c6-97e3be690281",
+ name=origingroupname,
+ id,
+ todynamic(tags),
+ param1 = strcat("origincount:", origincount),
+ param2 = strcat("enabledhealthprobecount:", enabledhealthprobecount)
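Review bot: The `join ... on origingroupname` in the ARG query keys only on the origin group's bare name, so origin groups that share a name across different Front Door profiles (or subscriptions) are merged into one group and `origincount` is inflated, which would hide a genuine single-origin group with a probe enabled. Scoping the join to the parent profile fixes this, e.g. extend both sides with `profileid=tolower(strcat_array(array_slice(split(id, "/"), 0, 8), "/"))` (the same pattern the WAF query in this set uses for `cdnprofileid`) and then join `on origingroupname, profileid`. Since the file appears to be generated from the upstream APRL recommendations, the corrected query would need to land there as well.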
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorLogsComprehensiveTelemetry.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorLogsComprehensiveTelemetry.yaml
new file mode 100644
index 000000000..fd1da0e94
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorLogsComprehensiveTelemetry.yaml
@@ -0,0 +1,18 @@
+name: aprl-FrontDoorLogsComprehensiveTelemetry
+title: Configure logs
+description: |-
+ Front Door logs offer comprehensive telemetry on each request, crucial for understanding your solution's performance and responses, especially when caching is enabled, as origin servers might not receive every request.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: 1ad74c3c-e3d7-0046-b83f-a2199974ef15
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorTraffic.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorTraffic.yaml
new file mode 100644
index 000000000..e00ef034c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorTraffic.yaml
@@ -0,0 +1,18 @@
+name: aprl-FrontDoorTraffic
+title: Restrict traffic to your origins
+description: |-
+ Front Door's features perform optimally when traffic exclusively comes through Front Door. It's advised to set up your origin to deny access to traffic that bypasses Front Door.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 0
+labels:
+ guid: 6c40b7ae-2bea-5748-be1a-9e9e3b834649
+ area: Security
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorWebApplicationFirewallInternetFacingApplications.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorWebApplicationFirewallInternetFacingApplications.yaml
new file mode 100644
index 000000000..262fdc1f3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-FrontDoorWebApplicationFirewallInternetFacingApplications.yaml
@@ -0,0 +1,56 @@
+name: aprl-FrontDoorWebApplicationFirewallInternetFacingApplications
+title: Enable the WAF
+description: |-
+ For internet-facing applications, enabling the Front Door web application firewall (WAF) and configuring it to use managed rules is recommended for protection against a wide range of attacks using Microsoft-managed rules.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: 1bd2b7e8-400f-e64a-99a2-c572f7b08a62
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Enable the WAF
+
+ resources
+ | where type =~ "microsoft.cdn/profiles" and sku has "AzureFrontDoor"
+ | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name)
+ | join kind= fullouter (
+ cdnresources
+ | where type == "microsoft.cdn/profiles/securitypolicies"
+ | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id'])
+ | extend splitid=split(id, "/")
+ | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+ | project secpolname=name, cdnprofileid, wafpolicyid
+ )
+ on cdnprofileid
+ | project name, cdnprofileid, secpolname, wafpolicyid,skuname
+ | join kind = fullouter (
+ resources
+ | where type == "microsoft.network/frontdoorwebapplicationfirewallpolicies"
+ | extend
+ managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != "[]", true, false),
+ enabledState = tostring(properties.policySettings.enabledState)
+ | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags)
+ )
+ on wafpolicyid
+ | where name != ""
+ | summarize
+ associatedsecuritypolicies=countif(secpolname != ""),
+ wafswithmanagedrules=countif(managedrulesenabled == 1)
+ by name, id=cdnprofileid, tags,skuname
+ | where associatedsecuritypolicies == 0 or wafswithmanagedrules == 0
+ | project
+ recommendationId = "1bd2b7e8-400f-e64a-99a2-c572f7b08a62",
+ name,
+ id,
+ todynamic(tags),
+ param1 = strcat("associatedsecuritypolicies:", associatedsecuritypolicies),
+ param2 = strcat("wafswithmanagedrules:", wafswithmanagedrules),
+ param3 = strcat("skuname:",skuname)
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-GoodHealthProbeEndpointsAzureFrontDoor.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-GoodHealthProbeEndpointsAzureFrontDoor.yaml
new file mode 100644
index 000000000..9a8b5a717
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-GoodHealthProbeEndpointsAzureFrontDoor.yaml
@@ -0,0 +1,18 @@
+name: aprl-GoodHealthProbeEndpointsAzureFrontDoor
+title: Select good health probe endpoints
+description: |-
+ Consider selecting a webpage or location specifically designed for health monitoring as the endpoint for Azure Front Door's health probes. This should encompass the status of critical components like application servers, databases, and caches to serve production traffic efficiently.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: 5225bba3-28ec-1e43-8986-7eedfd466d65
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-KeyVaultCertificateVersionNewCertificateVersions.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-KeyVaultCertificateVersionNewCertificateVersions.yaml
new file mode 100644
index 000000000..bc4ddbadd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-KeyVaultCertificateVersionNewCertificateVersions.yaml
@@ -0,0 +1,18 @@
+name: aprl-KeyVaultCertificateVersionNewCertificateVersions
+title: Use latest version for customer-managed certificates
+description: |-
+ If you use your own TLS certificates, set the Key Vault certificate version to 'Latest' to avoid reconfiguring Azure Front Door for new certificate versions and waiting for deployment across Front Door's environments.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: 4638c2c0-03de-6d42-9e09-82ee4478cbf3
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-ManagedTlsCertificatesFrontDoor.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-ManagedTlsCertificatesFrontDoor.yaml
new file mode 100644
index 000000000..cce2e3f3e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-ManagedTlsCertificatesFrontDoor.yaml
@@ -0,0 +1,18 @@
+name: aprl-ManagedTlsCertificatesFrontDoor
+title: Use managed TLS certificates
+description: |-
+ When Front Door manages your TLS certificates, it reduces your operational costs and helps you to avoid costly outages caused by forgetting to renew a certificate. Front Door automatically issues and rotates the managed TLS certificates.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 0
+labels:
+ guid: 29d65c41-2fad-d142-95eb-9eab95f6c0a5
+ area: Security
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-SameDomainNameCustomDomainNames.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-SameDomainNameCustomDomainNames.yaml
new file mode 100644
index 000000000..6bd3be15b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-SameDomainNameCustomDomainNames.yaml
@@ -0,0 +1,18 @@
+name: aprl-SameDomainNameCustomDomainNames
+title: Use the same domain name on Front Door and your origin
+description: |-
+ Front Door can rewrite Host headers for custom domain names routing to a single origin, useful for avoiding custom domain configuration at both Front Door and the origin.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 1
+labels:
+ guid: cd6a32af-747a-e649-82a7-a98f528ca842
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCdn-profiles/aprl-SimpleGlobalLoadBalancingAzureFrontDoor.yaml b/v2/recos/Services/MicrosoftCdn-profiles/aprl-SimpleGlobalLoadBalancingAzureFrontDoor.yaml
new file mode 100644
index 000000000..2a2d5cb7e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCdn-profiles/aprl-SimpleGlobalLoadBalancingAzureFrontDoor.yaml
@@ -0,0 +1,47 @@
+name: aprl-SimpleGlobalLoadBalancingAzureFrontDoor
+title: Avoid combining Traffic Manager and Front Door
+description: |-
+ For most solutions, choose either Azure Front Door for content caching, CDN, TLS termination, and WAF, or Traffic Manager for simple global load balancing.
+source:
+ type: aprl
+ file: azure-resources/Cdn/profiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cdn/profiles
+severity: 0
+labels:
+ guid: 9437634c-d69e-2747-b13e-631c13182150
+ area: Business Continuity
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Avoid combining Traffic Manager and Front Door
+ resources
+ | where type == "microsoft.network/trafficmanagerprofiles"
+ | mvexpand(properties.endpoints)
+ | extend endpoint=tostring(properties_endpoints.properties.target)
+ | project name, trafficmanager=id, matchname=endpoint, tags
+ | join (
+ resources
+ | where type =~ "microsoft.cdn/profiles/afdendpoints"
+ | extend matchname= tostring(properties.hostName)
+ | extend splitid=split(id, "/")
+ | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+ | project name, id, matchname, frontdoorid, type
+ | union
+ (cdnresources
+ | where type =~ "Microsoft.Cdn/Profiles/CustomDomains"
+ | extend matchname= tostring(properties.hostName)
+ | extend splitid=split(id, "/")
+ | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+ | project name, id, matchname, frontdoorid, type)
+ )
+ on matchname
+ | project
+ recommendationId = "9437634c-d69e-2747-b13e-631c13182150",
+ name=split(trafficmanager, "/")[-1],
+ id=trafficmanager,
+ tags,
+ param1=strcat("hostname:", matchname),
+ param2=strcat("frontdoorid:", frontdoorid)
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AppropriateAccountabilityProcessesCostManagementFeatures.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AppropriateAccountabilityProcessesCostManagementFeatures.yaml
new file mode 100644
index 000000000..e916ddf8a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AppropriateAccountabilityProcessesCostManagementFeatures.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AppropriateAccountabilityProcessesCostManagementFeatures
+title: 'Cost management: Use cost management features with OpenAI to monitor costs,
+ set budgets to manage costs, and create alerts to notify stakeholders of risks or
+ anomalies.'
+description: Cost monitoring, setting budgets, and setting alerts provides governance
+ with the appropriate accountability processes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 0c5365cb-838b-4dfb-9608-0bcfabe98460
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ArchitecturalDesignDecisionsAzureOpenaiModels.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ArchitecturalDesignDecisionsAzureOpenaiModels.yaml
new file mode 100644
index 000000000..ce6f52e5b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ArchitecturalDesignDecisionsAzureOpenaiModels.yaml
@@ -0,0 +1,19 @@
+name: wafsg-ArchitecturalDesignDecisionsAzureOpenaiModels
+title: 'Monitor pay-as-you-go usage: If you use the pay-as-you-go approach, monitor
+ usage of TPM and RPM. Use that information to inform architectural design decisions
+ such as what models to use, and to optimize prompt sizes.'
+description: Continuously monitoring TPM and RPM gives you relevant metrics to optimize
+ the cost of Azure OpenAI models. You can couple this monitoring with model features
+ and model pricing to optimize model usage. You can also use this monitoring to optimize
+ prompt sizes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 0d6d5b07-c475-408c-8f6a-fa8c92b96957
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AzureOpenaiCompletionsApiDesignClientCode.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AzureOpenaiCompletionsApiDesignClientCode.yaml
new file mode 100644
index 000000000..2f691860f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AzureOpenaiCompletionsApiDesignClientCode.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureOpenaiCompletionsApiDesignClientCode
+title: 'Design client code to set limits: Your custom clients should use the limit
+ features of the Azure OpenAI completions API, such as maximum limit on the number
+ of tokens per model (`max_tokens`) or number of completions to generation (`n`).
+ Setting limits ensures that the server doesn''t produce more than the client needs.'
+description: Using API features to restrict usage aligns service consumption with
+ client needs. This saves money by ensuring the model doesn't generate an overly
+ long response that consumes more tokens than necessary.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 550bf6a6-0fd6-4f5e-a447-fefda36067bc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AzureOpenaiPriceBreakpointsNextBillingPeriod.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AzureOpenaiPriceBreakpointsNextBillingPeriod.yaml
new file mode 100644
index 000000000..dcfe8a55f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-AzureOpenaiPriceBreakpointsNextBillingPeriod.yaml
@@ -0,0 +1,20 @@
+name: wafsg-AzureOpenaiPriceBreakpointsNextBillingPeriod
+title: 'Usage optimization: Maximize Azure OpenAI price breakpoints, for example,
+ fine-tuning and model breakpoints like image generation. Because fine-tuning is
+ charged per hour, use as much time as you have available per hour to improve fine-tuning
+ results while avoiding slipping into the next billing period. Similarly, the cost
+ for generating 100 images is the same as the cost for 1 image. Maximize price breakpoints
+ to your advantage.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 73965cc9-1763-43c1-82aa-549b3ea75f4e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-CostEfficiencyBatchRequests.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-CostEfficiencyBatchRequests.yaml
new file mode 100644
index 000000000..a0b7455ee
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-CostEfficiencyBatchRequests.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CostEfficiencyBatchRequests
+title: 'Cost efficiency: Batch requests where possible to minimize the per-call overhead,
+ which can reduce overall costs. Ensure that you optimize batch size.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 3100afcf-2db1-4f14-901c-bd5e33bc29ff
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-CostTrackingSystemModelUsage.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-CostTrackingSystemModelUsage.yaml
new file mode 100644
index 000000000..5ed1cd56e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-CostTrackingSystemModelUsage.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CostTrackingSystemModelUsage
+title: 'Monitor and optimize: Set up a cost-tracking system that monitors model usage.
+ Use that information to help inform model choices and prompt sizes.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 6ebaa528-2e34-4366-b8cb-6bc3318ec624
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-DifferentFineTuningCostsCostEfficiency.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-DifferentFineTuningCostsCostEfficiency.yaml
new file mode 100644
index 000000000..c269f6c52
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-DifferentFineTuningCostsCostEfficiency.yaml
@@ -0,0 +1,16 @@
+name: wafsg-DifferentFineTuningCostsCostEfficiency
+title: 'Cost efficiency: Because models have different fine-tuning costs, consider
+ these costs if your solution requires fine-tuning.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 15ea2d47-0659-4906-a1ec-d26a00aa4237
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-MaximumTokenUsageLimitsDesiredApplicationPerformance.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-MaximumTokenUsageLimitsDesiredApplicationPerformance.yaml
new file mode 100644
index 000000000..a8321e83c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-MaximumTokenUsageLimitsDesiredApplicationPerformance.yaml
@@ -0,0 +1,22 @@
+name: wafsg-MaximumTokenUsageLimitsDesiredApplicationPerformance
+title: 'Usage optimization: Consider model pricing and capabilities when you choose
+ models. Start with less-costly models for less-complex tasks like text generation
+ or completion tasks. For more complex tasks like language translation or content
+ understanding, consider using more advanced models. Consider different model capabilities
+ and maximum token usage limits when you choose a model that''s appropriate for use
+ cases like text embedding, image generation, or transcription scenarios. By carefully
+ selecting the model that best fits your needs, you can optimize costs while still
+ achieving the desired application performance.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: e65920ea-b7aa-4eda-bfc8-36746c74933a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-PromptInputResponseLength.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-PromptInputResponseLength.yaml
new file mode 100644
index 000000000..741dfa7d0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-PromptInputResponseLength.yaml
@@ -0,0 +1,19 @@
+name: wafsg-PromptInputResponseLength
+title: 'Adjust usage: Optimize prompt input and response length. Longer prompts raise
+ costs by consuming more tokens. However, prompts that are missing sufficient context
+ don''t help the models yield good results. Create concise prompts that provide enough
+ context for the model to generate a useful response. Also ensure that you optimize
+ the limit of the response length.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 9e2fb33a-0e01-43c6-9de0-2409778ad08d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ProvisionManagedUtilizationThroughputUsage.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ProvisionManagedUtilizationThroughputUsage.yaml
new file mode 100644
index 000000000..dcce9bc26
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ProvisionManagedUtilizationThroughputUsage.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ProvisionManagedUtilizationThroughputUsage
+title: 'Monitor provisioned throughput usage: If you use provisioned throughput, monitor
+ provision-managed utilization to ensure you''re not underutilizing the provisioned
+ throughput you purchased.'
+description: Continuously monitoring provision-managed utilization gives you the information
+ you need to understand if you're underutilizing your provisioned throughput.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 25a3468e-92d0-4aa3-bb5f-c1214eee958b
+links: []
+queries: {}
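Review bot: The `source` mapping in this file has no `timestamp` key, while every sibling file whose `source.file` is `well-architected/service-guides/azure-openai.md` carries one (`timestamp: July 24, 2024`); the same gap is in the `wafsg-AzureOpenaiServiceAzureDiagnostics.yaml` hunk. Both files name `./checklists-ext/wafsg_checklist.en.json` as their source, so the difference looks like it comes from the generator path for that input rather than from the recommendation itself, but any consumer that reads `source.timestamp` to judge staleness now has to treat the key as optional. If the files are generated, the fix belongs in the generator that emits the `source` block: either always write `timestamp` (a `timestamp: <date-of-import>` placeholder for json-sourced items) or document in the schema that the key is optional.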
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ThroughputPricingModelRateOptimization.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ThroughputPricingModelRateOptimization.yaml
new file mode 100644
index 000000000..b062d555b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ThroughputPricingModelRateOptimization.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ThroughputPricingModelRateOptimization
+title: 'Rate optimization: When your token usage is sufficiently high and predictable
+ over a period of time, use the provisioned throughput pricing model for better cost
+ optimization.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 8c51bdd3-d4cb-4742-a323-89917c6ac87e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UnusedFineTunedModelsOngoingHostingFee.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UnusedFineTunedModelsOngoingHostingFee.yaml
new file mode 100644
index 000000000..9ebec1c61
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UnusedFineTunedModelsOngoingHostingFee.yaml
@@ -0,0 +1,16 @@
+name: wafsg-UnusedFineTunedModelsOngoingHostingFee
+title: 'Usage optimization: Remove unused fine-tuned models when they''re no longer
+ being consumed to avoid incurring an ongoing hosting fee.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: a1abac7c-cce9-4443-97e8-2faf150559d4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UsageOptimizationAzureOpenai.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UsageOptimizationAzureOpenai.yaml
new file mode 100644
index 000000000..60be167af
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UsageOptimizationAzureOpenai.yaml
@@ -0,0 +1,16 @@
+name: wafsg-UsageOptimizationAzureOpenai
+title: 'Usage optimization: Start with pay-as-you-go pricing for Azure OpenAI until
+ your token usage is predictable.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: 48e39691-9809-4ab1-86fb-857d47e4163e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UsageOptimizationTokenLimitingConstraints.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UsageOptimizationTokenLimitingConstraints.yaml
new file mode 100644
index 000000000..882ff9295
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-UsageOptimizationTokenLimitingConstraints.yaml
@@ -0,0 +1,17 @@
+name: wafsg-UsageOptimizationTokenLimitingConstraints
+title: 'Usage optimization: Use the token-limiting constraints offered by the API
+ calls, such as `max_tokens` and `n`, which indicate the number of completions to
+ generate.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: d310e9bc-ae3d-4eff-90a1-8356d72a1376
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ViableCostModelCostManagement.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ViableCostModelCostManagement.yaml
new file mode 100644
index 000000000..a8d75526f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Cost/wafsg-ViableCostModelCostManagement.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ViableCostModelCostManagement
+title: 'Cost management: Develop your cost model, considering prompt sizes. Understanding
+ prompt input and response sizes and how text translates into tokens helps you create
+ a viable cost model.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Cost
+severity: 1
+labels:
+ guid: fb012775-b93d-442c-916c-81ca72d7bc91
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AppropriateMetricsObservability.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AppropriateMetricsObservability.yaml
new file mode 100644
index 000000000..d79e8963b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AppropriateMetricsObservability.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AppropriateMetricsObservability
+title: 'Observability: Monitor, aggregate, and visualize appropriate metrics.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Operations
+severity: 1
+labels:
+ guid: f9637ddc-7d73-4efd-86f1-75d9d122f943
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AutomatedKeyRotationStrategyKeyBasedAuthentication.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AutomatedKeyRotationStrategyKeyBasedAuthentication.yaml
new file mode 100644
index 000000000..a9e1d5fd6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AutomatedKeyRotationStrategyKeyBasedAuthentication.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AutomatedKeyRotationStrategyKeyBasedAuthentication
+title: 'Automate for efficiency: If you use key-based authentication, implement an
+ automated key-rotation strategy.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Operations
+severity: 1
+labels:
+ guid: 406ddc6b-7ccc-4262-8c11-e00714f74590
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureApiManagementAzureOpenaiDiagnostics.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureApiManagementAzureOpenaiDiagnostics.yaml
new file mode 100644
index 000000000..ebdbd3343
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureApiManagementAzureOpenaiDiagnostics.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureApiManagementAzureOpenaiDiagnostics
+title: 'Observability: If Azure OpenAI diagnostics are insufficient for your needs,
+ consider using a gateway like Azure API Management in front of Azure OpenAI to log
+ both incoming prompts and outgoing responses where permitted. This information can
+ help you understand the effectiveness of the model for incoming prompts.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Operations
+severity: 1
+labels:
+ guid: eff14512-adda-441e-a2af-7a6589c330d5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureDevopsCultureAzureOpenaiInstances.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureDevopsCultureAzureOpenaiInstances.yaml
new file mode 100644
index 000000000..c5e186116
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureDevopsCultureAzureOpenaiInstances.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureDevopsCultureAzureOpenaiInstances
+title: 'Azure DevOps culture: Ensure deployment of Azure OpenAI instances across your
+ various environments, such as development, test, and production. Ensure that you
+ have environments to support continuous learning and experimentation throughout
+ the development cycle.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Operations
+severity: 1
+labels:
+ guid: be37d987-ea7b-4f82-b63a-49384a95b30b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureOpenaiModelDeployments.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureOpenaiModelDeployments.yaml
new file mode 100644
index 000000000..298abb65d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureOpenaiModelDeployments.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureOpenaiModelDeployments
+title: 'Deploy with confidence: Use infrastructure as code (IaC) to deploy Azure OpenAI,
+ model deployments, and other infrastructure required for fine-tuning models.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Operations
+severity: 1
+labels:
+ guid: 79634884-f1b8-4cbb-8583-e0ca1f41dd4d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureOpenaiServiceAzureDiagnostics.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureOpenaiServiceAzureDiagnostics.yaml
new file mode 100644
index 000000000..c265cd57d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-AzureOpenaiServiceAzureDiagnostics.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureOpenaiServiceAzureDiagnostics
+title: 'Enable and configure Azure Diagnostics: Enable and configure Diagnostics for
+ the Azure OpenAI Service.'
+description: Diagnostics collects and analyzes metrics and logs, helping you monitor
+ the availability, performance, and operation of Azure OpenAI.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Operations
+severity: 1
+labels:
+ guid: c5ac80e5-9b95-4205-a5c7-d8d8702ed00b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-LargeLanguageModelOperationsAzureOpenaiLlms.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-LargeLanguageModelOperationsAzureOpenaiLlms.yaml
new file mode 100644
index 000000000..ddb6665f2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Operations/wafsg-LargeLanguageModelOperationsAzureOpenaiLlms.yaml
@@ -0,0 +1,17 @@
+name: wafsg-LargeLanguageModelOperationsAzureOpenaiLlms
+title: 'Deploy with confidence: Follow large language model operations (LLMOps) practices
+ to operationalize the management of your Azure OpenAI LLMs, including deployment,
+ fine-tuning, and prompt engineering.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Operations
+severity: 1
+labels:
+ guid: 8863b916-2b11-4d2f-a468-110900f06f11
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiApplicationsAchievePerformance.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiApplicationsAchievePerformance.yaml
new file mode 100644
index 000000000..5d5cd9182
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiApplicationsAchievePerformance.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureOpenaiApplicationsAchievePerformance
+title: 'Achieve performance: For applications like chatbots or conversational interfaces,
+ consider implementing streaming. Streaming can enhance the perceived performance
+ of Azure OpenAI applications by delivering responses to users in an incremental
+ manner, improving the user experience.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 3bbf1b68-e6d6-475b-9406-9271cdee6454
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiBenchmarkingToolTokenConsumptionRequirements.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiBenchmarkingToolTokenConsumptionRequirements.yaml
new file mode 100644
index 000000000..69cae309e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiBenchmarkingToolTokenConsumptionRequirements.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureOpenaiBenchmarkingToolTokenConsumptionRequirements
+title: 'Capacity: Benchmark token consumption requirements based on estimated demands
+ from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate
+ the throughput if you''re using provisioned throughput unit (PTU) deployments.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 1238d615-b520-4de2-a8db-5da3156ea687
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiDeploymentsAppropriateGateways.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiDeploymentsAppropriateGateways.yaml
new file mode 100644
index 000000000..c0cf17d7a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-AzureOpenaiDeploymentsAppropriateGateways.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureOpenaiDeploymentsAppropriateGateways
+title: 'Capacity: Add the appropriate gateways in front of your Azure OpenAI deployments.
+ Ensure that the gateway can route to multiple instances in the same or different
+ regions.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 39601e61-c985-4ac6-9269-9f7edff4ca1e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-ConsumersElasticityDemandsHighPriorityTraffic.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-ConsumersElasticityDemandsHighPriorityTraffic.yaml
new file mode 100644
index 000000000..ba86c02e4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-ConsumersElasticityDemandsHighPriorityTraffic.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ConsumersElasticityDemandsHighPriorityTraffic
+title: 'Capacity: Estimate consumers'' elasticity demands. Identify high-priority
+ traffic that requires synchronous responses and low-priority traffic that can be
+ asynchronous and batched.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: c8f369bf-bb71-4c71-bec6-a9806f071d66
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-CustomGatewayImplementationTpmDeployment.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-CustomGatewayImplementationTpmDeployment.yaml
new file mode 100644
index 000000000..1241637da
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-CustomGatewayImplementationTpmDeployment.yaml
@@ -0,0 +1,19 @@
+name: wafsg-CustomGatewayImplementationTpmDeployment
+title: 'Capacity: Allocate PTUs to cover your predicted usage, and complement these
+ PTUs with a TPM deployment to handle elasticity above that limit. This approach
+ combines base throughput with elastic throughput for efficiency. Like other considerations,
+ this approach requires a custom gateway implementation to route requests to the
+ TPM deployment when the PTU limits are reached.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 2153dc0b-41f7-4470-abd1-c6ac7522537c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-DedicatedModelDeploymentsModelUsageIsolation.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-DedicatedModelDeploymentsModelUsageIsolation.yaml
new file mode 100644
index 000000000..839c49685
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-DedicatedModelDeploymentsModelUsageIsolation.yaml
@@ -0,0 +1,17 @@
+name: wafsg-DedicatedModelDeploymentsModelUsageIsolation
+title: 'Achieve performance: Consider using dedicated model deployments per consumer
+ group to provide per-model usage isolation that can help prevent noisy neighbors
+ between your consumer groups.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 21a63a3a-9e5d-4a7d-9825-636f4012fbcf
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-FasterResponseTimesPerformanceRequirements.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-FasterResponseTimesPerformanceRequirements.yaml
new file mode 100644
index 000000000..6f92e6de2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-FasterResponseTimesPerformanceRequirements.yaml
@@ -0,0 +1,20 @@
+name: wafsg-FasterResponseTimesPerformanceRequirements
+title: 'Capacity: Select a model that aligns with your performance requirements, considering
+ the tradeoff between speed and output complexity. Model performance can vary significantly
+ based on the chosen model type. Models designed for speed offer faster response
+ times, which can be beneficial for applications that require quick interactions.
+ Conversely, more sophisticated models might deliver higher-quality outputs at the
+ expense of increased response time.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 6fd43871-d247-42ea-b468-dcf25d2d4e68
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-HighPriorityRequestsLowPriorityRequests.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-HighPriorityRequestsLowPriorityRequests.yaml
new file mode 100644
index 000000000..912c7bb48
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-HighPriorityRequestsLowPriorityRequests.yaml
@@ -0,0 +1,16 @@
+name: wafsg-HighPriorityRequestsLowPriorityRequests
+title: 'Capacity: Send high-priority requests synchronously. Queue low-priority requests
+ and send them through in batches when demand is low.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 4d0ffbf1-3c3b-4ea3-8a58-05fac3a22e33
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-NoisyNeighborProblemsConsistentMaximumLatency.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-NoisyNeighborProblemsConsistentMaximumLatency.yaml
new file mode 100644
index 000000000..4c29a4a7b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-NoisyNeighborProblemsConsistentMaximumLatency.yaml
@@ -0,0 +1,19 @@
+name: wafsg-NoisyNeighborProblemsConsistentMaximumLatency
+title: 'Capacity: Use provisioned throughput for production workloads. Provisioned
+ throughput offers dedicated memory and compute, reserved capacity, and consistent
+ maximum latency for the specified model version. The pay-as-you-go offering can
+ suffer from noisy neighbor problems like increased latency and throttling in regions
+ under heavy use. Also, the pay-as-you-go approach doesn''t offer guaranteed capacity.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 2b52edf1-c7bc-4108-90c0-d3df81bff610
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-RetrievalAugmentedGenerationRagApproachesGoodUseCases.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-RetrievalAugmentedGenerationRagApproachesGoodUseCases.yaml
new file mode 100644
index 000000000..464806257
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Performance/wafsg-RetrievalAugmentedGenerationRagApproachesGoodUseCases.yaml
@@ -0,0 +1,19 @@
+name: wafsg-RetrievalAugmentedGenerationRagApproachesGoodUseCases
+title: 'Achieve performance: Determine when to use fine-tuning before you commit to
+ fine-tuning. Although there are good use cases for fine-tuning, such as when the
+ information needed to steer the model is too long or complex to fit into the prompt,
+ make sure that prompt engineering and retrieval-augmented generation (RAG) approaches
+ don''t work or are demonstrably more expensive.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Performance
+severity: 1
+labels:
+ guid: 50fa9db0-6a80-446b-8eca-32b51efb14b5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-BusinessContinuityDisasterRecovery.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-BusinessContinuityDisasterRecovery.yaml
new file mode 100644
index 000000000..96b893a5f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-BusinessContinuityDisasterRecovery.yaml
@@ -0,0 +1,16 @@
+name: revcl-BusinessContinuityDisasterRecovery
+title: Business Continuity and Disaster Recovery (BCDR) considerations with Azure
+ OpenAI Service
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 0
+labels:
+ guid: 750ab2ab-039d-4a6d-95d7-c892adb107d5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-ChatgptConversations.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-ChatgptConversations.yaml
new file mode 100644
index 000000000..a2cb07ff6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-ChatgptConversations.yaml
@@ -0,0 +1,15 @@
+name: revcl-ChatgptConversations
+title: Backup Your ChatGPT conversations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 325af625-ca44-4e46-a5e2-223ace8bb123
+links:
+- type: docs
+ url: https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations
+queries: {}
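Review bot: The `links` entry on the `url:` line points to a third-party personal GitHub repository (`github.com/abacaj/chatgpt-backup`) but is typed `type: docs`, which every other `docs` link in these hunks reserves for `learn.microsoft.com` or the `github.com/Azure` org. Readers of the checklist treat `docs` links as vetted guidance, so an unreviewed external tool under that label is a trust and supply-chain concern for anyone who follows it. The file names `./checklists/waf_checklist.en.json` as its source, so if it is generated the correction belongs in that JSON: either replace the link with official documentation for the backup recommendation or give external tooling its own link type (e.g. `type: community`, if the schema allows a value like that) so it is visibly distinct from Microsoft documentation.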
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-CustomSpeechCiCd.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-CustomSpeechCiCd.yaml
new file mode 100644
index 000000000..219ac527d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-CustomSpeechCiCd.yaml
@@ -0,0 +1,15 @@
+name: revcl-CustomSpeechCiCd
+title: CI/CD for custom speech
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 07ca5f17-f154-4e3a-a369-2829e7e31618
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-KnowledgeBaseExportImport.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-KnowledgeBaseExportImport.yaml
new file mode 100644
index 000000000..8eb4fdf92
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-KnowledgeBaseExportImport.yaml
@@ -0,0 +1,15 @@
+name: revcl-KnowledgeBaseExportImport
+title: Move a knowledge base using export-import
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 3687a046-7a1f-4893-9bda-43324f248116
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-LeverageFtaHandbookCognitiveServices.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-LeverageFtaHandbookCognitiveServices.yaml
new file mode 100644
index 000000000..387454657
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-LeverageFtaHandbookCognitiveServices.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageFtaHandbookCognitiveServices
+title: Leverage FTA HandBook for Cognitive Services
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 21c30d25-ffb7-4f6a-b9ea-b3fec328f787
+links:
+- type: docs
+ url: https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-Prompts.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-Prompts.yaml
new file mode 100644
index 000000000..7f940666a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/revcl-Prompts.yaml
@@ -0,0 +1,15 @@
+name: revcl-Prompts
+title: Backup Your Prompts
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 78c34698-16b2-4763-aefe-1b9b599de0d5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-AppropriateDeploymentOptionUseCase.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-AppropriateDeploymentOptionUseCase.yaml
new file mode 100644
index 000000000..1f81d043a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-AppropriateDeploymentOptionUseCase.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AppropriateDeploymentOptionUseCase
+title: 'Resiliency: Choose the appropriate deployment option of either pay-as-you-go
+ or provisioned throughput based on your use case. Because reserved capacity increases
+ resiliency, choose provisioned throughput for production solutions. The pay-as-you-go
+ approach is ideal for dev/test environments.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 9d3622f2-e644-41df-8909-d30ac168fd6e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-AzureBlobStoreLargeDataFiles.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-AzureBlobStoreLargeDataFiles.yaml
new file mode 100644
index 000000000..289da14ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-AzureBlobStoreLargeDataFiles.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureBlobStoreLargeDataFiles
+title: 'Resiliency: Follow the guidance for large data files and import the data from
+ an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded
+ through multipart forms because the requests are atomic and can''t be retried or
+ resumed.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 544e8c7d-450b-4e55-aaec-1a75f667db90
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-CapacityUsageThroughputLimits.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-CapacityUsageThroughputLimits.yaml
new file mode 100644
index 000000000..72cb865b2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-CapacityUsageThroughputLimits.yaml
@@ -0,0 +1,17 @@
+name: wafsg-CapacityUsageThroughputLimits
+title: 'Resiliency: Monitor capacity usage to ensure you aren''t exceeding throughput
+ limits. Regularly review capacity usage to achieve more accurate forecasting and
+ help prevent service interruptions due to capacity constraints.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: fca027d7-7acf-497a-b915-52872ab724a4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ImportantThroughputInformationRateLimits.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ImportantThroughputInformationRateLimits.yaml
new file mode 100644
index 000000000..d55bfb501
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ImportantThroughputInformationRateLimits.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ImportantThroughputInformationRateLimits
+title: 'Monitor rate limits for pay-as-you-go: If you''re using the pay-as-you-go
+ approach, manage rate limits for your model deployments and monitor usage of tokens
+ per minute (TPM) and requests per minute (RPM).'
+description: This important throughput information provides information required to
+ ensure that you assign enough TPM from your quota to meet the demand for your deployments.Assigning
+ enough quota prevents throttling of calls to your deployed models.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: b1f8cbf7-e5d5-47cd-b8c6-dcece4ef10bf
+links: []
+queries: {}
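Review bot: The description text reads `deployments.Assigning` with no space after the period, which looks carried over from the source checklist rather than introduced by the generator. Since this file is presumably regenerated from `./checklists-ext/wafsg_checklist.en.json`, fixing the text in the source (or normalizing sentence spacing in the generator) is the durable fix; hand-editing the YAML would be overwritten on the next run.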
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-MultipleAzureOpenaiInstancesAzureOpenaiDeployments.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-MultipleAzureOpenaiInstancesAzureOpenaiDeployments.yaml
new file mode 100644
index 000000000..2a903ef70
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-MultipleAzureOpenaiInstancesAzureOpenaiDeployments.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MultipleAzureOpenaiInstancesAzureOpenaiDeployments
+title: 'Redundancy: Add the appropriate gateways in front of your Azure OpenAI deployments.
+ The gateway must have the capability to withstand transient failures like throttling
+ and also route to multiple Azure OpenAI instances. Consider routing to instances
+ in different regions to build regional redundancy.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: bb8e46b8-026e-44ed-9218-cc86ac5f82dc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-OpaqueRiskAnalysisTuneContentFilters.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-OpaqueRiskAnalysisTuneContentFilters.yaml
new file mode 100644
index 000000000..b4009c85e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-OpaqueRiskAnalysisTuneContentFilters.yaml
@@ -0,0 +1,16 @@
+name: wafsg-OpaqueRiskAnalysisTuneContentFilters
+title: 'Tune content filters: Tune content filters to minimize false positives from
+ overly aggressive filters.'
+description: Content filters block prompts or completions based on an opaque risk
+ analysis. Ensure content filters are tuned to allow expected usage for your workload.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 3b329988-97cb-40c6-b139-17089897a9a1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ThroughputModelResiliency.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ThroughputModelResiliency.yaml
new file mode 100644
index 000000000..5ede36191
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ThroughputModelResiliency.yaml
@@ -0,0 +1,19 @@
+name: wafsg-ThroughputModelResiliency
+title: 'Resiliency: If you''re using provisioned throughput, consider also deploying
+ a pay-as-you-go instance to handle overflow. You can route calls to the pay-as-you-go
+ instance via your gateway when your provisioned throughput model is throttled. You
+ can also use monitoring to predict when the model will be throttled and preemptively
+ route calls to the pay-as-you-go instance.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 9ba430a3-7386-4b44-8e19-26470b015bb8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ThroughputPaymentModelProvisionedThroughput.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ThroughputPaymentModelProvisionedThroughput.yaml
new file mode 100644
index 000000000..c6a61d672
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-ThroughputPaymentModelProvisionedThroughput.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ThroughputPaymentModelProvisionedThroughput
+title: 'Monitor provision-managed utilization for provisioned throughput: If you''re
+ using the provisioned throughput payment model, monitor provision-managed utilization.'
+description: It's important to monitor provision-managed utilization to ensure it
+ doesn't exceed 100%, to prevent throttling of calls to your deployed models.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: a7585b62-bb9f-4b4f-8491-13e9728a0865
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-TrainingDataAzureOpenai.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-TrainingDataAzureOpenai.yaml
new file mode 100644
index 000000000..b45395299
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Reliability/wafsg-TrainingDataAzureOpenai.yaml
@@ -0,0 +1,19 @@
+name: wafsg-TrainingDataAzureOpenai
+title: 'Recovery: Define a recovery strategy that includes a recovery plan for models
+ that are fine-tuned and for training data uploaded to Azure OpenAI. Because Azure
+ OpenAI doesn''t have automatic failover, you must design a strategy that encompasses
+ the entire service and all dependencies, such as storage that contains training
+ data.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 8fe970c3-76a2-4c9f-b198-0e6106b17f96
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AccessControlsUserAccess.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AccessControlsUserAccess.yaml
new file mode 100644
index 000000000..5d6cc3814
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AccessControlsUserAccess.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AccessControlsUserAccess
+title: 'Protect integrity: Implement access controls to authenticate and authorize
+ user access to the system by using the least-privilege principle and by using individual
+ identities instead of keys.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: f47bab52-1aa2-45c5-b250-b3716716367e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureAiContentSafetyStudioAzureOpenaiDeployments.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureAiContentSafetyStudioAzureOpenaiDeployments.yaml
new file mode 100644
index 000000000..c8474c4c9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureAiContentSafetyStudioAzureOpenaiDeployments.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureAiContentSafetyStudioAzureOpenaiDeployments
+title: 'Protect against jailbreak attacks: Use Azure AI Content Safety Studio to detect
+ jailbreak risks.'
+description: Detect jailbreak attempts to identify and block prompts that try to bypass
+ the safety mechanisms of your Azure OpenAI deployments.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: 47f53122-cc5c-4172-901a-cd3cf6d5085f
+links: []
+queries: {}
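Review bot: wafsg-AzureAiContentSafetyStudioAzureOpenaiDeployments and wafsg-JailbreakRiskDetectionLanguageModelDeployments appear to encode the same guidance (jailbreak and prompt-injection risk detection) ingested from the two different sources, with distinct GUIDs and no cross-reference; wafsg-AzureVirtualNetworkNetworkTraffic and wafsg-ModelUsageQuotasSuspectedAbuse partially overlap in the same way on network isolation of the service. A consumer that merges both sources will present each of these controls twice. If deduplication is not done at generation time, a comment in the generated file naming the related entry, e.g. `# related: wafsg-JailbreakRiskDetectionLanguageModelDeployments`, would at least make the overlap visible to reviewers.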
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureOpenaiKeyBasedAuthenticationAzureKeyVault.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureOpenaiKeyBasedAuthenticationAzureKeyVault.yaml
new file mode 100644
index 000000000..62626b272
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureOpenaiKeyBasedAuthenticationAzureKeyVault.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureOpenaiKeyBasedAuthenticationAzureKeyVault
+title: 'Secure keys: If your architecture requires Azure OpenAI key-based authentication,
+ store those keys in Azure Key Vault, not in application code.'
+description: Separating secrets from code by storing them in Key Vault reduces the
+ chance of leaking secrets. Separation also facilitates central management of secrets,
+ easing responsibilities like key rotation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: 8dc95921-66ec-40fa-9e0c-2bcd0de338bc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureOpenaiResourcesDataExfiltration.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureOpenaiResourcesDataExfiltration.yaml
new file mode 100644
index 000000000..ccadd321f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureOpenaiResourcesDataExfiltration.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureOpenaiResourcesDataExfiltration
+title: 'Protect confidentiality: Guard against data exfiltration by limiting the outbound
+ URLs that Azure OpenAI resources can access.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: da9ce235-e104-401e-b094-59bf983cfa40
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureVirtualNetworkNetworkTraffic.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureVirtualNetworkNetworkTraffic.yaml
new file mode 100644
index 000000000..dd39cbf42
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-AzureVirtualNetworkNetworkTraffic.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureVirtualNetworkNetworkTraffic
+title: 'Restrict access: Disable public access to Azure OpenAI unless your workload
+ requires it. Create private endpoints if you''re connecting from consumers in an
+ Azure virtual network.'
+description: Controlling access to Azure OpenAI helps prevent attacks from unauthorized
+ users. Using private endpoints ensures network traffic remains private between the
+ application and the platform.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: fb4efdfc-4ccf-4be0-8652-39f3ac82a3a3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-CognitiveServicesOpenaiUserRoleGrantModelAutomationPipelines.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-CognitiveServicesOpenaiUserRoleGrantModelAutomationPipelines.yaml
new file mode 100644
index 000000000..59cfd0559
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-CognitiveServicesOpenaiUserRoleGrantModelAutomationPipelines.yaml
@@ -0,0 +1,22 @@
+name: wafsg-CognitiveServicesOpenaiUserRoleGrantModelAutomationPipelines
+title: 'Microsoft Entra ID: Use Microsoft Entra ID for authentication and to authorize
+ access to Azure OpenAI by using role-based access control (RBAC). Disable local
+ authentication in Azure AI Services and set `disableLocalAuth` to `true`. Grant
+ identities that perform completions or image generation the Cognitive Services OpenAI
+ User role. Grant model automation pipelines and ad-hoc data-science access a role
+ like Cognitive Services OpenAI Contributor.'
+description: Using Microsoft Entra ID centralizes the identity-management component
+ and eliminates the use of API keys. Using RBAC with Microsoft Entra ID ensures that
+ users or groups have exactly the permissions they need to do their job. This kind
+ of fine-grained access control isn't possible with Azure OpenAI API keys.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: a391f8f5-e04e-4285-b756-4e9de162bc10
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-CustomerManagedKeysFineTunedModels.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-CustomerManagedKeysFineTunedModels.yaml
new file mode 100644
index 000000000..a1dcdd74e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-CustomerManagedKeysFineTunedModels.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CustomerManagedKeysFineTunedModels
+title: 'Use customer-managed keys: Use customer-managed keys for fine-tuned models
+ and training data that''s uploaded to Azure OpenAI.'
+description: Using customer-managed keys gives you greater flexibility to create,
+ rotate, disable, and revoke access controls.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: f73c5ae9-9299-48ca-969c-6ac872096e3d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-JailbreakRiskDetectionLanguageModelDeployments.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-JailbreakRiskDetectionLanguageModelDeployments.yaml
new file mode 100644
index 000000000..c391910ce
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-JailbreakRiskDetectionLanguageModelDeployments.yaml
@@ -0,0 +1,16 @@
+name: wafsg-JailbreakRiskDetectionLanguageModelDeployments
+title: 'Protect integrity: Implement jailbreak risk detection to safeguard your language
+ model deployments against prompt injection attacks.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: 41a12d3c-56b5-4f10-9eea-303af5adcdb6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-ModelUsageQuotasSuspectedAbuse.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-ModelUsageQuotasSuspectedAbuse.yaml
new file mode 100644
index 000000000..d3325cc48
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-ModelUsageQuotasSuspectedAbuse.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ModelUsageQuotasSuspectedAbuse
+title: 'Protect availability: Use security controls to prevent attacks that might
+ exhaust model usage quotas. You might configure controls to isolate the service
+ on a network. If the service must be accessible from the internet, consider using
+ a gateway to block suspected abuse by using routing or throttling.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: a55c7008-6341-44e8-8b8c-089bc61dd193
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-SecurityBestPracticesAzureBlobStorage.yaml b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-SecurityBestPracticesAzureBlobStorage.yaml
new file mode 100644
index 000000000..f795fa3f6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCognitiveServices-accounts/Security/wafsg-SecurityBestPracticesAzureBlobStorage.yaml
@@ -0,0 +1,21 @@
+name: wafsg-SecurityBestPracticesAzureBlobStorage
+title: 'Protect confidentiality: If you upload training data to Azure OpenAI, use
+ customer-managed keys for data encryption, implement a key-rotation strategy, and
+ delete training, validation, and training results data. If you use an external data
+ store for training data, follow security best practices for that store. For example,
+ for Azure Blob Storage, use customer-managed keys for encryption and implement a
+ key-rotation strategy. Use managed identity-based access, implement a network perimeter
+ by using private endpoints, and enable access logs.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-openai.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.cognitiveservices/accounts
+waf: Security
+severity: 1
+labels:
+ guid: 18050528-bca5-43c3-99c5-4e7035bd9496
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-galleries/aprl-ProductionImageVersionsProductionImages.yaml b/v2/recos/Services/MicrosoftCompute-galleries/aprl-ProductionImageVersionsProductionImages.yaml
new file mode 100644
index 000000000..d9dffa276
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-galleries/aprl-ProductionImageVersionsProductionImages.yaml
@@ -0,0 +1,26 @@
+name: aprl-ProductionImageVersionsProductionImages
+title: A minimum of three replicas should be kept for production image versions
+description: |-
+ Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.
+source:
+ type: aprl
+ file: azure-resources/Compute/galleries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/galleries
+severity: 1
+labels:
+ guid: b49a39fd-f431-4b61-9062-f2157849d845
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Query to list all image versions,its associated image name and version replica configurations per region in a compute gallery whose version replicas is less than 3
+ resources
+ | where type =~ "microsoft.compute/galleries/images/versions"
+ | extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
+ | mv-expand VersionReplicas = properties.publishingProfile.targetRegions
+ | project RecommendationId="b49a39fd-f431-4b61-9062-f2157849d845",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("VersionReplicaRegionName: ",VersionReplicas.name),param4=strcat("VersionReplicationCount: ",VersionReplicas.regionalReplicaCount),rc=toint(VersionReplicas.regionalReplicaCount)
+ | where rc < 3
+ | project-away rc
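Review bot: `resourceTypes` in the aprl entries uses the mixed-case form `Microsoft.Compute/galleries` (and `Microsoft.Compute/virtualMachineScaleSets` in the virtualMachineScaleSets entries), while the revcl and wafsg entries use all-lowercase `microsoft.compute/virtualmachinescalesets` and `microsoft.cognitiveservices/accounts`. Any consumer that groups or filters on this field with an exact string compare will split the same resource type across two buckets; normalizing to lowercase at generation time, e.g. `- microsoft.compute/galleries`, avoids that. The ARG queries also disagree on the output column name (`RecommendationId` here versus `recommendationId` in the virtualMachineScaleSets queries), which is inherited from the upstream APRL content but matters to anyone parsing query results by column.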
diff --git a/v2/recos/Services/MicrosoftCompute-galleries/aprl-TrustedLaunchSupportedImagesLargeBootVolume.yaml b/v2/recos/Services/MicrosoftCompute-galleries/aprl-TrustedLaunchSupportedImagesLargeBootVolume.yaml
new file mode 100644
index 000000000..6e8eda482
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-galleries/aprl-TrustedLaunchSupportedImagesLargeBootVolume.yaml
@@ -0,0 +1,24 @@
+name: aprl-TrustedLaunchSupportedImagesLargeBootVolume
+title: Consider creating TrustedLaunchSupported images where possible
+description: |-
+ We recommend creating Trusted Launch Supported Images for benefits like Secure Boot, vTPM, trusted launch VMs, large boot volume. These are Gen 2 Images by default and you cannot change a VM's generation after creation, so review the considerations first.
+source:
+ type: aprl
+ file: azure-resources/Compute/galleries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/galleries
+severity: 2
+labels:
+ guid: 1c5e1e58-4e56-491c-8529-10f37af9d4ed
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Query to list all images whose Hyper-V generation is not V2
+ resources
+ | where type =~ "microsoft.compute/galleries/images"
+ | extend VMGeneration = properties.hyperVGeneration
+ | where VMGeneration <> 'V2'
+ | project RecommendationId="1c5e1e58-4e56-491c-8529-10f37af9d4ed",name,id,tags,param1=strcat("VMGeneration: ",VMGeneration)
diff --git a/v2/recos/Services/MicrosoftCompute-galleries/aprl-ZoneRedundantStorageAzureComputeGallery.yaml b/v2/recos/Services/MicrosoftCompute-galleries/aprl-ZoneRedundantStorageAzureComputeGallery.yaml
new file mode 100644
index 000000000..e25d10d3b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-galleries/aprl-ZoneRedundantStorageAzureComputeGallery.yaml
@@ -0,0 +1,25 @@
+name: aprl-ZoneRedundantStorageAzureComputeGallery
+title: Zone redundant storage should be used for image versions
+description: |-
+ Use ZRS for high availability when creating image/VM versions in Azure Compute Gallery, offering resilience against Availability Zone failures. ZRS accounts are advisable in regions with Availability Zones, with the choice of Standard_ZRS recommended over Standard_LRS for these regions.
+source:
+ type: aprl
+ file: azure-resources/Compute/galleries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/galleries
+severity: 1
+labels:
+ guid: 488dcc8b-f2e3-40ce-bf95-73deb2db095f
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Query to list all image versions and its associated image and gallery name whose Storage account type is not using ZRS
+ resources
+ | where type =~ "microsoft.compute/galleries/images/versions"
+ | extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
+ | extend StorageAccountType = tostring(properties.publishingProfile.storageAccountType)
+ | where StorageAccountType !has "ZRS"
+ | project RecommendationId="488dcc8b-f2e3-40ce-bf95-73deb2db095f",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("StorageAccountType: ",StorageAccountType)
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/Reliability/revcl-EnhancedVmScaleSetsAutomaticInstanceRepairs.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/Reliability/revcl-EnhancedVmScaleSetsAutomaticInstanceRepairs.yaml
new file mode 100644
index 000000000..6aae56b9f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/Reliability/revcl-EnhancedVmScaleSetsAutomaticInstanceRepairs.yaml
@@ -0,0 +1,18 @@
+name: revcl-EnhancedVmScaleSetsAutomaticInstanceRepairs
+title: Enable automatic instance repairs for enhanced VM Scale Sets resiliency
+description: Automatic instance repairs ensure that unhealthy instances are promptly
+ identified and replaced, maintaining a set of healthy instances within your scale
+ set.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachinescalesets
+waf: Reliability
+severity: 2
+labels:
+ guid: 7e13c105-675c-41e9-95b4-59837ff7ae7c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-ApplicationLoadDemandsVmInstanceDistribution.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-ApplicationLoadDemandsVmInstanceDistribution.yaml
new file mode 100644
index 000000000..1a3346345
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-ApplicationLoadDemandsVmInstanceDistribution.yaml
@@ -0,0 +1,25 @@
+name: aprl-ApplicationLoadDemandsVmInstanceDistribution
+title: Disable Force strictly even balance across zones to avoid scale in and out
+ fail attempts
+description: |-
+ Microsoft advises disabling strictly even VM instance distribution across Availability Zones in VMSS to improve scalability and flexibility, noting that uneven distribution may better serve application load demands despite the potential trade-off in resilience.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 0
+labels:
+ guid: b5a63aa0-c58e-244f-b8a6-cbba0560a6db
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find VMSS instances where strictly zoneBalance is set to True
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | where properties.orchestrationMode == "Uniform" and properties.zoneBalance == true
+ | project recommendationId = "b5a63aa0-c58e-244f-b8a6-cbba0560a6db", name, id, tags, param1 = "strictly zoneBalance: Enabled"
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AutoGuestPatchingVmssImageVersions.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AutoGuestPatchingVmssImageVersions.yaml
new file mode 100644
index 000000000..8324a3afe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AutoGuestPatchingVmssImageVersions.yaml
@@ -0,0 +1,18 @@
+name: aprl-AutoGuestPatchingVmssImageVersions
+title: Upgrade VMSS Image versions scheduled to be deprecated or already retired
+description: |-
+ Ensure current versions of images are in use to avoid disruption after image deprecation. Please review the publisher, offer, sku information of the VM to ensure you are running on a supported image. Enable Auto Guest Patching or Image Upgrades, to get notifications about image deprecation.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 0
+labels:
+ guid: 83d61669-7bd6-9642-a305-175db8adcdf4
+ area: Governance
+links: []
+queries:
+ arg: |
+ //cannot-be-validated-with-arg
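Review bot: `queries.arg` here holds only the comment `//cannot-be-validated-with-arg`, so a consumer that submits every non-empty `arg` value to Resource Graph will send a query with no statements and get an error rather than a clean "no query" result. The other entries in this change express the absence of a query as `queries: {}`; the generator should map this upstream sentinel to that form, or the schema should document the sentinel so callers know to skip it.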
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AutomaticVmGuestPatchingPatchOrchestrationOptions.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AutomaticVmGuestPatchingPatchOrchestrationOptions.yaml
new file mode 100644
index 000000000..2403f5263
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AutomaticVmGuestPatchingPatchOrchestrationOptions.yaml
@@ -0,0 +1,39 @@
+name: aprl-AutomaticVmGuestPatchingPatchOrchestrationOptions
+title: Set Patch orchestration options to Azure-orchestrated
+description: |-
+ Enabling automatic VM guest patching eases update management by safely, automatically patching virtual machines to maintain security compliance, while limiting blast radius of VMs. Note, the KQL will not return sets using Uniform orchestration.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 2
+labels:
+ guid: e4ffd7b0-ba24-c84e-9352-ba4819f908c0
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph query
+ // Identifies VMs and VMSS with manual patch settings, excluding automatic patch modes
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | join kind=inner (
+ resources
+ | where type == "microsoft.compute/virtualmachines"
+ | project id = tostring(properties.virtualMachineScaleSet.id), vmproperties = properties
+ ) on id
+ | extend recommendationId = "e4ffd7b0-ba24-c84e-9352-ba4819f908c0", param1 = "patchMode: Manual", vmproperties.osProfile.linuxConfiguration.patchSettings.patchMode
+ | where isnotnull(vmproperties.osProfile.linuxConfiguration) and vmproperties.osProfile.linuxConfiguration.patchSettings.patchMode !in ("AutomaticByPlatform", "AutomaticByOS")
+ | distinct recommendationId, name, id, param1
+ | union (resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | join kind=inner (
+ resources
+ | where type == "microsoft.compute/virtualmachines"
+ | project id = tostring(properties.virtualMachineScaleSet.id), vmproperties = properties
+ ) on id
+ | extend recommendationId = "e4ffd7b0-ba24-c84e-9352-ba4819f908c0", param1 = "patchMode: Manual", vmproperties.osProfile.windowsConfiguration.patchSettings.patchMode
+ | where isnotnull(vmproperties.osProfile.windowsConfiguration) and vmproperties.osProfile.windowsConfiguration.patchSettings.patchMode !in ("AutomaticByPlatform", "AutomaticByOS")
+ | distinct recommendationId, name, id, param1)
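Review bot: `param1 = "patchMode: Manual"` is hard-coded in both branches of the union, but the filter admits any patch mode outside `AutomaticByPlatform`/`AutomaticByOS`, so a scale set whose VMs use some other mode would be reported as `Manual`. Reporting the actual value, e.g. `param1 = strcat("patchMode: ", tostring(vmproperties.osProfile.linuxConfiguration.patchSettings.patchMode))` (and the `windowsConfiguration` equivalent in the second branch), makes the finding accurate, and the trailing bare projection of that same path in each `extend` is then redundant since `distinct` drops it. This query text is presumably inherited from the upstream APRL file, so the fix belongs there rather than in this generated YAML.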
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AvailabilityZonesProtectionMeasure.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AvailabilityZonesProtectionMeasure.yaml
new file mode 100644
index 000000000..526008dcc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AvailabilityZonesProtectionMeasure.yaml
@@ -0,0 +1,24 @@
+name: aprl-AvailabilityZonesProtectionMeasure
+title: Deploy VMSS across availability zones with VMSS Flex
+description: |-
+ When creating VMSS, implement availability zones as a protection measure for your applications and data against the rare event of datacenter failure.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 0
+labels:
+ guid: 1422c567-782c-7148-ac7c-5fc14cf45adc
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find VMSS instances with one or no Zones selected
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | where array_length(zones) <= 1 or isnull(zones)
+ | project recommendationId = "1422c567-782c-7148-ac7c-5fc14cf45adc", name, id, tags, param1 = "AvailabilityZones: Single Zone"
+ | order by id asc
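Review bot: The `timestamp` under `source` is a free-form English date (`timestamp: July 24, 2024`), which consumers of these files cannot sort or compare reliably and which depends on the locale of whatever wrote it; the same form appears in every other aprl-* file in this change and in the wafsg files that cite virtual-machines.md. An ISO 8601 date, `timestamp: 2024-07-24`, would be unambiguous and would sort lexically. Since these files look generated, the fix presumably belongs in the generator that writes the `source` block rather than in each file by hand.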
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetVirtualMachineScaleSets.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetVirtualMachineScaleSets.yaml
new file mode 100644
index 000000000..a7c8f50af
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetVirtualMachineScaleSets.yaml
@@ -0,0 +1,30 @@
+name: aprl-AzureVirtualMachineScaleSetVirtualMachineScaleSets
+title: Enable Azure Virtual Machine Scale Set Application Health Monitoring
+description: |-
+ Monitoring application health in Azure Virtual Machine Scale Sets is crucial for deployment management. It supports rolling upgrades such as automatic OS-image upgrades and VM guest patching, leveraging health monitoring for upgrading.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 1
+labels:
+ guid: 94794d2a-eff0-2345-9b67-6f9349d0a627
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that do NOT have health monitoring enabled
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | join kind=leftouter (
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | mv-expand extension=properties.virtualMachineProfile.extensionProfile.extensions
+ | where extension.properties.type in ( "ApplicationHealthWindows", "ApplicationHealthLinux" )
+ | project id
+ ) on id
+ | where id1 == ""
+ | project recommendationId = "94794d2a-eff0-2345-9b67-6f9349d0a627", name, id, tags, param1 = "extension: null"
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetsAutomaticRepairPolicy.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetsAutomaticRepairPolicy.yaml
new file mode 100644
index 000000000..402ddf9bc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetsAutomaticRepairPolicy.yaml
@@ -0,0 +1,23 @@
+name: aprl-AzureVirtualMachineScaleSetsAutomaticRepairPolicy
+title: Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets
+description: |-
+ Enabling automatic instance repairs in Azure Virtual Machine Scale Sets enhances application availability through a continuous health check and maintenance process.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 0
+labels:
+ guid: 820f4743-1f94-e946-ae0b-45efafd87962
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that do NOT have automatic repair policy enabled
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | where properties.automaticRepairsPolicy.enabled == false
+ | project recommendationId = "820f4743-1f94-e946-ae0b-45efafd87962", name, id, tags, param1 = "automaticRepairsPolicy: Disabled"
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetsHistoricalUsageAnalysis.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetsHistoricalUsageAnalysis.yaml
new file mode 100644
index 000000000..2b494d085
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-AzureVirtualMachineScaleSetsHistoricalUsageAnalysis.yaml
@@ -0,0 +1,31 @@
+name: aprl-AzureVirtualMachineScaleSetsHistoricalUsageAnalysis
+title: Enable Predictive autoscale and configure at least for Forecast Only
+description: |-
+ Predictive autoscale utilizes machine learning to efficiently manage and scale Azure Virtual Machine Scale Sets by forecasting CPU load through historical usage analysis, ensuring timely scale-out to meet demand.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 2
+labels:
+ guid: 3f85a51c-e286-9f44-b4dc-51d00768696c
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find VMSS instances associated with autoscale settings when predictiveAutoscalePolicy_scaleMode is disabled
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | project name, id, tags
+ | join kind=leftouter (
+ resources
+ | where type == "microsoft.insights/autoscalesettings"
+ | where tostring(properties.targetResourceUri) contains "Microsoft.Compute/virtualMachineScaleSets"
+ | project id = tostring(properties.targetResourceUri), autoscalesettings = properties
+ ) on id
+ | where autoscalesettings.enabled == "true" and autoscalesettings.predictiveAutoscalePolicy.scaleMode == "Disabled"
+ | project recommendationId = "3f85a51c-e286-9f44-b4dc-51d00768696c", name, id, tags, param1 = "predictiveAutoscalePolicy_scaleMode: Disabled"
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-CustomAutoscaleCostEffectiveness.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-CustomAutoscaleCostEffectiveness.yaml
new file mode 100644
index 000000000..3c0000189
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-CustomAutoscaleCostEffectiveness.yaml
@@ -0,0 +1,31 @@
+name: aprl-CustomAutoscaleCostEffectiveness
+title: Configure VMSS Autoscale to custom and configure the scaling metrics
+description: |-
+ Use custom autoscale for VMSS based on metrics and schedules to improve performance and cost effectiveness, adjusting instances as demand changes.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 0
+labels:
+ guid: ee66ff65-9aa3-2345-93c1-25827cf79f44
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find VMSS instances associated with autoscale settings when autoscale is disabled
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | project name, id, tags
+ | join kind=leftouter (
+ resources
+ | where type == "microsoft.insights/autoscalesettings"
+ | where tostring(properties.targetResourceUri) contains "Microsoft.Compute/virtualMachineScaleSets"
+ | project id = tostring(properties.targetResourceUri), autoscalesettings = properties
+ ) on id
+ | where isnull(autoscalesettings) or autoscalesettings.enabled == "false"
+ | project recommendationId = "ee66ff65-9aa3-2345-93c1-25827cf79f44", name, id, tags, param1 = "autoscalesettings: Disabled"
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-FlexOrchestrationModeFlexibleOrchestrationMode.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-FlexOrchestrationModeFlexibleOrchestrationMode.yaml
new file mode 100644
index 000000000..3d90f9512
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachineScaleSets/aprl-FlexOrchestrationModeFlexibleOrchestrationMode.yaml
@@ -0,0 +1,23 @@
+name: aprl-FlexOrchestrationModeFlexibleOrchestrationMode
+title: Deploy VMSS with Flex orchestration mode instead of Uniform
+description: |-
+ Deploying even single instance VMs into a scale set with Flexible orchestration mode future-proofs applications for scaling and availability. This mode guarantees high availability (up to 1000 VMs) by distributing VMs across fault domains in a region or within an Availability Zone.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachineScaleSets
+severity: 1
+labels:
+ guid: e7495e1c-0c75-0946-b266-b429b5c7f3bf
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all zonal VMs that are NOT deployed with Flex orchestration mode
+ resources
+ | where type == "microsoft.compute/virtualmachinescalesets"
+ | where properties.orchestrationMode != "Flexible"
+ | project recommendationId = "e7495e1c-0c75-0946-b266-b429b5c7f3bf", name, id, tags, param1 = strcat("orchestrationMode: ", tostring(properties.orchestrationMode))
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-AzureReservedInstancesSignificantCostSavings.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-AzureReservedInstancesSignificantCostSavings.yaml
new file mode 100644
index 000000000..08f7dc0dc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-AzureReservedInstancesSignificantCostSavings.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureReservedInstancesSignificantCostSavings
+title: 'Utilize Azure Reserved Instances: This feature allows you to reserve VMs for
+ a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: c7acbe49-bbe6-44dd-a9f2-e87778468d55
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations
+queries: {}
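Review bot: The docs link under `links` does not match the recommendation: a Reserved Instances cost item points at the landing-zone identity-access prerequisites page. The same mismatch runs through the other revcl-* files in this directory (Spot VMs → application-gateway overview, disk sizes → automation region-mappings, AHUB → PIM configuration, unassociated resources → Lighthouse, right-sizing → ADDS extend-domain), which suggests the links were associated with the wrong checklist item when these files were generated; the mapping should be verified before readers are sent to unrelated guidance. Separately, `resourceTypes` is written as `microsoft.compute/virtualmachines` here but `Microsoft.Compute/virtualMachineScaleSets` in the aprl files, so a consumer that matches this field case-sensitively will treat them as different types.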
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-DiskSizesGibDisk.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-DiskSizesGibDisk.yaml
new file mode 100644
index 000000000..3c7c51548
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-DiskSizesGibDisk.yaml
@@ -0,0 +1,16 @@
+name: revcl-DiskSizesGibDisk
+title: Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk
+ will pay a P30 (1TiB) and consider resizing
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: a2ed27b2-d186-4f1a-8252-bddde68a487c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/automation/how-to/region-mappings
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-InterruptibleJobsDiscountedPrice.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-InterruptibleJobsDiscountedPrice.yaml
new file mode 100644
index 000000000..2d7344a39
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-InterruptibleJobsDiscountedPrice.yaml
@@ -0,0 +1,19 @@
+name: revcl-InterruptibleJobsDiscountedPrice
+title: 'Use Spot VMs for interruptible jobs: These are VMs that can be bid on and
+ purchased at a discounted price, providing a cost-effective solution for non-critical
+ workloads.'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 393a040f-d329-4479-ab11-88b2c5a46ceb
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/overview-v2
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LargerDisksTib.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LargerDisksTib.yaml
new file mode 100644
index 000000000..a744bb916
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LargerDisksTib.yaml
@@ -0,0 +1,15 @@
+name: revcl-LargerDisksTib
+title: Only larger disks can be reserved => 1 TiB -
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: a6bcca2b-4fea-41db-b3dd-95d48c7c891d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory-domain-services/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LearnMicrosoftAhub.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LearnMicrosoftAhub.yaml
new file mode 100644
index 000000000..d2e1b3d5f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LearnMicrosoftAhub.yaml
@@ -0,0 +1,15 @@
+name: revcl-LearnMicrosoftAhub
+title: ' this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 7b95e06e-158e-42ea-9992-c2de6e2065b3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LicensePartDiscountTheVm.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LicensePartDiscountTheVm.yaml
new file mode 100644
index 000000000..71b9495e1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LicensePartDiscountTheVm.yaml
@@ -0,0 +1,15 @@
+name: revcl-LicensePartDiscountTheVm
+title: The VM + license part discount (ahub + 3YRI) is around 70% discount
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 6e2065b3-a76a-4f4a-991e-8839ada46667
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/roles/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LowerStorageTiersDisks.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LowerStorageTiersDisks.yaml
new file mode 100644
index 000000000..9245362fe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-LowerStorageTiersDisks.yaml
@@ -0,0 +1,18 @@
+name: revcl-LowerStorageTiersDisks
+title: 'Check that the disks are really needed, if not: delete. If they are needed,
+ find lower storage tiers or use backup -'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 6aae01e6-a84d-4e5d-b36d-1d92881a1bd5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-MeterCategoryLicensesWindowsVms.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-MeterCategoryLicensesWindowsVms.yaml
new file mode 100644
index 000000000..0975f1d5e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-MeterCategoryLicensesWindowsVms.yaml
@@ -0,0 +1,17 @@
+name: revcl-MeterCategoryLicensesWindowsVms
+title: run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server-
+ consider implementing a policy if windows VMs are created frequently
+description: check by searching the Meter Category Licenses in the Cost analysys
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 59ae568b-a38d-4498-9e22-13dbd7bb012f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations
+queries: {}
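Review bot: The URL embedded in `title` carries a third-party referral parameter, `?ref=andrewmatveychuk.com`, which has no place in a curated checklist; it should be reduced to the plain learn.microsoft.com path and, like every other item here, recorded under `links` instead of inline in the title. The `description` also has a typo, `analysys` → `analysis`. The revcl-LearnMicrosoftAhub file shows the same inline-URL-in-title pattern and additionally a leading space in its quoted title.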
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-PremiumSsdDisksStandardSsd.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-PremiumSsdDisksStandardSsd.yaml
new file mode 100644
index 000000000..d9e513c67
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-PremiumSsdDisksStandardSsd.yaml
@@ -0,0 +1,16 @@
+name: revcl-PremiumSsdDisksStandardSsd
+title: 'Disks - validate use of Premium SSD disks everywhere: for example, non-prod
+ could swap to Standard SSD or on-demand Premium SSD '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 92d34429-3c76-4286-97a5-51c5b04e4f18
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/backup-center-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RecentSizesVm.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RecentSizesVm.yaml
new file mode 100644
index 000000000..da6e7a96e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RecentSizesVm.yaml
@@ -0,0 +1,17 @@
+name: revcl-RecentSizesVm
+title: Swap VM sized with normalized and most recent sizes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: b04e4f18-5438-47e5-aed1-26cd032af5b2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RightSizingOptimization.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RightSizingOptimization.yaml
new file mode 100644
index 000000000..74813c526
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RightSizingOptimization.yaml
@@ -0,0 +1,15 @@
+name: revcl-RightSizingOptimization
+title: After the right-sizing optimization
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: cb1f7d57-59ae-4568-aa38-d4985e2213db
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RightSizingVmsUsage.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RightSizingVmsUsage.yaml
new file mode 100644
index 000000000..8bdb2dda3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-RightSizingVmsUsage.yaml
@@ -0,0 +1,18 @@
+name: revcl-RightSizingVmsUsage
+title: right-sizing VMs - start with monitoring usage below 5% and then work up to
+ 40%
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: fc6998a5-35e3-4378-a7e3-1c67d68cf6a6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-UnassociatedServicesIpAddresses.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-UnassociatedServicesIpAddresses.yaml
new file mode 100644
index 000000000..354e58c0f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-UnassociatedServicesIpAddresses.yaml
@@ -0,0 +1,15 @@
+name: revcl-UnassociatedServicesIpAddresses
+title: Delete or archive unassociated services (disks, nics, ip addresses etc)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 64f9a19a-f29c-495d-94c6-c7919ca0f6c5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmDensityApplication.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmDensityApplication.yaml
new file mode 100644
index 000000000..175b19648
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmDensityApplication.yaml
@@ -0,0 +1,18 @@
+name: revcl-VmDensityApplication
+title: Containerizing an application can improve VM density and save money on scaling
+ it
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 2a119495-6d69-47dc-9a2e-d27b2d186f1a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmFamiliesFlexibilityOption.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmFamiliesFlexibilityOption.yaml
new file mode 100644
index 000000000..489dedd8a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmFamiliesFlexibilityOption.yaml
@@ -0,0 +1,18 @@
+name: revcl-VmFamiliesFlexibilityOption
+title: Consolidate reserved VM families with flexibility option (no more than 4-5
+ families)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 75c1e945-b459-4837-bf7a-e7c6d3b475a5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
+- type: docs
+ url: https://learn.microsoft.com/azure/automation/automation-solution-vm-management
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmRightSizingAdvisor.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmRightSizingAdvisor.yaml
new file mode 100644
index 000000000..ae859c00d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmRightSizingAdvisor.yaml
@@ -0,0 +1,15 @@
+name: revcl-VmRightSizingAdvisor
+title: 'Make sure advisor is configured for VM right sizing '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: d0102cac-6aae-401e-9a84-de5de36d1d92
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-Vms.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-Vms.yaml
new file mode 100644
index 000000000..83a16ad15
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-Vms.yaml
@@ -0,0 +1,15 @@
+name: revcl-Vms
+title: Right-sizing all VMs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 544451e1-92d3-4442-a3c7-628637a551c5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmssDemand.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmssDemand.yaml
new file mode 100644
index 000000000..f97b4c343
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/revcl-VmssDemand.yaml
@@ -0,0 +1,15 @@
+name: revcl-VmssDemand
+title: Consider using a VMSS to match demand rather than flat sizing
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-AzureAutomationStartStopFeatureTheStartStopFeature.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-AzureAutomationStartStopFeatureTheStartStopFeature.yaml
new file mode 100644
index 000000000..4b8fe6bdb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-AzureAutomationStartStopFeatureTheStartStopFeature.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureAutomationStartStopFeatureTheStartStopFeature
+title: (Scale set) Reduce the number of VM instances when demand decreases. Set a
+ scale-in policy based on criteria. Stop VMs during off-hours. You can use the
+ Azure Automation Start/Stop feature and configure it according to your business
+ needs.
+description: Scaling in or stopping resources when they're not in use reduces the
+ number of VMs running in the scale set, which saves costs. The Start/Stop feature
+ is a low-cost automation option.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 0a6605c5-2e42-4796-b60c-f2ac2a89872c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-AzurePremiumSsdVDiskExtraCostOptimizationFeatures.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-AzurePremiumSsdVDiskExtraCostOptimizationFeatures.yaml
new file mode 100644
index 000000000..fa96594db
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-AzurePremiumSsdVDiskExtraCostOptimizationFeatures.yaml
@@ -0,0 +1,21 @@
+name: wafsg-AzurePremiumSsdVDiskExtraCostOptimizationFeatures
+title: (VMs, scale set) Evaluate the disk options that are associated with your VM's
+ SKUs. Determine your performance needs while keeping in mind your storage capacity
+ needs and accounting for fluctuating workload patterns. For example, the Azure
+ Premium SSD v2 disk allows you to granularly adjust your performance independent
+ of the disk's size.
+description: Some high-performance disk types offer extra cost optimization features
+ and strategies. The Premium SSD v2 disk's adjustment capability can reduce costs
+ because it provides high performance without overprovisioning, which could otherwise
+ lead to underutilized resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 8e136ca6-91e6-4cd0-8d19-b6cfec2622c1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-BackupStorageCostsAzureBackupStorage.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-BackupStorageCostsAzureBackupStorage.yaml
new file mode 100644
index 000000000..5ab531d8b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-BackupStorageCostsAzureBackupStorage.yaml
@@ -0,0 +1,18 @@
+name: wafsg-BackupStorageCostsAzureBackupStorage
+title: Choose the right capabilities for dependent resources. Save on backup storage
+ costs for the vault-standard tier by using Azure Backup storage with reserved capacity.
+ It offers a discount when you commit to a reservation for either one year or three
+ years.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: e445d2d7-01a5-428d-9996-7d42b8727ae5
+links: []
+queries: {}
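Review bot: `source.file` for this wafsg item is `well-architected/service-guides/virtual-machines.md` with a `timestamp`, while sibling wafsg-* files in the same directory cite `./checklists-ext/wafsg_checklist.en.json` with no timestamp (wafsg-AzureAutomationStartStopFeatureTheStartStopFeature, wafsg-ComputeInfrastructureCostsSpotVirtualMachines, wafsg-ParallelBatchProcessingJobsRightVmPlanSize), so provenance for one source type is recorded in two different shapes; wafsg-CostEffectiveApproachPriorityQueues and wafsg-CostGuardrailsGovernancePolicies follow this file's shape. The `description: ''` here is also empty where the checklist-derived siblings carry text. If both paths are intentional (parsed from the service guide vs. imported from the checklist), a field distinguishing them would help downstream consumers; otherwise the generator should emit one form.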
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-ComputeInfrastructureCostsSpotVirtualMachines.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-ComputeInfrastructureCostsSpotVirtualMachines.yaml
new file mode 100644
index 000000000..90d735e76
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-ComputeInfrastructureCostsSpotVirtualMachines.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ComputeInfrastructureCostsSpotVirtualMachines
+title: (Scale set) Mix regular VMs with spot virtual machines. Flexible orchestration
+ lets you distribute spot virtual machines based on a specified percentage.
+description: Reduce compute infrastructure costs by applying the deep discounts of
+ spot virtual machines.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: bf114ba8-d145-4e31-9798-fb07277a246d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-CostEffectiveApproachPriorityQueues.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-CostEffectiveApproachPriorityQueues.yaml
new file mode 100644
index 000000000..0bad597e3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-CostEffectiveApproachPriorityQueues.yaml
@@ -0,0 +1,20 @@
+name: wafsg-CostEffectiveApproachPriorityQueues
+title: Look for ways to optimize. Some strategies include choosing the most cost-effective
+ approach between increasing resources in an existing system, or scaling up, and
+ adding more instances of that system, or scaling out. You can offload demand by
+ distributing it to other resources, or you can reduce demand by implementing priority
+ queues, gateway offloading, buffering, and rate limiting. For more information,
+ see the recommendations in Performance Efficiency.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: f7fc4792-bc2c-4a9d-98dc-ee637e18badd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-CostGuardrailsGovernancePolicies.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-CostGuardrailsGovernancePolicies.yaml
new file mode 100644
index 000000000..8f1fc526c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-CostGuardrailsGovernancePolicies.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CostGuardrailsGovernancePolicies
+title: Implement cost guardrails. Use governance policies to restrict resource types,
+ configurations, and locations. Use RBAC to block actions that can lead to overspending.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 389aca19-a7d5-4abb-82f6-66716e25023a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-ParallelBatchProcessingJobsRightVmPlanSize.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-ParallelBatchProcessingJobsRightVmPlanSize.yaml
new file mode 100644
index 000000000..f55313c2f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-ParallelBatchProcessingJobsRightVmPlanSize.yaml
@@ -0,0 +1,21 @@
+name: wafsg-ParallelBatchProcessingJobsRightVmPlanSize
+title: (VMs, scale set) Choose the right VM plan size and SKU. Identify the best VM
+ sizes for your workload. Use the VM selector to identify the best VM for your workload.
+ See Windows and Linux pricing. For workloads like highly parallel batch processing
+ jobs that can tolerate some interruptions, consider using Azure Spot Virtual Machines.
+ Spot virtual machines are good for experimenting, developing, and testing large-scale
+ solutions.
+description: SKUs are priced according to the capabilities that they offer. If you
+ don't need advanced capabilities, don't overspend on SKUs. Spot virtual machines
+ take advantage of the surplus capacity in Azure at a lower cost.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 12835f9e-fdcf-4ecd-8d96-22d2a32bbd29
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-PremisesWindowsServerOsLicensesAzureHybridBenefit.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-PremisesWindowsServerOsLicensesAzureHybridBenefit.yaml
new file mode 100644
index 000000000..0acc6e02a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-PremisesWindowsServerOsLicensesAzureHybridBenefit.yaml
@@ -0,0 +1,18 @@
+name: wafsg-PremisesWindowsServerOsLicensesAzureHybridBenefit
+title: (VMs, scale set) Take advantage of license mobility by using Azure Hybrid Benefit.
+ VMs have a licensing option that allows you to bring your own on-premises Windows
+ Server OS licenses to Azure. Azure Hybrid Benefit also lets you bring certain Linux
+ subscriptions to Azure.
+description: You can maximize your on-premises licenses while getting the benefits
+ of the cloud.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 2a4a0772-4dab-4123-bdb0-569271e29b63
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-PricingCalculatorBestVm.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-PricingCalculatorBestVm.yaml
new file mode 100644
index 000000000..364e62550
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-PricingCalculatorBestVm.yaml
@@ -0,0 +1,17 @@
+name: wafsg-PricingCalculatorBestVm
+title: Estimate realistic costs. Use the pricing calculator to estimate the costs
+ of your VMs. Identify the best VM for your workload by using the VM selector. For
+ more information, see Linux and Windows pricing.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 4f730d71-d8da-489b-b609-e9b1962ab07f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-RightBillingModelCommitmentBasedModels.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-RightBillingModelCommitmentBasedModels.yaml
new file mode 100644
index 000000000..45f03a5f7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-RightBillingModelCommitmentBasedModels.yaml
@@ -0,0 +1,17 @@
+name: wafsg-RightBillingModelCommitmentBasedModels
+title: 'Choose the right billing model. Evaluate whether commitment-based models for
+ computing optimize costs based on the business requirements of workload. Consider
+ these Azure options:'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 72eb7a10-acdd-47f4-ac63-c2366162dca0
+links: []
+queries: {}
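Review bot: The `title` ends with `Consider these Azure options:` and `description` is `''`, so the recommendation has no actionable content; the options list that presumably followed that sentence in the source markdown appears not to have been captured, which is likely a parsing gap rather than intentional. `wafsg-FollowingOptionsCustomScripts.yaml` in this diff has the same shape (`We recommend the following options:`). Either the list items should be folded into `description` or the generator should flag titles ending in a colon for manual review.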
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-UnderutilizedVmsKeyApproach.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-UnderutilizedVmsKeyApproach.yaml
new file mode 100644
index 000000000..1000fc839
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-UnderutilizedVmsKeyApproach.yaml
@@ -0,0 +1,18 @@
+name: wafsg-UnderutilizedVmsKeyApproach
+title: Monitor usage. Continuously monitor usage patterns and detect unused or underutilized
+ VMs. For those instances, shut down VM instances when they're not in use. Monitoring
+ is a key approach of Operational Excellence. For more information, see the recommendations
+ in Operational Excellence.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: 9269756b-3f6f-4066-907b-a24ef20d44c9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-VmPlanSizesRightResources.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-VmPlanSizesRightResources.yaml
new file mode 100644
index 000000000..27d81149a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Cost/wafsg-VmPlanSizesRightResources.yaml
@@ -0,0 +1,18 @@
+name: wafsg-VmPlanSizesRightResources
+title: Choose the right resources. Your selection of VM plan sizes and SKUs directly
+ affect the overall cost. Choose VMs based on workload characteristics. Is the workload
+ CPU intensive or does it run interruptible processes? Each SKU has associated disk
+ options that affect the overall cost.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Cost
+severity: 1
+labels:
+ guid: fd59590a-44b0-469a-aa57-e04183683d0b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureAutomanageMachineConfigurationAuditCapabilitiesOsLevelVirtualMachine.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureAutomanageMachineConfigurationAuditCapabilitiesOsLevelVirtualMachine.yaml
new file mode 100644
index 000000000..bd57cb7f0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureAutomanageMachineConfigurationAuditCapabilitiesOsLevelVirtualMachine.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureAutomanageMachineConfigurationAuditCapabilitiesOsLevelVirtualMachine
+title: Monitor OS level virtual machine (VM) configuration drift using Azure Policy.
+ Enabling Azure Automanage Machine Configuration audit capabilities through policy
+ helps application team workloads to immediately consume feature capabilities with
+ little effort.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: e7d7e484-3276-4d8b-bc05-5bcf619e8a13
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/machine-configuration/overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureUpdateManagerPatchingMechanism-1.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureUpdateManagerPatchingMechanism-1.yaml
new file mode 100644
index 000000000..82052cdec
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureUpdateManagerPatchingMechanism-1.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureUpdateManagerPatchingMechanism-1
+title: Use Azure Update Manager as a patching mechanism for Windows and Linux VMs
+ outside of Azure using Azure Arc.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: c806c048-26b7-4ddf-b4c2-b4f0c476925d
+links:
+- type: docs
+ url: 'https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations '
+- type: docs
+ url: https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms
+queries: {}
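Review bot: The first `url` value is single-quoted with a trailing space inside the quotes (`...#update-management-considerations '`), so the space becomes part of the link and any consumer that renders or fetches it gets a malformed URL; the same line appears in `revcl-AzureUpdateManagerPatchingMechanism.yaml`. The fix is `  url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations`, and stripping whitespace from link values in the generator would prevent recurrence. These patching recommendations are security-relevant, so the docs links are worth keeping valid. Separately, the `-1` suffix on `name` suggests the identifier is derived from the title and collided with the sibling file; since both recos carry distinct `guid` values, a GUID-derived name would be stable, though this is an inference from the two filenames.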
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureUpdateManagerPatchingMechanism.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureUpdateManagerPatchingMechanism.yaml
new file mode 100644
index 000000000..a331caeb5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureUpdateManagerPatchingMechanism.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureUpdateManagerPatchingMechanism
+title: Use Azure Update Manager as a patching mechanism for Windows and Linux VMs
+ in Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: f9887952-5d62-4688-9d70-ba6c97be9951
+links:
+- type: docs
+ url: 'https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations '
+- type: docs
+ url: https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureVirtualMachinesDisasterRecoveryScenariosAzureSiteRecovery.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureVirtualMachinesDisasterRecoveryScenariosAzureSiteRecovery.yaml
new file mode 100644
index 000000000..eb3e2a4ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/revcl-AzureVirtualMachinesDisasterRecoveryScenariosAzureSiteRecovery.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureVirtualMachinesDisasterRecoveryScenariosAzureSiteRecovery
+title: Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery
+ scenarios. This enables you to replicate workloads across regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 2476e49f-541a-4cdc-b979-377bcdb3751a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/site-recovery/site-recovery-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AutomaticVmGuestPatchingLinuxVirtualMachines.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AutomaticVmGuestPatchingLinuxVirtualMachines.yaml
new file mode 100644
index 000000000..3cd74e08c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AutomaticVmGuestPatchingLinuxVirtualMachines.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AutomaticVmGuestPatchingLinuxVirtualMachines
+title: Have processes for installing automatic updates. Consider using Automatic VM
+ guest patching for a timely rollout of critical patches and security patches. Use
+ Azure Update Manager to manage OS updates for your Windows and Linux virtual machines
+ in Azure.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 941dc2bd-3fae-42ce-97e8-2aae24fa414c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureChaosStudioFaultLibrariesTestEnvironment.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureChaosStudioFaultLibrariesTestEnvironment.yaml
new file mode 100644
index 000000000..ea523f410
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureChaosStudioFaultLibrariesTestEnvironment.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureChaosStudioFaultLibrariesTestEnvironment
+title: Build a test environment that closely matches your production environment to
+ test updates and changes before you deploy them to production. Have processes in
+ place to test the security updates, performance baselines, and reliability faults.
+ Take advantage of Azure Chaos Studio fault libraries to inject and simulate error
+ conditions. For more information, see Azure Chaos Studio fault and action library.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: bc5e266d-f8ee-4c9d-ba6c-edbb581c9a97
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureComputeGalleryScaleSet.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureComputeGalleryScaleSet.yaml
new file mode 100644
index 000000000..e4acaeccd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureComputeGalleryScaleSet.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureComputeGalleryScaleSet
+title: (VMs, scale set) Automatically deploy VM applications from the Azure Compute
+ Gallery by defining the applications in the profile.
+description: The VMs in the scale set are created and the specified apps are preinstalled,
+ which makes management easier.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 77a59c87-2e77-4070-8823-def10424362e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureMonitorAlertsResourceUsage.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureMonitorAlertsResourceUsage.yaml
new file mode 100644
index 000000000..af1202805
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureMonitorAlertsResourceUsage.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureMonitorAlertsResourceUsage
+title: Monitor the VM instances. Collect logs and metrics from VM instances to monitor
+ resource usage and measure the health of the instances. Some common metrics include
+ CPU usage, number of requests, and input/output (I/O) latency. Set up Azure Monitor
+ alerts to be notified about issues and to detect configuration changes in your environment.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 7fabd21e-bee0-4264-a4c0-666cb66e9deb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureUpdateManagerScaleSet.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureUpdateManagerScaleSet.yaml
new file mode 100644
index 000000000..630c99125
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-AzureUpdateManagerScaleSet.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureUpdateManagerScaleSet
+title: (Scale set) Keep your VMs up to date by setting an upgrade policy. We recommend
+ rolling upgrades. However, if you need granular control, choose to upgrade manually. For
+ Flexible orchestration, you can use Azure Update Manager.
+description: Security is the primary reason for upgrades. Security assurances for
+ the instances shouldn't decay over time. Rolling upgrades are done in batches,
+ which ensures all instances aren't down at the same time.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 2adb5980-e146-44a0-b143-b1e618b9af3f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-FollowingOptionsCustomScripts.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-FollowingOptionsCustomScripts.yaml
new file mode 100644
index 000000000..a84065f56
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-FollowingOptionsCustomScripts.yaml
@@ -0,0 +1,17 @@
+name: wafsg-FollowingOptionsCustomScripts
+title: 'Automate processes for bootstrapping, running scripts, and configuring VMs.
+ You can automate processes by using extensions or custom scripts. We recommend the
+ following options:'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 91646a8b-4462-401b-9b10-e600079458fe
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-HealthVms.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-HealthVms.yaml
new file mode 100644
index 000000000..189841371
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-HealthVms.yaml
@@ -0,0 +1,15 @@
+name: wafsg-HealthVms
+title: Monitor the health of the VMs and their dependencies.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: f41eee87-6f25-4471-b482-a186535f468d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-OsSpecificDataCollectionRulesMonitorAgentExtension.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-OsSpecificDataCollectionRulesMonitorAgentExtension.yaml
new file mode 100644
index 000000000..4043cd06b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-OsSpecificDataCollectionRulesMonitorAgentExtension.yaml
@@ -0,0 +1,21 @@
+name: wafsg-OsSpecificDataCollectionRulesMonitorAgentExtension
+title: (VMs, scale set) Monitor and measure the health of the VM instances. Deploy
+ the Monitor agent extension to your VMs to collect monitoring data from the guest
+ OS with OS-specific data collection rules. Enable VM insights to monitor health
+ and performance and to view trends from the collected data. Use boot diagnostics
+ to get information as VMs boot. Boot diagnostics also diagnose boot failures.
+description: Monitoring data is at the core of incident resolution. A comprehensive
+ monitoring stack provides information about how the VMs are performing and their
+ health. By continuously monitoring the instances, you can be ready for or prevent
+ failures like performance overload and reliability issues.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: eb4dbee8-3513-472d-a1da-f27afda1e7d2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-PrebuiltSoftwareComponentsSoftwareInstallation.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-PrebuiltSoftwareComponentsSoftwareInstallation.yaml
new file mode 100644
index 000000000..ac905f159
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-PrebuiltSoftwareComponentsSoftwareInstallation.yaml
@@ -0,0 +1,17 @@
+name: wafsg-PrebuiltSoftwareComponentsSoftwareInstallation
+title: Install prebuilt software components as extensions as part of bootstrapping. Azure
+ supports many extensions that can be used to configure, monitor, secure, and provide
+ utility applications for your VMs. Enable automatic upgrades on extensions.
+description: Extensions can help simplify the software installation at scale without
+ you having to manually install, configure, or upgrade it on each VM.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: bb8b2ac8-e277-4172-996b-a366a00321d3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-QuotaLevel.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-QuotaLevel.yaml
new file mode 100644
index 000000000..890f8f44a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-QuotaLevel.yaml
@@ -0,0 +1,17 @@
+name: wafsg-QuotaLevel
+title: Manage your quota. Plan what level of quota your workload requires and review
+ that level regularly as the workload evolves. If you need to increase or decrease
+ your quota, request those changes early.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 00d9961c-9d4b-4edd-9c69-45aed5d2172c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-RegularSystemPatchingImmediatePatchApplication.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-RegularSystemPatchingImmediatePatchApplication.yaml
new file mode 100644
index 000000000..0ab576ea6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-RegularSystemPatchingImmediatePatchApplication.yaml
@@ -0,0 +1,18 @@
+name: wafsg-RegularSystemPatchingImmediatePatchApplication
+title: Create a maintenance plan that includes regular system patching as a part of
+ routine operations. Include emergency processes that allow for immediate patch application.
+ You can have custom processes to manage patching or partially delegate the task
+ to Azure.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: f419068c-ec1e-4c73-a7c6-ead478c8b4d6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-VirtualMachineScaleSetsMultipleFaultDomains.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-VirtualMachineScaleSetsMultipleFaultDomains.yaml
new file mode 100644
index 000000000..1d223b573
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Operations/wafsg-VirtualMachineScaleSetsMultipleFaultDomains.yaml
@@ -0,0 +1,19 @@
+name: wafsg-VirtualMachineScaleSetsMultipleFaultDomains
+title: (Scale set) Virtual Machine Scale Sets in Flexible orchestration mode can help
+ simplify the deployment and management of your workload. For example, you can easily
+ manage self-healing by using automatic repairs.
+description: Flexible orchestration can manage VM instances at scale. Handing individual
+ VMs adds operational overhead. For example, when you delete VM instances, the associated
+ disks and NICs are also automatically deleted. VM instances are spread across multiple
+ fault domains so that update operations don't disrupt service.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Operations
+severity: 1
+labels:
+ guid: 6ecf127d-151e-41d6-a796-2f1b0502ddd7
+links: []
+queries: {}
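Review bot: `Handing individual VMs adds operational overhead` on the `description` line reads as a typo for `Handling`. If the text is copied verbatim from the upstream guide this may need fixing at the source instead, but as shipped it will be displayed as-is.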
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-AutoscaleRulesVmInstances.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-AutoscaleRulesVmInstances.yaml
new file mode 100644
index 000000000..fe6e26bdb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-AutoscaleRulesVmInstances.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AutoscaleRulesVmInstances
+title: (VMs, scale set) Set autoscale rules to increase or decrease the number of
+ VM instances in your scale set based on demand.
+description: If your application demand increases, the load on the VM instances in
+ your scale set increases. Autoscale rules ensure that you have enough resources
+ to meet the demand.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: ac6b7b0d-63b8-4c6f-b7ed-f0bd175ba810
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ContentDeliveryNetworksDependentServices.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ContentDeliveryNetworksDependentServices.yaml
new file mode 100644
index 000000000..949b7d7c2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ContentDeliveryNetworksDependentServices.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ContentDeliveryNetworksDependentServices
+title: Take the dependent services into account. Workload dependencies, like caching,
+ network traffic, and content delivery networks, that interact with the VMs can affect
+ performance. Also, consider geographical distribution, like zones and regions, which
+ can add latency.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: b255b907-9f43-4998-ad40-ef60a225fe43
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-HighPerformanceUseCasesNonVolatileMemoryExpress.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-HighPerformanceUseCasesNonVolatileMemoryExpress.yaml
new file mode 100644
index 000000000..fb28b55ff
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-HighPerformanceUseCasesNonVolatileMemoryExpress.yaml
@@ -0,0 +1,18 @@
+name: wafsg-HighPerformanceUseCasesNonVolatileMemoryExpress
+title: VM performance tuning. Take advantage of performance optimization and enhancing
+ features as required by the workload. For example, use locally attached Non-Volatile
+ Memory Express (NVMe) for high performance use cases and accelerated networking,
+ and use Premium SSD v2 for better performance and scalability.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: d7ea0eb8-7505-4e2b-9be1-380fad934a96
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-LowLatencyDiskSupportVmsHighInputOutputOperations.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-LowLatencyDiskSupportVmsHighInputOutputOperations.yaml
new file mode 100644
index 000000000..f7900b6b0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-LowLatencyDiskSupportVmsHighInputOutputOperations.yaml
@@ -0,0 +1,21 @@
+name: wafsg-LowLatencyDiskSupportVmsHighInputOutputOperations
+title: (VMs, scale set) Set the storage profile by analyzing the disk performance
+ of existing workloads and the VM SKU. Use Premium SSDs for production VMs. Adjust
+ the performance of disks with Premium SSD v2. Use locally attached NVMe devices.
+description: Premium SSDs deliver high-performance and low-latency disk support VMs
+ with I/O-intensive workloads. Premium SSD v2 doesn't require disk resizing, which
+ enables high performance without excessive over-provisioning and minimizes the cost
+ of unused capacity. When available on VM SKUs, locally attached NVMe or similar
+ devices can offer high performance, especially for use cases that require high input/output
+ operations per second (IOPS) and low latency.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: 633df150-cf95-4992-853f-72b1d599395b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-OperationalExcellenceBestPracticesPerformanceData.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-OperationalExcellenceBestPracticesPerformanceData.yaml
new file mode 100644
index 000000000..089a8d163
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-OperationalExcellenceBestPracticesPerformanceData.yaml
@@ -0,0 +1,17 @@
+name: wafsg-OperationalExcellenceBestPracticesPerformanceData
+title: Collect performance data. Follow the Operational Excellence best practices
+ for monitoring and deploy the appropriate extensions to view metrics that track
+ against performance indicators.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: fd304fa2-0694-4952-b53a-6161a4e21099
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-PerformanceProfileScaleSets.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-PerformanceProfileScaleSets.yaml
new file mode 100644
index 000000000..de7b4fa37
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-PerformanceProfileScaleSets.yaml
@@ -0,0 +1,18 @@
+name: wafsg-PerformanceProfileScaleSets
+title: Factor in the performance profile of VMs, scale sets, and disk configuration
+ in your capacity planning. Each SKU has a different profile of memory and CPU and
+ behaves differently depending on the type of workload. Conduct pilots and proofs
+ of concept to understand performance behavior under the specific workload.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: 5739c739-7af2-4f47-8c0a-a38cce9f64af
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ProximityPlacementGroupsAzureComputeResources.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ProximityPlacementGroupsAzureComputeResources.yaml
new file mode 100644
index 000000000..eccafab6d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ProximityPlacementGroupsAzureComputeResources.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ProximityPlacementGroupsAzureComputeResources
+title: (VMs, scale set) Deploy latency-sensitive workload VMs in proximity placement
+ groups.
+description: Proximity placement groups reduce the physical distance between Azure
+ compute resources, which can improve performance and reduce network latency between
+ stand-alone VMs, VMs in multiple availability sets, or VMs in multiple scale sets.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: d69311a8-15b4-4509-928a-0dd369babed3
+links: []
+queries: {}
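Review bot: The `source` block in this file carries `type` and `file` but no `timestamp`, whereas the sibling wafsg entries extracted from `well-architected/service-guides/virtual-machines.md` (e.g. the hunk ending at L34654) record `timestamp: July 24, 2024`; the same gap appears in every entry sourced from `./checklists-ext/wafsg_checklist.en.json` and `./checklists/waf_checklist.en.json` in this chunk (hunks ending at L34725, L34770, L34794 onward). Without a timestamp a consumer cannot tell how stale a checklist-derived recommendation is relative to the markdown-derived ones, and the two provenance paths end up with different schemas under the same `type: wafsg`. These files look tool-generated, so the fix presumably belongs in the generator rather than in the YAML: either emit `timestamp` for the JSON-sourced path as well, or document that the field is optional and what its absence means.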
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ProximityPlacementGroupsLowLatency.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ProximityPlacementGroupsLowLatency.yaml
new file mode 100644
index 000000000..151264b6e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ProximityPlacementGroupsLowLatency.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ProximityPlacementGroupsLowLatency
+title: Proximity placement groups. Use proximity placement groups in workloads where
+ low latency is required to ensure that VMs are physically located close to each
+ other.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: e2a34493-c121-47fe-aa04-d9897feeca73
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ScaleSetCapacityPlanning.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ScaleSetCapacityPlanning.yaml
new file mode 100644
index 000000000..275c93861
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-ScaleSetCapacityPlanning.yaml
@@ -0,0 +1,19 @@
+name: wafsg-ScaleSetCapacityPlanning
+title: (VMs, scale set) Choose SKUs for VMs that align with your capacity planning.
+ Have a good understanding of your workload requirements, including the number of
+ cores, memory, storage, and network bandwidth so that you can filter out unsuitable
+ SKUs.
+description: Rightsizing your VMs is a fundamental decision that significantly affects
+ the performance of your workload. Without the right set of VMs, you might experience
+ performance issues and accrue unnecessary costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: 0278dc83-3a7e-4439-b706-1bdc45e0ecd0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-SecondConcurrentUsersPerformanceTargets.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-SecondConcurrentUsersPerformanceTargets.yaml
new file mode 100644
index 000000000..795c86f48
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-SecondConcurrentUsersPerformanceTargets.yaml
@@ -0,0 +1,18 @@
+name: wafsg-SecondConcurrentUsersPerformanceTargets
+title: Define performance targets. Identify VM metrics to track and measure against
+ performance indicators as response time, CPU utilization, and memory utilization,
+ as well as workload metrics such as transactions per second, concurrent users, and
+ availability and health.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: 9ea20a53-3560-42fd-b9c2-e0554d262a5f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-SingleRootIOVirtualizationAcceleratedNetworking.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-SingleRootIOVirtualizationAcceleratedNetworking.yaml
new file mode 100644
index 000000000..c8166f806
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Performance/wafsg-SingleRootIOVirtualizationAcceleratedNetworking.yaml
@@ -0,0 +1,15 @@
+name: wafsg-SingleRootIOVirtualizationAcceleratedNetworking
+title: (VMs) Consider enabling accelerated networking.
+description: It enables single root I/O virtualization (SR-IOV) to a VM, which greatly
+ improves its networking performance.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Performance
+severity: 1
+labels:
+ guid: 8b4677c6-aed0-4e08-9736-6710010b142b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AvailabilityZonesAvailabilitySets.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AvailabilityZonesAvailabilitySets.yaml
new file mode 100644
index 000000000..c8fde7796
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AvailabilityZonesAvailabilitySets.yaml
@@ -0,0 +1,18 @@
+name: revcl-AvailabilityZonesAvailabilitySets
+title: For regions that do not support Availability Zones deploy VMs into Availability
+ Sets
+description: Use at least two VMs in Availability Sets to isolate VMs on different
+ fault and update domains.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 5a785d6f-e96c-496a-b884-4cf3b2b38c88
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/availability-set-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureLoadBalancerIncomingNetworkTraffic.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureLoadBalancerIncomingNetworkTraffic.yaml
new file mode 100644
index 000000000..033de1167
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureLoadBalancerIncomingNetworkTraffic.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureLoadBalancerIncomingNetworkTraffic
+title: Azure Load Balancer and Application Gateway distribute incoming network traffic
+ across multiple resources.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 84101f59-1941-4195-a270-e28034290e3a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureMetadataServiceUpcomingMaintenanceEvents.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureMetadataServiceUpcomingMaintenanceEvents.yaml
new file mode 100644
index 000000000..430bd93f6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureMetadataServiceUpcomingMaintenanceEvents.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzureMetadataServiceUpcomingMaintenanceEvents
+title: Utilize Scheduled Events to prepare for VM maintenance
+description: Scheduled Events is an Azure Metadata Service that provides information
+ about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled
+ Events, you can proactively prepare your applications for VM maintenance, minimizing
+ disruption and improving the availability of your VMs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 2
+labels:
+ guid: 6d3b475a-5c7a-4cbe-99bb-e64dd8902e87
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureVirtualMachinesAzureBackup.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureVirtualMachinesAzureBackup.yaml
new file mode 100644
index 000000000..abe6c8091
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-AzureVirtualMachinesAzureBackup.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureVirtualMachinesAzureBackup
+title: Consider Azure Backup to meet your resiliency requirements for Azure VMs
+description: Ensure that Azure Backup is utilized appropriately to meet your organization's
+ resiliency requirements for Azure virtual machines (VMs).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: 4d874a74-8b66-42d6-b150-512a66498f6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-LeverageAvailabilityZonesOtherAvailabilityZones.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-LeverageAvailabilityZonesOtherAvailabilityZones.yaml
new file mode 100644
index 000000000..4c8c051f3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-LeverageAvailabilityZonesOtherAvailabilityZones.yaml
@@ -0,0 +1,17 @@
+name: revcl-LeverageAvailabilityZonesOtherAvailabilityZones
+title: Leverage Availability Zones for your VMs in regions where they are supported
+description: Co-locate your compute, storage, networking, and data resources across
+ an availability zone, and replicate this arrangement in other availability zones.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: e514548d-2447-4ec6-9138-b8200f1ce16e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/availability-zones-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-LeverageAvailabilityZonesVms.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-LeverageAvailabilityZonesVms.yaml
new file mode 100644
index 000000000..ed345c22f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-LeverageAvailabilityZonesVms.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageAvailabilityZonesVms
+title: Leverage Availability Zones for your VMs in regions where they are supported.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: 826c5c45-bb79-4951-a812-e3bfbfd7326b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/availability-zones-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-ManagedDisksDataDurability.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-ManagedDisksDataDurability.yaml
new file mode 100644
index 000000000..3d3ebb1d0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-ManagedDisksDataDurability.yaml
@@ -0,0 +1,17 @@
+name: revcl-ManagedDisksDataDurability
+title: Ensure Managed Disks are used for all VMs
+description: Azure automatically replicates managed disks within a region to ensure
+ data durability and protect against single-point failures.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: b31e38c3-f298-412b-8363-cffe179b599d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-NetworkVirtualAppliancesNecessaryNvaConfiguration.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-NetworkVirtualAppliancesNecessaryNvaConfiguration.yaml
new file mode 100644
index 000000000..27a636801
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-NetworkVirtualAppliancesNecessaryNvaConfiguration.yaml
@@ -0,0 +1,20 @@
+name: revcl-NetworkVirtualAppliancesNecessaryNvaConfiguration
+title: Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration
+ for High Availability
+description: When choosing the best option for deploying NVAs in Azure, it is crucial
+ to consider the vendor's recommendations and validate that the specific design has
+ been vetted and validated by the NVA vendor. The vendor should also provide the
+ necessary NVA configuration for seamless integration in Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: 8b1188b3-c6a4-46ce-a544-451e192d3442
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-PartnerNetworkingTechnologiesPartnerVendor.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-PartnerNetworkingTechnologiesPartnerVendor.yaml
new file mode 100644
index 000000000..70d951dc9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-PartnerNetworkingTechnologiesPartnerVendor.yaml
@@ -0,0 +1,16 @@
+name: revcl-PartnerNetworkingTechnologiesPartnerVendor
+title: When deploying partner networking technologies or NVAs, follow the partner
+ vendor's guidance
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: e2e8abac-3571-4559-ab91-53e89f89dc7b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-PotentialResourceConstraintsDrRegion.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-PotentialResourceConstraintsDrRegion.yaml
new file mode 100644
index 000000000..afea88e8a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-PotentialResourceConstraintsDrRegion.yaml
@@ -0,0 +1,18 @@
+name: revcl-PotentialResourceConstraintsDrRegion
+title: Increase quotas in DR region before testing failover with ASR
+description: By ensuring that the necessary quotas are increased in your DR region
+ before testing failover with ASR, you can avoid any potential resource constraints
+ during the recovery process for failed over VMs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: e6e2065b-3a76-4af4-a691-e8939ada4666
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/quotas/per-vm-quota-requests
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-ProductionWorkloadSingleVm.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-ProductionWorkloadSingleVm.yaml
new file mode 100644
index 000000000..4a9f1e549
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-ProductionWorkloadSingleVm.yaml
@@ -0,0 +1,15 @@
+name: revcl-ProductionWorkloadSingleVm
+title: Avoid running a production workload on a single VM.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: 7ccb7c06-5511-42df-8177-d97f08d0337d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/availability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-RecoveryTimeObjectiveLowRtoRequirements.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-RecoveryTimeObjectiveLowRtoRequirements.yaml
new file mode 100644
index 000000000..029f43308
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-RecoveryTimeObjectiveLowRtoRequirements.yaml
@@ -0,0 +1,18 @@
+name: revcl-RecoveryTimeObjectiveLowRtoRequirements
+title: For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements
+ use Azure Site Recovery
+description: Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective)
+ for your Azure and hybrid VMs by providing continuous replication and failover capabilities.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: 2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/site-recovery/site-recovery-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-SqlServerTempdbTempDisk.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-SqlServerTempdbTempDisk.yaml
new file mode 100644
index 000000000..b00d4f1bf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-SqlServerTempdbTempDisk.yaml
@@ -0,0 +1,18 @@
+name: revcl-SqlServerTempdbTempDisk
+title: Do not use the Temp disk for anything that is not acceptable to be lost
+description: Temporary disks are intended for short-term storage of non-persistent
+ data such as page files, swap files, or SQL Server tempdb. Storing persistent data
+ on temporary disks can lead to data loss during maintenance events or VM redeployment.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: e0d5973c-d4ce-432c-8881-37f6f7c4c0d4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-UseCapacityReservationsCriticalWorkloads.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-UseCapacityReservationsCriticalWorkloads.yaml
new file mode 100644
index 000000000..4310ae6ce
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-UseCapacityReservationsCriticalWorkloads.yaml
@@ -0,0 +1,17 @@
+name: revcl-UseCapacityReservationsCriticalWorkloads
+title: Use Capacity Reservations for critical workloads that require guaranteed capacity
+description: By using Capacity Reservations, you can effectively manage capacity for
+ critical workloads, ensuring resource availability in specified regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 2
+labels:
+ guid: bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-VirtualMachineConnectivitySingleInstanceVms.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-VirtualMachineConnectivitySingleInstanceVms.yaml
new file mode 100644
index 000000000..37ff1760b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-VirtualMachineConnectivitySingleInstanceVms.yaml
@@ -0,0 +1,18 @@
+name: revcl-VirtualMachineConnectivitySingleInstanceVms
+title: Use Premium or Ultra disks for production VMs
+description: Single Instance VMs using Premium SSD or Ultra Disk for all Operating
+ System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity
+ of at least 99.9%
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: 8052d88e-79d1-47b7-9b22-a5a67e7a8ed4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/disks-types
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-VirtualMachineScaleSetsAzureSiteRecovery.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-VirtualMachineScaleSetsAzureSiteRecovery.yaml
new file mode 100644
index 000000000..ad318f475
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/revcl-VirtualMachineScaleSetsAzureSiteRecovery.yaml
@@ -0,0 +1,17 @@
+name: revcl-VirtualMachineScaleSetsAzureSiteRecovery
+title: Avoid running a production workload on a single VM
+description: Azure provides multiple options for VM redundancy to meet different requirements
+ (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 0
+labels:
+ guid: 6ba2c021-4991-414a-9d3c-e574dccbd979
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/availability
+queries: {}
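Review bot: This entry's `title` (`Avoid running a production workload on a single VM`) is the same recommendation as `revcl-ProductionWorkloadSingleVm` in the hunk ending at L35024, published under a different `name`, `guid` and the same `links` URL; `revcl-LeverageAvailabilityZonesVms` (L34894) and `revcl-LeverageAvailabilityZonesOtherAvailabilityZones` (L34871) are a second such pair. Duplicate GUIDs for one recommendation will double-count it in any review or reporting built on these files. If these files are generated from `./checklists/waf_checklist.en.json`, the duplication is presumably in that source checklist and should be deduplicated there, otherwise one of each pair should be dropped here.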
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-AutomaticRecoveryOptionsHealthDegradationMonitoring.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-AutomaticRecoveryOptionsHealthDegradationMonitoring.yaml
new file mode 100644
index 000000000..668a75c4e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-AutomaticRecoveryOptionsHealthDegradationMonitoring.yaml
@@ -0,0 +1,20 @@
+name: wafsg-AutomaticRecoveryOptionsHealthDegradationMonitoring
+title: Explore the automatic recovery options. Azure supports health degradation monitoring
+ and self-healing features for VMs. For example, scale sets provide automatic instance
+ repairs. In more advanced scenarios, self-healing involves using Azure Site Recovery,
+ having a passive standby to fail over to, or redeploying from infrastructure as
+ code (IaC). The method that you choose should align with the business requirements
+ and your organizational operations. For more information, see VM service disruptions.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 9a34544a-d391-485c-8373-e191d47e3fb8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-CapacityReservationsFeatureApplicableSlas.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-CapacityReservationsFeatureApplicableSlas.yaml
new file mode 100644
index 000000000..9514f83de
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-CapacityReservationsFeatureApplicableSlas.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CapacityReservationsFeatureApplicableSlas
+title: (VMs) Take advantage of the capacity reservations feature.
+description: Capacity is reserved for your use and is available within the scope of
+ the applicable SLAs. You can delete capacity reservations when you no longer need
+ them, and billing is consumption based.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 640c79fd-8a7f-4824-ba96-ca41034d02e8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-CompositeServiceLevelObjectivesAzureServiceLevelAgreements.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-CompositeServiceLevelObjectivesAzureServiceLevelAgreements.yaml
new file mode 100644
index 000000000..950c9e800
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-CompositeServiceLevelObjectivesAzureServiceLevelAgreements.yaml
@@ -0,0 +1,17 @@
+name: wafsg-CompositeServiceLevelObjectivesAzureServiceLevelAgreements
+title: Calculate your composite service-level objectives (SLOs) based on Azure service-level
+ agreements (SLAs). Ensure that your SLO isn't higher than the Azure SLAs to avoid
+ unrealistic expectations and potential issues.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 0962db49-c5c0-45b4-9064-c5da949a67b3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ComprehensiveDisasterRecoveryPlanComprehensivePlan.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ComprehensiveDisasterRecoveryPlanComprehensivePlan.yaml
new file mode 100644
index 000000000..22899b49b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ComprehensiveDisasterRecoveryPlanComprehensivePlan.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ComprehensiveDisasterRecoveryPlanComprehensivePlan
+title: Create a comprehensive disaster recovery plan. Disaster preparedness involves
+ creating a comprehensive plan and deciding on a technology for recovery.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: dcaadec2-8bc9-43ce-b13d-51aa5c4db90e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-EphemeralOperatingSystemFailureModeAnalysis.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-EphemeralOperatingSystemFailureModeAnalysis.yaml
new file mode 100644
index 000000000..7123774f3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-EphemeralOperatingSystemFailureModeAnalysis.yaml
@@ -0,0 +1,19 @@
+name: wafsg-EphemeralOperatingSystemFailureModeAnalysis
+title: Conduct a failure mode analysis to minimize points of failure by analyzing
+ VM interactions with the network and storage components. Choose configurations like
+ ephemeral operating system (OS) disks to localize disk access and avoid network
+ hops. Add a load balancer to enhance self-preservation by distributing network traffic
+ across multiple VMs, which improves availability and reliability.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 957b7b80-d049-454d-b65b-7bbd967b141b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-EphemeralOsDisksSeparateDataDisk.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-EphemeralOsDisksSeparateDataDisk.yaml
new file mode 100644
index 000000000..ec1a1cb1e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-EphemeralOsDisksSeparateDataDisk.yaml
@@ -0,0 +1,18 @@
+name: wafsg-EphemeralOsDisksSeparateDataDisk
+title: Create state isolation. Workload data should be on a separate data disk to
+ prevent interference with the OS disk. If a VM fails, you can create a new OS disk
+ with the same data disk, which ensures resilience and fault isolation. For more
+ information, see Ephemeral OS disks.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: b2ecdce9-fd21-4784-beb8-6084a166aa12
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-InRedundancyOptionsRedundancyChoices.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-InRedundancyOptionsRedundancyChoices.yaml
new file mode 100644
index 000000000..287738e94
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-InRedundancyOptionsRedundancyChoices.yaml
@@ -0,0 +1,19 @@
+name: wafsg-InRedundancyOptionsRedundancyChoices
+title: Make VMs and their dependencies redundant across zones. If a VM fails, the
+ workload should continue to function because of redundancy. Include dependencies
+ in your redundancy choices. For example, use the built-in redundancy options that
+ are available with disks. Use zone-redundant IPs to ensure data availability and
+ high uptime.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 5aaae165-879c-4ce7-8661-c4a05b0e5074
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-MaximumLoadExtraCapacity.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-MaximumLoadExtraCapacity.yaml
new file mode 100644
index 000000000..6a8862241
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-MaximumLoadExtraCapacity.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MaximumLoadExtraCapacity
+title: Rightsize the VMs and their dependencies. Understand your VM's expected work
+ to ensure it's not undersized and can handle the maximum load. Have extra capacity
+ to mitigate failures.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 285a5da3-2741-4f96-b58f-d2a48be2d39d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-OneFaultDomainManyFaultDomains.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-OneFaultDomainManyFaultDomains.yaml
new file mode 100644
index 000000000..836da58fd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-OneFaultDomainManyFaultDomains.yaml
@@ -0,0 +1,16 @@
+name: wafsg-OneFaultDomainManyFaultDomains
+title: (Scale set) Allow Flexible orchestration to spread the VM instances across
+ as many fault domains as possible.
+description: This option isolates fault domains. During maintenance periods, when
+ one fault domain is updated, VM instances are available in the other fault domains.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 18b6cb3c-704e-415c-ac33-a04ce8d33982
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-PreferredRepairActionPrematureRepairOperations.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-PreferredRepairActionPrematureRepairOperations.yaml
new file mode 100644
index 000000000..3da1202a0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-PreferredRepairActionPrematureRepairOperations.yaml
@@ -0,0 +1,19 @@
+name: wafsg-PreferredRepairActionPrematureRepairOperations
+title: (VMs) Implement heath endpoints that emit instance health statuses on VMs. (Scale
+ set) Enable automatic repairs on the scale set by specifying the preferred repair
+ action. Consider setting a time frame during which automatic repairs pause if the
+ VM's state changes.
+description: Maintain availability even if an instance is deemed unhealthy. Automatic
+ repairs initiate recovery by replacing the faulty instance. Setting a time window
+ can prevent inadvertent or premature repair operations.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 0bc7ac44-c4e0-4192-a423-09571aae23dc
+links: []
+queries: {}
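Review bot: The `title` of this entry reads "Implement heath endpoints", which should be `Implement health endpoints`. Since the text is emitted from `./checklists-ext/wafsg_checklist.en.json`, the correction should be made in that source so a later regeneration does not reintroduce the typo.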
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ReliabilityDesignChoicesApplicationVmPatches.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ReliabilityDesignChoicesApplicationVmPatches.yaml
new file mode 100644
index 000000000..21ce5c47d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ReliabilityDesignChoicesApplicationVmPatches.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ReliabilityDesignChoicesApplicationVmPatches
+title: Run operations with rigor. Reliability design choices must be supported by
+ effective operations based on the principles of monitoring, resiliency testing in
+ production, automated application VM patches and upgrades, and consistency of deployments.
+ For operational guidance, see Operational Excellence.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: eaff9b97-b18a-4ab7-9307-14cf820eeb5a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ScaleSetDeploymentTimes.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ScaleSetDeploymentTimes.yaml
new file mode 100644
index 000000000..3f3b02f49
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-ScaleSetDeploymentTimes.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ScaleSetDeploymentTimes
+title: (Scale set) Enable overprovisioning on scale sets.
+description: Overprovisioning reduces deployment times and has a cost benefit because
+ the extra VMs aren't billed.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: c97c1d86-cef5-435b-9312-c8f41b231afe
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-TheVmInstancesScaleSet.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-TheVmInstancesScaleSet.yaml
new file mode 100644
index 000000000..e044ca649
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-TheVmInstancesScaleSet.yaml
@@ -0,0 +1,21 @@
+name: wafsg-TheVmInstancesScaleSet
+title: (Scale set) Deploy across availability zones on scale sets. Set up at least
+ two instances in each zone. Zone balancing equally spreads the instances across
+ zones.
+description: The VM instances are provisioned in physically separate locations within
+ each Azure region that are tolerant to local failures. Keep in mind that, depending
+ on resource availability, there might be an uneven number of instances across zones.
+ Zone balancing supports availability by making sure that, if one zone is down, the
+ other zones have sufficient instances. Two instances in each zone provide a buffer
+ during upgrades.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: cfcbe692-8d95-414c-855a-2af8530bbee7
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachineScaleSetsFlexibleOrchestrationMode.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachineScaleSetsFlexibleOrchestrationMode.yaml
new file mode 100644
index 000000000..055ff2ab9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachineScaleSetsFlexibleOrchestrationMode.yaml
@@ -0,0 +1,17 @@
+name: wafsg-VirtualMachineScaleSetsFlexibleOrchestrationMode
+title: (Scale set) Use Virtual Machine Scale Sets in Flexible orchestration mode to
+ deploy VMs.
+description: Future-proof your application for scaling and take advantage of the high
+ availability guarantees that spread VMs across fault domains in a region or an availability
+ zone.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 2f3edda7-4225-472e-83d0-265c26367213
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachineScaleSetsServiceLevelDegradation.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachineScaleSetsServiceLevelDegradation.yaml
new file mode 100644
index 000000000..71199a6d1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachineScaleSetsServiceLevelDegradation.yaml
@@ -0,0 +1,18 @@
+name: wafsg-VirtualMachineScaleSetsServiceLevelDegradation
+title: Be ready to scale up and scale out to prevent service level degradation and
+ to avoid failures. Virtual Machine Scale Sets have autoscale capabilities that create
+ new instances as required and distribute the load across multiple VMs and availability
+ zones.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 553a3f24-22d8-4c4c-a26a-84063663c613
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachinesQuotasDesignRestrictions.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachinesQuotasDesignRestrictions.yaml
new file mode 100644
index 000000000..ec87b8727
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Reliability/wafsg-VirtualMachinesQuotasDesignRestrictions.yaml
@@ -0,0 +1,19 @@
+name: wafsg-VirtualMachinesQuotasDesignRestrictions
+title: Review Virtual Machines quotas and limits that might pose design restrictions.
+ VMs have specific limits and quotas, which vary based on the type of VM or the region.
+ There might be subscription restrictions, such as the number of VMs per subscription
+ or the number of cores per VM. If other workloads share your subscription, then
+ your ability to consume data might be reduced.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Reliability
+severity: 1
+labels:
+ guid: 361c5452-9715-4191-b073-b0331eb90559
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-BaseOperatingSystemPatchingAzureMonitorLogs.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-BaseOperatingSystemPatchingAzureMonitorLogs.yaml
new file mode 100644
index 000000000..5206a077a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-BaseOperatingSystemPatchingAzureMonitorLogs.yaml
@@ -0,0 +1,16 @@
+name: revcl-BaseOperatingSystemPatchingAzureMonitorLogs
+title: Monitor base operating system patching drift via Azure Monitor Logs and Defender
+ for Cloud.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 15833ee7-ad6c-46d3-9331-65c7acbe44ab
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/security-center/
+queries: {}
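Review bot: This entry has no `description` key at all, while the wafsg entries in the same directory write `description: ''` when there is no text; the same applies to revcl-CompliantBaselineVmConfigurationVmExtensions and revcl-EndpointProtectionIaasServers. A consumer that indexes `reco['description']` rather than using `.get()` will fail on these files only, which is hard to spot in a batch of several hundred generated entries. Emitting `description: ''` for revcl-sourced entries would keep the schema uniform across the three source types.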
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-CompliantBaselineVmConfigurationVmExtensions.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-CompliantBaselineVmConfigurationVmExtensions.yaml
new file mode 100644
index 000000000..83f6b8606
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-CompliantBaselineVmConfigurationVmExtensions.yaml
@@ -0,0 +1,16 @@
+name: revcl-CompliantBaselineVmConfigurationVmExtensions
+title: Use Azure policies to automatically deploy software configurations through
+ VM extensions and enforce a compliant baseline VM configuration.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: f541acdc-e979-4377-acdb-3751ab2ab13a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-EndpointProtectionIaasServers.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-EndpointProtectionIaasServers.yaml
new file mode 100644
index 000000000..448825e88
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-EndpointProtectionIaasServers.yaml
@@ -0,0 +1,15 @@
+name: revcl-EndpointProtectionIaasServers
+title: Enable Endpoint Protection on IaaS Servers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 0
+labels:
+ guid: 24d96b30-61ee-4436-a1cc-d6ef08bc574b
+links:
+- type: docs
+ url: https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-VmSecurityConfigurationDriftGuestConfigurationFeatures.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-VmSecurityConfigurationDriftGuestConfigurationFeatures.yaml
new file mode 100644
index 000000000..9e468e9d5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/revcl-VmSecurityConfigurationDriftGuestConfigurationFeatures.yaml
@@ -0,0 +1,18 @@
+name: revcl-VmSecurityConfigurationDriftGuestConfigurationFeatures
+title: Monitor VM security configuration drift via Azure Policy.
+description: Azure Policy's guest configuration features can audit and remediate machine
+ settings (e.g., OS, application, environment) to ensure resources align with expected
+ configurations, and Update Management can enforce patch management for VMs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: da6e55d7-d8a2-4adb-817d-6326af625ca4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AssociatedNetworkSecurityGroupVirtualNetworkInterfaces.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AssociatedNetworkSecurityGroupVirtualNetworkInterfaces.yaml
new file mode 100644
index 000000000..f326ea176
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AssociatedNetworkSecurityGroupVirtualNetworkInterfaces.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AssociatedNetworkSecurityGroupVirtualNetworkInterfaces
+title: (VMs) Choose secure networking options for your VM's network profile. Don't
+ directly associate public IP addresses to your VMs and don't enable IP forwarding. Ensure
+ that all virtual network interfaces have an associated network security group.
+description: You can set segmentation controls in the networking profile. Attackers
+ scan public IP addresses, which makes VMs vulnerable to threats.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 312f1ab0-131f-4606-ae9b-18956ba60371
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AttackSurfaceOsImages.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AttackSurfaceOsImages.yaml
new file mode 100644
index 000000000..3f4605679
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AttackSurfaceOsImages.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AttackSurfaceOsImages
+title: Reduce the attack surface by hardening OS images and removing unused components.
+ Use smaller images and remove binaries that aren't required to run the workload.
+ Tighten the VM configurations by removing features, like default accounts and ports,
+ that you don't need.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: e4779d30-f938-495f-b9a6-bfed5afa8c38
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AutomatedSecurityPatchingSecurityCompliance.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AutomatedSecurityPatchingSecurityCompliance.yaml
new file mode 100644
index 000000000..41c2b4d85
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AutomatedSecurityPatchingSecurityCompliance.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AutomatedSecurityPatchingSecurityCompliance
+title: Ensure timely and automated security patching and upgrades. Make sure updates
+ are automatically rolled out and validated by using a well-defined process. Use
+ a solution like Azure Automation to manage OS updates and maintain security compliance
+ by making critical updates.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 51c32087-d5b8-4be6-9006-786bf12bd94b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureConfidentialComputingHighSensitivityRequirements.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureConfidentialComputingHighSensitivityRequirements.yaml
new file mode 100644
index 000000000..3a9fe05a0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureConfidentialComputingHighSensitivityRequirements.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureConfidentialComputingHighSensitivityRequirements
+title: Identify the VMs that hold state. Make sure that data is classified according
+ to the sensitivity labels that your organization provided. Protect data by using
+ security controls like appropriate levels of at-rest and in-transit encryption.
+ If you have high sensitivity requirements, consider using high-security controls
+ like double encryption and Azure confidential computing to protect data-in-use.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: a4ceac6a-ac90-4278-9ad9-706194c2d5c9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureKeyVaultExtensionCorrespondingCertificates.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureKeyVaultExtensionCorrespondingCertificates.yaml
new file mode 100644
index 000000000..fb5840bdd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureKeyVaultExtensionCorrespondingCertificates.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureKeyVaultExtensionCorrespondingCertificates
+title: Protect secrets such as the certificates that you need to protect data in transit.
+ Consider using the Azure Key Vault extension for Windows or Linux that automatically
+ refreshes the certificates stored in a key vault. When it detects a change in the
+ certificates, the extension retrieves and installs the corresponding certificates.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 08be36ad-0190-4740-b002-9adae9be0cca
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureVirtualNetworkNetworkSecurityGroups.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureVirtualNetworkNetworkSecurityGroups.yaml
new file mode 100644
index 000000000..07ef0da2d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-AzureVirtualNetworkNetworkSecurityGroups.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureVirtualNetworkNetworkSecurityGroups
+title: Use network controls to restrict ingress and egress traffic. Isolate VMs and
+ scale sets in Azure Virtual Network and define network security groups to filter
+ traffic. Protect against distributed denial of service (DDoS) attacks. Use load
+ balancers and firewall rules to protect against malicious traffic and data exfiltration
+ attacks.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 51bdfe3f-1460-43ac-860d-d5dcaa69a698
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-IntrusionDetectionSystemsTrustedExecutionEnvironment.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-IntrusionDetectionSystemsTrustedExecutionEnvironment.yaml
new file mode 100644
index 000000000..fda0b7480
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-IntrusionDetectionSystemsTrustedExecutionEnvironment.yaml
@@ -0,0 +1,17 @@
+name: wafsg-IntrusionDetectionSystemsTrustedExecutionEnvironment
+title: Threat prevention. Protect against malware attacks and malicious actors by
+ implementing security controls like firewalls, antivirus software, and intrusion
+ detection systems. Determine if a Trusted Execution Environment (TEE) is required.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: ad4792c8-903c-4467-a6c8-90c84a49af47
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdAuthenticationAzureDiskEncryptionExtension.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdAuthenticationAzureDiskEncryptionExtension.yaml
new file mode 100644
index 000000000..fc7c62482
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdAuthenticationAzureDiskEncryptionExtension.yaml
@@ -0,0 +1,19 @@
+name: wafsg-MicrosoftEntraIdAuthenticationAzureDiskEncryptionExtension
+title: (VMs, scale set) Include extensions in your VMs that protect against threats. For
+ example, - Key Vault extension for Windows and Linux - Microsoft Entra ID authentication -
+ Microsoft Antimalware for Azure Cloud Services and Virtual Machines - Azure Disk
+ Encryption extension for Windows and Linux.
+description: The extensions are used to bootstrap the VMs with the right software
+ that protects access to and from the VMs. Microsoft-provided extensions are updated
+ frequently to keep up with the evolving security standards.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 01d2e86e-e54e-4e42-87dd-fc09bf9f69a0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdRoleBasedAccessControl.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdRoleBasedAccessControl.yaml
new file mode 100644
index 000000000..c8870f5c1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdRoleBasedAccessControl.yaml
@@ -0,0 +1,20 @@
+name: wafsg-MicrosoftEntraIdRoleBasedAccessControl
+title: Apply access controls to the identities that try to reach the VMs and also
+ to the VMs that reach other resources. Use Microsoft Entra ID for authentication
+ and authorization needs. Put strong passwords, multifactor authentication, and role-based
+ access control (RBAC) in place for your VMs and their dependencies, like secrets,
+ to permit allowed identities to perform only the operations that are expected of
+ their roles.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 2e452de7-a327-401b-9ad4-19a42e7b3b2a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdVmProfile.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdVmProfile.yaml
new file mode 100644
index 000000000..8a7c46c3f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-MicrosoftEntraIdVmProfile.yaml
@@ -0,0 +1,19 @@
+name: wafsg-MicrosoftEntraIdVmProfile
+title: (Scale set) Assign a managed identity to scale sets. All VMs in the scale set
+ get the same identity through the specified VM profile. (VMs) You can also assign
+ a managed identity to individual VMs when you create them and then add it to a scale
+ set if needed.
+description: When VMs communicate with other resources, they cross a trust boundary.
+ Scale sets and VMs should authenticate their identity before communication is allowed.
+ Microsoft Entra ID handles that authentication by using managed identities.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 22995c7f-8fcf-4986-b139-cc1b8e946c03
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-PublicNetworkAccessSecureStorageOptions.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-PublicNetworkAccessSecureStorageOptions.yaml
new file mode 100644
index 000000000..6fa163ecc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-PublicNetworkAccessSecureStorageOptions.yaml
@@ -0,0 +1,17 @@
+name: wafsg-PublicNetworkAccessSecureStorageOptions
+title: (VMs) Choose secure storage options for your VM's storage profile. Enable
+ disk encryption and data-at-rest encryption by default. Disable public network access
+ to the VM disks.
+description: Disabling public network access helps prevent unauthorized access to
+ your data and resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 47c0a03c-627a-4961-96da-9a8c883d0d9f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetConfidentialComputing.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetConfidentialComputing.yaml
new file mode 100644
index 000000000..0a0b04c27
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetConfidentialComputing.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ScaleSetConfidentialComputing
+title: (Scale set) Choose VM SKUs with security features. For example, some SKUs support
+ BitLocker encryption, and confidential computing provides encryption of data-in-use. Review
+ the features to understand the limitations.
+description: Azure-provided features are based on signals that are captured across
+ many tenants and can protect resources better than custom controls. You can also
+ use policies to enforce those controls.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: b298468d-1c65-4c20-986c-6456d2d99665
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetOrganizationRecommendedTags.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetOrganizationRecommendedTags.yaml
new file mode 100644
index 000000000..bd7574c0f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetOrganizationRecommendedTags.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ScaleSetOrganizationRecommendedTags
+title: (VMs, scale set) Apply organization-recommended tags in the provisioned resources.
+description: Tagging is a common way to segment and organize resources and can be
+ crucial during incident management. For more information, see Purpose of naming
+ and tagging.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: b47b917b-bb94-49a9-9c84-a579d9554f18
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetsNetworkBoundaries.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetsNetworkBoundaries.yaml
new file mode 100644
index 000000000..9923b8e01
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ScaleSetsNetworkBoundaries.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ScaleSetsNetworkBoundaries
+title: Provide segmentation to the VMs and scale sets by setting network boundaries
+ and access controls. Place VMs in resource groups that share the same lifecycle.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: f90aa688-2018-4e02-9fd9-0c7151dee588
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ThreatDetectionAuditTrail.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ThreatDetectionAuditTrail.yaml
new file mode 100644
index 000000000..55bb9f34e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-ThreatDetectionAuditTrail.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ThreatDetectionAuditTrail
+title: Threat detection. Monitor VMs for threats and misconfigurations. Use Defender
+ for Servers to capture VM and OS changes, and maintain an audit trail of access,
+ new accounts, and changes in permissions.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 9a7f628b-002c-4926-b1fc-d4918b451c30
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-VirtualMachineScaleSetsAzureSecurityBaseline.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-VirtualMachineScaleSetsAzureSecurityBaseline.yaml
new file mode 100644
index 000000000..e5c481b87
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-VirtualMachineScaleSetsAzureSecurityBaseline.yaml
@@ -0,0 +1,19 @@
+name: wafsg-VirtualMachineScaleSetsAzureSecurityBaseline
+title: (VMs, scale set) Set a security profile with the security features that you
+ want to enable in the VM configuration. For example, when you specify encryption
+ at host in the profile, the data that's stored on the VM host is encrypted at rest
+ and flows are encrypted to the storage service.
+description: The features in the security profile are automatically enabled when the
+ VM is created. For more information, see Azure security baseline for Virtual Machine
+ Scale Sets.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: 4529997c-b38f-402e-9bbf-8db5717a74d4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-VirtualMachineScaleSetsSecurityBaselines.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-VirtualMachineScaleSetsSecurityBaselines.yaml
new file mode 100644
index 000000000..8ea69ce68
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/Security/wafsg-VirtualMachineScaleSetsSecurityBaselines.yaml
@@ -0,0 +1,16 @@
+name: wafsg-VirtualMachineScaleSetsSecurityBaselines
+title: Review the security baselines for Linux and Windows VMs and Virtual Machine
+ Scale Sets.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/virtual-machines.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.compute/virtualmachines
+waf: Security
+severity: 1
+labels:
+ guid: fe47919b-9d90-4600-8dad-658568ce94d8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureCapacityReservationsReserveComputeCapacity.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureCapacityReservationsReserveComputeCapacity.yaml
new file mode 100644
index 000000000..be44e6b5a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureCapacityReservationsReserveComputeCapacity.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureCapacityReservationsReserveComputeCapacity
+title: Reserve Compute Capacity for critical workloads
+description: |-
+ Azure Capacity Reservations ensure high availability for virtual machines by reserving compute capacity in advance within a specific region or availability zone. This guarantees that VMs will have the necessary resources during peak demand or maintenance events, enhancing reliability and uptime.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: 302fda08-ee65-4fbe-a916-6dc0b33169c4
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find all Virtual Machines not associated with a Capacity Reservation, and provide details for Capacity Reservation like vmSize, location, and zone.
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnull(properties.capacityReservation)
+ | extend zoneValue = iff(isnull(zones), "null", zones)
+ | project recommendationId = "302fda08-ee65-4fbe-a916-6dc0b33169c4", name, id, tags, param1 = strcat("VmSize: ", properties.hardwareProfile.vmSize), param2 = strcat("Location: ", location), param3 = strcat("Zone: ", zoneValue)
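Review bot: `resourceTypes` in this entry is `Microsoft.Compute/virtualMachines`, while every wafsg and revcl entry for the same service writes `microsoft.compute/virtualmachines`; any case-sensitive match on that field will split one resource type into two buckets. The `where type =~` clause inside the query is case-insensitive, but the YAML field is read by whatever consumes these files, not by Resource Graph, so normalising the casing at export time would be safer than relying on each consumer to fold case. Separately, the `recommendationId` literal in the query repeats the `labels.guid` value verbatim, so the two can drift if either side is regenerated independently; a one-line comment in the exporter noting that the query id must equal `labels.guid` would at least make the coupling visible.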
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVirtualMachinesAzureMonitorMetrics.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVirtualMachinesAzureMonitorMetrics.yaml
new file mode 100644
index 000000000..f6ad49f11
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVirtualMachinesAzureMonitorMetrics.yaml
@@ -0,0 +1,60 @@
+name: aprl-AzureVirtualMachinesAzureMonitorMetrics
+title: Configure monitoring for all Azure Virtual Machines
+description: |-
+ Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: 4a9d8973-6dba-0042-b3aa-07924877ebd5
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Virtual Machines without diagnostic settings enabled/with diagnostic settings enabled but not configured both performance counters and event logs/syslogs.
+ resources
+ | where type =~ "microsoft.compute/virtualmachines"
+ | project name, id, tags, lowerCaseVmId = tolower(id)
+ | join kind = leftouter (
+ resources
+ | where type =~ "Microsoft.Compute/virtualMachines/extensions" and properties.publisher =~ "Microsoft.Azure.Diagnostics"
+ | project
+ lowerCaseVmIdOfExtension = tolower(substring(id, 0, indexof(id, "/extensions/"))),
+ extensionType = properties.type,
+ provisioningState = properties.provisioningState,
+ storageAccount = properties.settings.StorageAccount,
+ // Windows
+ wadPerfCounters = properties.settings.WadCfg.DiagnosticMonitorConfiguration.PerformanceCounters.PerformanceCounterConfiguration,
+ wadEventLogs = properties.settings.WadCfg.DiagnosticMonitorConfiguration.WindowsEventLog,
+ // Linux
+ ladPerfCounters = properties.settings.ladCfg.diagnosticMonitorConfiguration.performanceCounters.performanceCounterConfiguration,
+ ladSyslog = properties.settings.ladCfg.diagnosticMonitorConfiguration.syslogEvents
+ | extend
+ // Windows
+ isWadPerfCountersConfigured = iif(array_length(wadPerfCounters) > 0, true, false),
+ isWadEventLogsConfigured = iif(isnotnull(wadEventLogs) and array_length(wadEventLogs.DataSource) > 0, true, false),
+ // Linux
+ isLadPerfCountersConfigured = iif(array_length(ladPerfCounters) > 0, true, false),
+ isLadSyslogConfigured = isnotnull(ladSyslog)
+ | project
+ lowerCaseVmIdOfExtension,
+ extensionType,
+ provisioningState,
+ storageAccount,
+ isPerfCountersConfigured = case(extensionType =~ "IaaSDiagnostics", isWadPerfCountersConfigured, extensionType =~ "LinuxDiagnostic", isLadPerfCountersConfigured, false),
+ isEventLogsConfigured = case(extensionType =~ "IaaSDiagnostics", isWadEventLogsConfigured, extensionType =~ "LinuxDiagnostic", isLadSyslogConfigured, false)
+ )
+ on $left.lowerCaseVmId == $right.lowerCaseVmIdOfExtension
+ | where isempty(lowerCaseVmIdOfExtension) or provisioningState !~ "Succeeded" or not(isPerfCountersConfigured and isEventLogsConfigured)
+ | extend
+ param1 = strcat("DiagnosticSetting: ", iif(isnotnull(extensionType), strcat("Enabled, partially configured (", extensionType, ")"), "Not enabled")),
+ param2 = strcat("ProvisioningState: ", iif(isnotnull(provisioningState), provisioningState, "n/a")),
+ param3 = strcat("storageAccount: ", iif(isnotnull(storageAccount), storageAccount, "n/a")),
+ param4 = strcat("PerformanceCounters: ", case(isnull(isPerfCountersConfigured), "n/a", isPerfCountersConfigured, "Configured", "Not configured")),
+ param5 = strcat("EventLogs/Syslogs: ", case(isnull(isEventLogsConfigured), "n/a", isEventLogsConfigured, "Configured", "Not configured"))
+ | project recommendationId = "4a9d8973-6dba-0042-b3aa-07924877ebd5", name, id, tags, param1, param2, param3, param4, param5
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVirtualMachinesReviewVms.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVirtualMachinesReviewVms.yaml
new file mode 100644
index 000000000..e5d5c2fe6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVirtualMachinesReviewVms.yaml
@@ -0,0 +1,23 @@
+name: aprl-AzureVirtualMachinesReviewVms
+title: Review VMs in stopped state
+description: |-
+ Azure Virtual Machines (VM) instances have various states, like provisioning and power states. A non-running VM may indicate issues or it being unnecessary, suggesting removal could help cut costs.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: 98b334c0-8578-6046-9e43-b6e8fce6318e
+ area: Governance
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that are NOT running
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where properties.extended.instanceView.powerState.displayStatus != 'VM running'
+ | project recommendationId = "98b334c0-8578-6046-9e43-b6e8fce6318e", name, id, tags
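Review bot: The cost argument in the description depends on whether a non-running VM is deallocated or merely stopped (a stopped-but-allocated VM still bills compute), yet the final `project` of the query drops the power state, so each finding needs a second lookup to triage. Expose it like the other queries in this directory do: `| project recommendationId = "98b334c0-8578-6046-9e43-b6e8fce6318e", name, id, tags, param1 = strcat("PowerState: ", properties.extended.instanceView.powerState.displayStatus)`. Note also that a VM whose instanceView is not populated has a null `displayStatus`, and as far as I recall KQL evaluates `null != 'VM running'` as true, so such VMs are reported as non-running; if that is unintended, add `| where isnotnull(properties.extended.instanceView.powerState.displayStatus)` before the comparison.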
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVmDisksAzureDiskEncryption.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVmDisksAzureDiskEncryption.yaml
new file mode 100644
index 000000000..a3688a27d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-AzureVmDisksAzureDiskEncryption.yaml
@@ -0,0 +1,27 @@
+name: aprl-AzureVmDisksAzureDiskEncryption
+title: Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled
+description: |-
+ Consider enabling Azure Disk Encryption (ADE) for encrypting Azure VM disks using DM-Crypt (Linux) or BitLocker (Windows). Additionally, consider Encryption at host and Confidential disk encryption for enhanced data security.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: f0a97179-133a-6e4f-8a49-8a44da73ffce
+ area: Security
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Provides a list of Azure VM disks without Azure Disk Encryption or encryption at host enabled
+ resources
+ | where type =~ "microsoft.compute/disks"
+ | project diskId = id, diskName = name, vmId = tolower(managedBy), azureDiskEncryption = iff(properties.encryptionSettingsCollection.enabled == true, true, false)
+ | join kind=leftouter (resources
+ | where type =~ "microsoft.compute/virtualmachines"
+ | project vmId = tolower(id), vmName = name, encryptionAtHost = iff(properties.securityProfile.encryptionAtHost == true, true, false)) on vmId
+ | where not(encryptionAtHost) and not(azureDiskEncryption)
+ | project recommendationId = 'f0a97179-133a-6e4f-8a49-8a44da73ffce', name = vmName, id =vmId, param1 = strcat('diskName:',diskName), param2 = strcat('azureDiskEncryption:',iff(azureDiskEncryption, "Enabled", "Disabled")), param3 = strcat('encryptionAtHost:',iff(encryptionAtHost, "Enabled", "Disabled"))
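Review bot: The `kind=leftouter` join keeps disks that are not attached to any VM, but for those rows `encryptionAtHost` is computed on the right side and is therefore null, so `where not(encryptionAtHost) and not(azureDiskEncryption)` evaluates to null and the row is silently dropped — unattached, unencrypted disks are neither reported nor explicitly excluded. If the recommendation is scoped to VMs, say so with `| join kind=inner (resources`; if unattached disks should be reported, add `| extend encryptionAtHost = coalesce(encryptionAtHost, false)` before the filter and project `diskId` for rows whose `vmId` is empty. Either way a one-line comment above the join stating which choice was made would save the next reader the analysis. The description also mentions Confidential disk encryption, which this query does not detect, so confidential-VM disks are presumably reported as false positives — worth confirming against the disk `securityProfile` property before relying on the result.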
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-CompatibleVmSizesAzureMaintenanceActivities.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-CompatibleVmSizesAzureMaintenanceActivities.yaml
new file mode 100644
index 000000000..f268a7de0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-CompatibleVmSizesAzureMaintenanceActivities.yaml
@@ -0,0 +1,18 @@
+name: aprl-CompatibleVmSizesAzureMaintenanceActivities
+title: Use Azure Boost VMs for Maintenance sensitive workload
+description: |-
+ If the workload is Maintenance sensitive, consider Azure Boost compatible VMs. Azure Boost is designed to lessen the impact on customers when Azure maintenance activities occur on the host, and the current list of compatible VM sizes are documented in the first link below.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: 9ab499d8-8844-424d-a2d4-8f53690eb8f8
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
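Review bot: The description tells the reader that compatible sizes are "documented in the first link below", but `links: []` is empty, so in this file the reference points nowhere. Either carry the source recommendation's link list across in the converter, or drop the dangling clause: `If the workload is Maintenance sensitive, consider Azure Boost compatible VMs. Azure Boost is designed to lessen the impact on customers when Azure maintenance activities occur on the host.` Since `links: []` appears on every file in this directory, the fix is more likely in the generator than in this YAML.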
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ConstantFullCpuPerformanceSmallToMediumDatabases.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ConstantFullCpuPerformanceSmallToMediumDatabases.yaml
new file mode 100644
index 000000000..bf6c6a66d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ConstantFullCpuPerformanceSmallToMediumDatabases.yaml
@@ -0,0 +1,23 @@
+name: aprl-ConstantFullCpuPerformanceSmallToMediumDatabases
+title: Don't use A or B-Series VMs for production needing constant full CPU performance
+description: |-
+ A-series VMs are tailored for entry-level workloads like development and testing, including use cases such as development and test servers, low traffic web servers, and small to medium databases.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: 3201dba8-d1da-4826-98a4-104066545170
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs using A or B series families
+ resources
+ | where type == 'microsoft.compute/virtualmachines'
+ | where properties.hardwareProfile.vmSize contains "Standard_B" or properties.hardwareProfile.vmSize contains "Standard_A"
+ | project recommendationId = "3201dba8-d1da-4826-98a4-104066545170", name, id, tags, param1=strcat("vmSku: " , properties.hardwareProfile.vmSize)
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ContinuousAsynchronousDiskReplicationRecoveryPointObjective.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ContinuousAsynchronousDiskReplicationRecoveryPointObjective.yaml
new file mode 100644
index 000000000..7354c9e49
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ContinuousAsynchronousDiskReplicationRecoveryPointObjective.yaml
@@ -0,0 +1,33 @@
+name: aprl-ContinuousAsynchronousDiskReplicationRecoveryPointObjective
+title: Replicate VMs using Azure Site Recovery
+description: |-
+ Replicating Azure VMs via Site Recovery entails continuous, asynchronous disk replication to a target region. Recovery points are generated every few minutes, ensuring a Recovery Point Objective (RPO) in minutes.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: cfe22a65-b1db-fd41-9e8e-d573922709ae
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find all VMs that do NOT have replication with ASR enabled
+ resources
+ | where type =~ "Microsoft.Compute/virtualMachines"
+ | extend securityType = iif(isnull(properties.securityProfile.securityType), "Standard", properties.securityProfile.securityType)
+ | where securityType !in~ ("TrustedLaunch", "ConfidentialVM")
+ | project id, vmIdForJoin = tolower(id), name, tags
+ | join kind = leftouter (
+ recoveryservicesresources
+ | where type =~ "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems"
+ and properties.providerSpecificDetails.dataSourceInfo.datasourceType =~ "AzureVm"
+ | project vmResourceId = tolower(properties.providerSpecificDetails.dataSourceInfo.resourceId)
+ )
+ on $left.vmIdForJoin == $right.vmResourceId
+ | where isempty(vmResourceId)
+ | project recommendationId = "cfe22a65-b1db-fd41-9e8e-d573922709ae", name, id, tags
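Review bot: The filter `| where securityType !in~ ("TrustedLaunch", "ConfidentialVM")` silently exempts those VMs from the replication check, and nothing in the file says why, so a reader can mistake the exemption for a bug or, worse, remove it without knowing what it protects against. Add a why-comment directly above it, e.g. `// Trusted Launch / Confidential VMs are deliberately excluded; confirm against current Azure Site Recovery support before relaxing this`. If the exclusion is a support limitation rather than a policy choice, a note in the description would also warn consumers that the finding list is partial.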
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-CrossZoneDataReplicationHigherWriteLatency.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-CrossZoneDataReplicationHigherWriteLatency.yaml
new file mode 100644
index 000000000..05b647a1d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-CrossZoneDataReplicationHigherWriteLatency.yaml
@@ -0,0 +1,24 @@
+name: aprl-CrossZoneDataReplicationHigherWriteLatency
+title: Use Azure Disks with Zone Redundant Storage for higher resiliency and availability
+description: |-
+ Azure disks offers a zone-redundant storage (ZRS) option for workloads that need to be resilient to an entire zone being down. Due to the cross-zone data replication, ZRS disks have higher write latency when compared to the locally-redundant option (LRS), so make sure to benchmark your disks.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: fa0cf4f5-0b21-47b7-89a9-ee936f193ce1
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find eligible Disks that are not zonal nor zone redundant
+ resources
+ | where type == 'microsoft.compute/disks'
+ | where sku has "Premium_LRS" or sku has "StandardSSD_LRS"
+ | where sku.name has_cs 'ZRS' or array_length(zones) > 0
+ | project recommendationId="fa0cf4f5-0b21-47b7-89a9-ee936f193ce1", name, id, tags, param1 = sku, param2 = sku.name
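Review bot: The second `where` contradicts its own comment ("not zonal nor zone redundant"): it keeps disks whose SKU name contains `ZRS` or whose `zones` array is non-empty, i.e. exactly the zone-aware ones. The `ZRS` clause can also never match, because the preceding line restricts to `Premium_LRS` / `StandardSSD_LRS`, so the net effect is that only zonal LRS disks are reported and non-zonal LRS disks are missed. If the comment states the intent, replace the line with `| where isnull(zones) or array_length(zones) == 0`; if zonal LRS disks really are the target, fix the comment instead so the two agree. `param1 = sku` also emits the whole dynamic object; `param1 = strcat("sku: ", sku.name)` would match the `param` style used by the other queries here.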
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DefaultAzureVnetInterfaceLatestMellanoxDrivers.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DefaultAzureVnetInterfaceLatestMellanoxDrivers.yaml
new file mode 100644
index 000000000..87004c01e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DefaultAzureVnetInterfaceLatestMellanoxDrivers.yaml
@@ -0,0 +1,18 @@
+name: aprl-DefaultAzureVnetInterfaceLatestMellanoxDrivers
+title: When AccelNet is enabled, you must manually update the GuestOS NIC driver
+description: |-
+ When Accelerated Networking is enabled, the default Azure VNet interface in GuestOS is swapped for a Mellanox, and its driver comes from a 3rd party. Marketplace images have the latest Mellanox drivers, but post-deployment, updating the driver is the user's responsibility.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: 73d1bb04-7d3e-0d47-bc0d-63afe773b5fe
+ area: Governance
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DemandingNetworkWorkloadsAcceleratedNetworking.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DemandingNetworkWorkloadsAcceleratedNetworking.yaml
new file mode 100644
index 000000000..ce35037d8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DemandingNetworkWorkloadsAcceleratedNetworking.yaml
@@ -0,0 +1,34 @@
+name: aprl-DemandingNetworkWorkloadsAcceleratedNetworking
+title: Enable Accelerated Networking (AccelNet)
+description: |-
+ Accelerated networking enables SR-IOV to a VM, greatly improving its networking performance by bypassing the host from the data path, which reduces latency, jitter, and CPU utilization for demanding network workloads on supported VM types.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: dfedbeb1-1519-fc47-86a5-52f96cf07105
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VM NICs that do not have Accelerated Networking enabled
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | mv-expand nic = properties.networkProfile.networkInterfaces
+ | project name, id, tags, lowerCaseNicId = tolower(nic.id), vmSize = tostring(properties.hardwareProfile.vmSize)
+ | join kind = inner (
+ resources
+ | where type =~ 'Microsoft.Network/networkInterfaces'
+ | where properties.enableAcceleratedNetworking == false
+ | project nicName = split(id, "/")[8], lowerCaseNicId = tolower(id)
+ )
+ on lowerCaseNicId
+ | summarize nicNames = make_set(nicName) by name, id, tostring(tags), vmSize
+ | extend param1 = strcat("NicName: ", strcat_array(nicNames, ", ")), param2 = strcat("VMSize: ", vmSize)
+ | project recommendationId = "dfedbeb1-1519-fc47-86a5-52f96cf07105", name, id, tags, param1, param2
+ | order by id asc
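Review bot: The join reports every NIC with `enableAcceleratedNetworking == false` regardless of whether the VM size in `vmSize` supports Accelerated Networking, so VMs on unsupported sizes are flagged although the description limits the recommendation to "supported VM types". Filtering by size inside ARG is probably impractical, but say so next to the join so the gap is a known one: `// VM size support for AccelNet is not checked here; triage with param2 (VMSize)`. Separately, a NIC on which the property is absent does not satisfy `== false` and is skipped; if ARG can omit the property for NICs that were never configured (verify), `| where properties.enableAcceleratedNetworking != true` catches both cases.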
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DifferentFaultDomainsAvailabilitySets.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DifferentFaultDomainsAvailabilitySets.yaml
new file mode 100644
index 000000000..18ab04a37
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-DifferentFaultDomainsAvailabilitySets.yaml
@@ -0,0 +1,23 @@
+name: aprl-DifferentFaultDomainsAvailabilitySets
+title: Migrate VMs using availability sets to VMSS Flex
+description: |-
+ While availability sets are not scheduled for immediate deprecation, they are planned to be deprecated in the future. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: a8d25876-7951-b646-b4e8-880c9031596b
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs using Availability Sets
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnotnull(properties.availabilitySet)
+ | project recommendationId = "a8d25876-7951-b646-b4e8-880c9031596b", name, id, tags, param1=strcat("availabilitySet: ",properties.availabilitySet.id)
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-HigherSingleInstanceVirtualMachineUptimeSlasHighestUptimeSla.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-HigherSingleInstanceVirtualMachineUptimeSlasHighestUptimeSla.yaml
new file mode 100644
index 000000000..4dcb45ca5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-HigherSingleInstanceVirtualMachineUptimeSlasHighestUptimeSla.yaml
@@ -0,0 +1,31 @@
+name: aprl-HigherSingleInstanceVirtualMachineUptimeSlasHighestUptimeSla
+title: Mission Critical Workloads should consider using Premium or Ultra Disks
+description: |-
+ Compared to Standard HDD and SSD, Premium SSD, SSDv2, and Ultra SSDs offer improved performance, configurability, and higher single-instance Virtual Machine uptime SLAs. The lowest SLA of all disks on a Virtual Machine applies, so it is best to use Premium or Ultra Disks for the highest uptime SLA.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: df0ff862-814d-45a3-95e4-4fad5a244ba6
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that have an attached disk that is not in the Premium or Ultra sku tier.
+
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | extend lname = tolower(name)
+ | join kind=leftouter(resources
+ | where type =~ 'Microsoft.Compute/disks'
+ | where not(sku.tier =~ 'Premium') and not(sku.tier =~ 'Ultra')
+ | extend lname = tolower(tostring(split(managedBy, '/')[8]))
+ | project lname, name
+ | summarize disks = make_list(name) by lname) on lname
+ | where isnotnull(disks)
+ | project recommendationId = "df0ff862-814d-45a3-95e4-4fad5a244ba6", name, id, tags, param1=strcat("AffectedDisks: ", disks)
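Review bot: The join `on lname` matches disks to VMs by VM name alone, taken from `split(managedBy, '/')[8]`, so two VMs with the same name in different resource groups or subscriptions are cross-matched and each is reported with the other's disks. Join on the full resource id instead: `| extend lvm = tolower(id)` on the VM side, `| extend lvm = tolower(managedBy)` on the disk side, then `on lvm`. `param1 = strcat("AffectedDisks: ", disks)` also concatenates a dynamic array directly; `strcat_array(disks, ", ")` gives the readable form the AccelNet query in this directory uses.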
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MaintenanceConfigurationSettingsMaintenanceConfigurations.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MaintenanceConfigurationSettingsMaintenanceConfigurations.yaml
new file mode 100644
index 000000000..79b280102
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MaintenanceConfigurationSettingsMaintenanceConfigurations.yaml
@@ -0,0 +1,32 @@
+name: aprl-MaintenanceConfigurationSettingsMaintenanceConfigurations
+title: Use maintenance configurations for the VMs
+description: |-
+ The maintenance configuration settings let users schedule and manage updates, making sure the updates or interruptions on the VM are performed within a planned timeframe.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find VMS that do not have maintenance configuration assigned
+ Resources
+ | extend resourceId = tolower(id)
+ | project name, location, type, id, tags, resourceId, properties
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | join kind=leftouter (
+ maintenanceresources
+ | where type =~ "microsoft.maintenance/configurationassignments"
+ | project planName = name, type, maintenanceProps = properties
+ | extend resourceId = tostring(maintenanceProps.resourceId)
+ ) on resourceId
+ | where isnull(maintenanceProps)
+ | project recommendationId = "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870",name, id, tags
+ | order by id asc
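Review bot: The join key is case-normalised on the VM side (`resourceId = tolower(id)`) but not on the maintenance side, where `resourceId = tostring(maintenanceProps.resourceId)` keeps whatever casing the assignment stored, and Kusto string joins are case-sensitive — any casing difference makes the VM look unassigned and produces a false finding. Normalise both sides: `| extend resourceId = tolower(tostring(maintenanceProps.resourceId))`. The `project name, location, type, id, tags, resourceId, properties` placed before the type filter is also dead weight; filtering on `type` first and projecting only `name, id, tags, resourceId` is cheaper and reads more clearly.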
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MaintenanceSensitiveWorkloadVmsAzureMetadataService.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MaintenanceSensitiveWorkloadVmsAzureMetadataService.yaml
new file mode 100644
index 000000000..47bbbfdd6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MaintenanceSensitiveWorkloadVmsAzureMetadataService.yaml
@@ -0,0 +1,18 @@
+name: aprl-MaintenanceSensitiveWorkloadVmsAzureMetadataService
+title: Enable Scheduled Events for Maintenance sensitive workload VMs
+description: |-
+ If your workload is Maintenance sensitive, enable Scheduled Events. This Azure Metadata Service lets your app prepare for virtual machine maintenance by providing information on upcoming events like reboots, reducing disruptions.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: 2de8fa5e-14f4-4c4c-857f-1520f87a629f
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ManagedDisksVmDisks.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ManagedDisksVmDisks.yaml
new file mode 100644
index 000000000..c2162da7a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ManagedDisksVmDisks.yaml
@@ -0,0 +1,23 @@
+name: aprl-ManagedDisksVmDisks
+title: Use Managed Disks for VM disks
+description: |-
+ Azure is retiring unmanaged disks on September 30, 2025. Users should plan the migration to avoid disruptions and maintain service reliability.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: 122d11d7-b91f-8747-a562-f56b79bcfbdc
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that are not using Managed Disks
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnull(properties.storageProfile.osDisk.managedDisk)
+ | project recommendationId = "122d11d7-b91f-8747-a562-f56b79bcfbdc", name, id, tags
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MicrosoftAzureCloudAzureBackupService.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MicrosoftAzureCloudAzureBackupService.yaml
new file mode 100644
index 000000000..801ae042b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-MicrosoftAzureCloudAzureBackupService.yaml
@@ -0,0 +1,35 @@
+name: aprl-MicrosoftAzureCloudAzureBackupService
+title: Backup VMs with Azure Backup service
+description: |-
+ Enable backups for your virtual machines with Azure Backup to secure and quickly recover your data. This service offers simple, secure, and cost-effective solutions for backing up and recovering data from the Microsoft Azure cloud.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: 1981f704-97b9-b645-9c57-33f8ded9261a
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that do NOT have Backup enabled
+ // Run query to see results.
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | project name, id, tags
+ | join kind=leftouter (
+ recoveryservicesresources
+ | where type =~ 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems'
+ | where properties.dataSourceInfo.datasourceType =~ 'Microsoft.Compute/virtualMachines'
+ | project idBackupEnabled=properties.sourceResourceId
+ | extend name=strcat_array(array_slice(split(idBackupEnabled, '/'), 8, -1), '/')
+ ) on name
+ | where isnull(idBackupEnabled)
+ | project-away idBackupEnabled
+ | project-away name1
+ | project recommendationId = "1981f704-97b9-b645-9c57-33f8ded9261a", name, id, tags
+ | order by id asc
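Review bot: The query joins protected items to VMs `on name`, i.e. by VM name alone reconstructed from `sourceResourceId`, so a VM that shares its name with a protected VM in another resource group or subscription is wrongly treated as backed up, and a casing difference between the VM `name` and the id segment breaks the match the other way. Join on the full lowercased id instead: project `idBackupEnabled = tolower(properties.sourceResourceId)` on the right and `lowerCaseVmId = tolower(id)` on the left, then join `on $left.lowerCaseVmId == $right.idBackupEnabled`, which is the pattern the Site Recovery query in this directory already follows. That also removes the need for the `project-away name1` cleanup. The `// Run query to see results.` line is portal boilerplate and can be dropped.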
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-NetworkIssuesVmInsights.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-NetworkIssuesVmInsights.yaml
new file mode 100644
index 000000000..7001123ce
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-NetworkIssuesVmInsights.yaml
@@ -0,0 +1,43 @@
+name: aprl-NetworkIssuesVmInsights
+title: Enable VM Insights
+description: |-
+ VM Insights monitors VM and scale set performance, health, running processes, and dependencies. It enhances the predictability of application performance and availability by pinpointing performance bottlenecks and network issues, and it clarifies if problems are related to other dependencies.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: b72214bb-e879-5f4b-b9cd-642db84f36f4
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Check for VMs without Azure Monitoring Agent extension installed, missing Data Collection Rule or Data Collection Rule without performance enabled.
+ Resources
+ | where type == 'microsoft.compute/virtualmachines'
+ | project idVm = tolower(id), name, tags
+ | join kind=leftouter (
+ InsightsResources
+ | where type =~ "Microsoft.Insights/dataCollectionRuleAssociations" and id has "Microsoft.Compute/virtualMachines"
+ | project idDcr = tolower(properties.dataCollectionRuleId), idVmDcr = tolower(substring(id, 0, indexof(id, "/providers/Microsoft.Insights/dataCollectionRuleAssociations/"))))
+ on $left.idVm == $right.idVmDcr
+ | join kind=leftouter (
+ Resources
+ | where type =~ "Microsoft.Insights/dataCollectionRules"
+ | extend
+ isPerformanceEnabled = iif(properties.dataSources.performanceCounters contains "Microsoft-InsightsMetrics" and properties.dataFlows contains "Microsoft-InsightsMetrics", true, false),
+ isMapEnabled = iif(properties.dataSources.extensions contains "Microsoft-ServiceMap" and properties.dataSources.extensions contains "DependencyAgent" and properties.dataFlows contains "Microsoft-ServiceMap", true, false)//,
+ | where isPerformanceEnabled or isMapEnabled
+ | project dcrName = name, isPerformanceEnabled, isMapEnabled, idDcr = tolower(id))
+ on $left.idDcr == $right.idDcr
+ | join kind=leftouter (
+ Resources
+ | where type == 'microsoft.compute/virtualmachines/extensions' and (name contains 'AzureMonitorWindowsAgent' or name contains 'AzureMonitorLinuxAgent')
+ | extend idVmExtension = tolower(substring(id, 0, indexof(id, '/extensions'))), extensionName = name)
+ on $left.idVm == $right.idVmExtension
+ | where isPerformanceEnabled != 1 or (extensionName != 'AzureMonitorWindowsAgent' and extensionName != 'AzureMonitorLinuxAgent')
+ | project recommendationId = "b72214bb-e879-5f4b-b9cd-642db84f36f4", name, id = idVm, tags, param1 = strcat('MonitoringExtension:', extensionName), param2 = strcat('DataCollectionRuleId:', idDcr), param3 = strcat('isPerformanceEnabled:', isPerformanceEnabled)
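Review bot: `isPerformanceEnabled != 1` in the final `where` compares a bool column with an integer literal; `isPerformanceEnabled != true` states the intent and does not rely on bool/long coercion. The `)//,` at the end of the `isMapEnabled` line is a leftover from a commented-out column and should be removed so the stray comma does not resurface. `isMapEnabled` is computed and used to filter DCRs but appears in neither the final `where` nor the output, so a VM whose only DCR is map-only is reported with `isPerformanceEnabled:false` without saying so — either add `param4 = strcat('isMapEnabled:', isMapEnabled)` or document the choice. A VM with several DCR associations or both agent extensions also yields several rows; a `summarize` per VM would keep one finding per resource as the AccelNet query does.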
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-OtherEssentialDataHostDatabaseData.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-OtherEssentialDataHostDatabaseData.yaml
new file mode 100644
index 000000000..944e7b309
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-OtherEssentialDataHostDatabaseData.yaml
@@ -0,0 +1,23 @@
+name: aprl-OtherEssentialDataHostDatabaseData
+title: Host database data on a data disk
+description: |-
+ A data disk is a managed disk attached to a virtual machine for storing database or other essential data. These disks are SCSI drives labeled as per choice.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: 4ea2878f-0d69-8d4a-b715-afc10d1e538e
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that only have OS Disk
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where array_length(properties.storageProfile.dataDisks) < 1
+ | project recommendationId = "4ea2878f-0d69-8d4a-b715-afc10d1e538e", name, id, tags
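Review bot: `array_length(properties.storageProfile.dataDisks) < 1` yields null rather than true when the `dataDisks` property is absent, and a null predicate is dropped by `where`, so a VM with no data-disk property at all — the very case the query looks for — would not be reported if ARG ever omits the key instead of returning an empty array. Guard it: `| where coalesce(array_length(properties.storageProfile.dataDisks), 0) < 1`. Whether ARG always materialises the empty array is worth confirming before relying on the current form.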
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-OutboundInternetConnectivityPublicIp.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-OutboundInternetConnectivityPublicIp.yaml
new file mode 100644
index 000000000..540623eeb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-OutboundInternetConnectivityPublicIp.yaml
@@ -0,0 +1,36 @@
+name: aprl-OutboundInternetConnectivityPublicIp
+title: VMs should not have a Public IP directly associated
+description: |-
+ For outbound internet connectivity of Virtual Machines, using NAT Gateway or Azure Firewall is recommended to enhance security and service resilience, thanks to their higher availability and SNAT ports.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs with PublicIPs directly associated with them
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnotnull(properties.networkProfile.networkInterfaces)
+ | mv-expand nic=properties.networkProfile.networkInterfaces
+ | project name, id, tags, nicId = nic.id
+ | extend nicId = tostring(nicId)
+ | join kind=inner (
+ Resources
+ | where type =~ 'Microsoft.Network/networkInterfaces'
+ | where isnotnull(properties.ipConfigurations)
+ | mv-expand ipconfig=properties.ipConfigurations
+ | extend publicIp = tostring(ipconfig.properties.publicIPAddress.id)
+ | where publicIp != ""
+ | project name, nicId = tostring(id), publicIp
+ ) on nicId
+ | project recommendationId = "1f629a30-c9d0-d241-82ee-6f2eb9d42cb4", name, id, tags
+ | order by id asc
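Review bot: Because the inner join runs after an `mv-expand` on both NICs and ipConfigurations, a VM with several public-IP-bearing NICs or ipConfigs is emitted once per match, and the public IP that triggered the finding is then discarded by the final `project`. Collapse and report it in the style of the other queries here: `| summarize publicIps = make_set(publicIp) by name, id, tostring(tags)` followed by `| project recommendationId = "1f629a30-c9d0-d241-82ee-6f2eb9d42cb4", name, id, tags, param1 = strcat("PublicIP: ", strcat_array(publicIps, ", "))`. The description only motivates NAT Gateway / Azure Firewall for outbound traffic; a sentence on the inbound exposure of a directly attached public IP would better justify the `Security` area label.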
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-PotentialExternalThreatsDisablePublicAccess.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-PotentialExternalThreatsDisablePublicAccess.yaml
new file mode 100644
index 000000000..7158717bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-PotentialExternalThreatsDisablePublicAccess.yaml
@@ -0,0 +1,42 @@
+name: aprl-PotentialExternalThreatsDisablePublicAccess
+title: Network access to the VM disk should be set to Disable public access and enable
+ private access
+description: |-
+ Recommended changing to "Disable public access and enable private access" and creating a Private Endpoint to improve security by restricting direct public access and ensuring connections are made privately, enhancing data protection and minimizing potential external threats.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: 70b1d2be-e6c4-b54e-9959-b1b690f9e485
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Disks with "Enable public access from all networks" enabled
+ resources
+ | where type =~ 'Microsoft.Compute/disks'
+ | where properties.publicNetworkAccess == "Enabled"
+ | project id, name, tags, lowerCaseDiskId = tolower(id)
+ | join kind = leftouter (
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | project osDiskVmName = name, lowerCaseOsDiskId = tolower(properties.storageProfile.osDisk.managedDisk.id)
+ | join kind = fullouter (
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | mv-expand dataDisks = properties.storageProfile.dataDisks
+ | project dataDiskVmName = name, lowerCaseDataDiskId = tolower(dataDisks.managedDisk.id)
+ )
+ on $left.lowerCaseOsDiskId == $right.lowerCaseDataDiskId
+ | project lowerCaseDiskId = coalesce(lowerCaseOsDiskId, lowerCaseDataDiskId), vmName = coalesce(osDiskVmName, dataDiskVmName)
+ )
+ on lowerCaseDiskId
+ | summarize vmNames = make_set(vmName) by name, id, tostring(tags)
+ | extend param1 = iif(isempty(vmNames[0]), "VMName: n/a", strcat("VMName: ", strcat_array(vmNames, ", ")))
+ | project recommendationId = "70b1d2be-e6c4-b54e-9959-b1b690f9e485", name, id, tags, param1
+ | order by id asc
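Review bot: The filter `| where properties.publicNetworkAccess == "Enabled"` is a case-sensitive exact match while the `type` checks in the same query use `=~`; `| where properties.publicNetworkAccess =~ "Enabled"` avoids silently missing disks if the service returns different casing. It also only matches disks that carry the property explicitly — if an unset value means public access is still allowed (I cannot confirm the platform default from here), those disks are not reported and a security check under-reports. The VM-lookup subquery is repeated verbatim in the shared-disk query later in this change, which is fine for generated content but worth knowing if these queries are ever hand-maintained.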
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ProductionVmWorkloadsVmssFlexInstance.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ProductionVmWorkloadsVmssFlexInstance.yaml
new file mode 100644
index 000000000..4065c7f4d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-ProductionVmWorkloadsVmssFlexInstance.yaml
@@ -0,0 +1,23 @@
+name: aprl-ProductionVmWorkloadsVmssFlexInstance
+title: Run production workloads on two or more VMs using VMSS Flex
+description: |-
+ Production VM workloads should be deployed on multiple VMs and grouped in a VMSS Flex instance to intelligently distribute across the platform, minimizing the impact of platform faults and updates.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: 273f6b30-68e0-4241-85ea-acf15ffb60bf
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that are not associated with a VMSS Flex instance
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnull(properties.virtualMachineScaleSet.id)
+ | project recommendationId="273f6b30-68e0-4241-85ea-acf15ffb60bf", name, id, tags
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-SecondaryAzureRegionPersonalHostPools.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-SecondaryAzureRegionPersonalHostPools.yaml
new file mode 100644
index 000000000..4b35c4152
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-SecondaryAzureRegionPersonalHostPools.yaml
@@ -0,0 +1,18 @@
+name: aprl-SecondaryAzureRegionPersonalHostPools
+title: Use Azure Site Recovery or backups to protect VMs supporting personal desktops
+description: |-
+ Implement Azure Site Recovery (ASR) or Azure Backup for personal host pools to enable seamless failover and failback. This replicates VMs supporting personal desktops to a secondary Azure region, ensuring recovery from a known state in case of a disaster or outage.
+source:
+ type: aprl
+ file: azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: 38721758-2cc2-4d6b-b7b7-8b47dadbf7df
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
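Review bot: This recommendation is filed under `Microsoft.Compute/virtualMachines` although its `source.file` is `azure-resources/DesktopVirtualization/hostPools/recommendations.yaml` and the guidance is about AVD personal host pools, so every VM owner will see an ASR/backup recommendation that only applies to session hosts; presumably the generator took the resource type from the APRL entry rather than the folder, which is worth confirming. The `arg` query is the literal placeholder `// under-development`, so anything that executes `queries.arg` must treat a comment-only query as absent; the `// cannot-be-validated-with-arg` marker used elsewhere in this change, or `queries: {}` as in the revcl files, would make that unambiguous if the loader does not already skip it.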
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-UnexpectedCommunicationIssuesPotentialRuleConflicts.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-UnexpectedCommunicationIssuesPotentialRuleConflicts.yaml
new file mode 100644
index 000000000..2498e8ec9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-UnexpectedCommunicationIssuesPotentialRuleConflicts.yaml
@@ -0,0 +1,43 @@
+name: aprl-UnexpectedCommunicationIssuesPotentialRuleConflicts
+title: VM network interfaces and associated subnets both have a Network Security Group
+ associated
+description: |-
+ Unless you have a specific reason, it's advised to associate a network security group to a subnet or a network interface, but not both, to avoid unexpected communication issues and troubleshooting due to potential rule conflicts between the two associations.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: 82b3cf6b-9ae2-2e44-b193-10793213f676
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of virtual machines and associated NICs that do have an NSG associated to them and also an NSG associated to the subnet.
+ Resources
+ | where type =~ 'Microsoft.Network/networkInterfaces'
+ | where isnotnull(properties.networkSecurityGroup)
+ | mv-expand ipConfigurations = properties.ipConfigurations, nsg = properties.networkSecurityGroup
+ | project nicId = tostring(id), subnetId = tostring(ipConfigurations.properties.subnet.id), nsgName=split(nsg.id, '/')[8]
+ | parse kind=regex subnetId with '/virtualNetworks/' virtualNetwork '/subnets/' subnet
+ | join kind=inner (
+ Resources
+ | where type =~ 'Microsoft.Network/NetworkSecurityGroups' and isnotnull(properties.subnets)
+ | project name, resourceGroup, subnet=properties.subnets
+ | mv-expand subnet
+ | project subnetId=tostring(subnet.id)
+ ) on subnetId
+ | project nicId
+ | join kind=leftouter (
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnotnull(properties.networkProfile.networkInterfaces)
+ | mv-expand nic=properties.networkProfile.networkInterfaces
+ | project vmName = name, vmId = id, tags, nicId = nic.id, nicName=split(nic.id, '/')[8]
+ | extend nicId = tostring(nicId)
+ ) on nicId
+ | project recommendationId = "82b3cf6b-9ae2-2e44-b193-10793213f676", name=vmName, id = vmId, tags, param1 = strcat("nic-name=", nicName)
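Review bot: The last join is `kind=leftouter` with the NIC list on the left, so a NIC that has an NSG and sits in an NSG-protected subnet but is not attached to any VM yields a row whose `name` and `id` are empty, which is confusing for a VM-scoped recommendation; `| join kind=leftouter (` should be `| join kind=inner (`, matching the inner joins the other NIC queries in this change use. The `| parse kind=regex subnetId with ...` line and the `nsgName` column are computed but never used after `| project nicId`, so they can be dropped. Both `on subnetId` and `on nicId` are case-sensitive string joins, while the disk queries here lower-case ids before joining; if ids in `ipConfigurations` or `networkProfile` can differ in case from the resource ids (I cannot confirm that here), matches would be missed. As the file is generated from APRL, the fix belongs upstream.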
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-UnlikelyDatacenterFailuresAzureAvailabilityZones.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-UnlikelyDatacenterFailuresAzureAvailabilityZones.yaml
new file mode 100644
index 000000000..d8aa4112b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-UnlikelyDatacenterFailuresAzureAvailabilityZones.yaml
@@ -0,0 +1,23 @@
+name: aprl-UnlikelyDatacenterFailuresAzureAvailabilityZones
+title: Deploy VMs across Availability Zones
+description: |-
+ Azure Availability Zones, within each Azure region, are tolerant to local failures, protecting applications and data against unlikely Datacenter failures by being physically separate.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 0
+labels:
+ guid: 2bd0be95-a825-6f47-a8c6-3db1fb5eb387
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs that are not assigned to a Zone
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnull(zones)
+ | project recommendationId="2bd0be95-a825-6f47-a8c6-3db1fb5eb387", name, id, tags, param1="No Zone"
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VariousAzureServicesAzurePolicies.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VariousAzureServicesAzurePolicies.yaml
new file mode 100644
index 000000000..7f3d2057b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VariousAzureServicesAzurePolicies.yaml
@@ -0,0 +1,57 @@
+name: aprl-VariousAzureServicesAzurePolicies
+title: Ensure that your VMs are compliant with Azure Policies
+description: |-
+ Keeping your virtual machine (VM) secure is crucial for the applications you run. This involves using various Azure services and features to ensure secure access to your VMs and the secure storage of your data, aiming for overall security of your VM and applications.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: c42343ae-2712-2843-a285-3437eb0b28a1
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find all VMs in "Non-compliant" state with Azure Policies
+ policyresources
+ | where type =~ "Microsoft.PolicyInsights/policyStates" and properties.resourceType =~ "Microsoft.Compute/virtualMachines" and properties.complianceState =~ "NonCompliant"
+ | project
+ policyDefinitionId = tolower(properties.policyDefinitionId),
+ policyAssignmentId = tolower(properties.policyAssignmentId),
+ targetResourceId = tolower(properties.resourceId)
+ // Join the policy definition details
+ | join kind = leftouter (
+ policyresources
+ | where type =~ "Microsoft.Authorization/policyDefinitions"
+ | project policyDefinitionId = tolower(id), policyDefinitionDisplayName = properties.displayName
+ )
+ on policyDefinitionId
+ | project policyDefinitionId, policyDefinitionDisplayName, policyAssignmentId, targetResourceId
+ // Join the policy assignment details
+ | join kind = leftouter (
+ policyresources
+ | where type =~ "Microsoft.Authorization/policyAssignments"
+ | project policyAssignmentId = tolower(id), policyAssignmentDisplayName = properties.displayName
+ )
+ on policyAssignmentId
+ | project policyDefinitionId, policyDefinitionDisplayName, policyAssignmentId, policyAssignmentDisplayName, targetResourceId
+ // Join the target resource details
+ | join kind = leftouter (
+ resources
+ | where type =~ "Microsoft.Compute/virtualMachines"
+ | project targetResourceId = tolower(id), targetResourceIdPreservedCase = id, targetResourceName = name, targetResourceTags = tags
+ )
+ on targetResourceId
+ | project
+ recommendationId = "c42343ae-2712-2843-a285-3437eb0b28a1",
+ name = targetResourceName,
+ id = targetResourceIdPreservedCase,
+ tags = targetResourceTags,
+ param1 = strcat("DefinitionName: ", policyDefinitionDisplayName),
+ param2 = strcat("DefinitionID: ", policyDefinitionId),
+ param3 = strcat("AssignmentName: ", policyAssignmentDisplayName),
+ param4 = strcat("AssignmentID: ", policyAssignmentId)
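Review bot: The final `| join kind = leftouter (` against `resources` keeps policy states whose `resourceId` no longer resolves to a VM (deleted VMs, or VMs outside the caller's read scope), producing findings with empty `name`, `id` and `tags`; since the output is keyed by VM, `kind = inner` on that last join is the safer choice. The two earlier leftouter joins are fine, as they only enrich display names and a missing definition or assignment should not drop the finding. Worth confirming this is intended in the upstream APRL query before the generated file is touched.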
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VirtualMachineNetworkInterfaceNetworkVirtualAppliances.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VirtualMachineNetworkInterfaceNetworkVirtualAppliances.yaml
new file mode 100644
index 000000000..e0b8e34bb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VirtualMachineNetworkInterfaceNetworkVirtualAppliances.yaml
@@ -0,0 +1,33 @@
+name: aprl-VirtualMachineNetworkInterfaceNetworkVirtualAppliances
+title: IP Forwarding should only be enabled for Network Virtual Appliances
+description: |-
+ IP forwarding allows a virtual machine network interface to receive and send network traffic not destined for or originating from its assigned IP addresses.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VM NICs that have IPForwarding enabled. This feature is usually only required for Network Virtual Appliances
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnotnull(properties.networkProfile.networkInterfaces)
+ | mv-expand nic=properties.networkProfile.networkInterfaces
+ | project name, id, tags, nicId = nic.id
+ | extend nicId = tostring(nicId)
+ | join kind=inner (
+ Resources
+ | where type =~ 'Microsoft.Network/networkInterfaces'
+ | where properties.enableIPForwarding == true
+ | project nicId = tostring(id)
+ ) on nicId
+ | project recommendationId = "41a22a5e-5e08-9647-92d0-2ffe9ef1bdad", name, id, tags
+ | order by id asc
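Review bot: A VM with several NICs is reported without saying which NIC has `enableIPForwarding` set, because the inner subquery projects only `nicId` and the final `project` keeps just name/id/tags; the NSG query in this same change emits the interface in `param1`, which is what a reviewer triaging NVA exceptions needs. For example `| project nicId = tostring(id), nicName = name` in the subquery and `param1 = strcat("nic-name=", nicName)` in the final projection. The description states only what IP forwarding does; adding the rationale the title implies would help readers, e.g. `Enable it only on NICs of Network Virtual Appliances that are meant to route traffic; on any other VM it lets a compromised host relay traffic not addressed to it.`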
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VirtualNetworkLevelCustomerDnsServers.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VirtualNetworkLevelCustomerDnsServers.yaml
new file mode 100644
index 000000000..2c4c39a25
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VirtualNetworkLevelCustomerDnsServers.yaml
@@ -0,0 +1,35 @@
+name: aprl-VirtualNetworkLevelCustomerDnsServers
+title: Customer DNS Servers should be configured in the Virtual Network level
+description: |-
+ Configure the DNS Server at the Virtual Network level to prevent any inconsistency across the environment.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 2
+labels:
+ guid: 1cf8fe21-9593-1e4e-966b-779a294c0d30
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VM NICs that have DNS Server settings configured in any of the NICs
+ Resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | where isnotnull(properties.networkProfile.networkInterfaces)
+ | mv-expand nic=properties.networkProfile.networkInterfaces
+ | project name, id, tags, nicId = nic.id
+ | extend nicId = tostring(nicId)
+ | join kind=inner (
+ Resources
+ | where type =~ 'Microsoft.Network/networkInterfaces'
+ | project name, id, dnsServers = properties.dnsSettings.dnsServers
+ | extend hasDns = array_length(dnsServers) >= 1
+ | where hasDns != 0
+ | project name, nicId = tostring(id)
+ ) on nicId
+ | project recommendationId = "1cf8fe21-9593-1e4e-966b-779a294c0d30", name, id, tags
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VmClusterMembersClusteredServers.yaml b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VmClusterMembersClusteredServers.yaml
new file mode 100644
index 000000000..55df79867
--- /dev/null
+++ b/v2/recos/Services/MicrosoftCompute-virtualMachines/aprl-VmClusterMembersClusteredServers.yaml
@@ -0,0 +1,41 @@
+name: aprl-VmClusterMembersClusteredServers
+title: Shared disks should only be enabled in clustered servers
+description: |-
+ Azure shared disks let you attach a disk to multiple VMs at once for deploying or migrating clustered applications, suitable only when a disk is shared among VM cluster members.
+source:
+ type: aprl
+ file: azure-resources/Compute/virtualMachines/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Compute/virtualMachines
+severity: 1
+labels:
+ guid: 3263a64a-c256-de48-9818-afd3cbc55c2a
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Disks configured to be Shared. This is not an indication of an issue, but if a disk with this configuration is assigned to two or more VMs without a proper disk control mechanism (like a WSFC) it can lead to data loss
+ resources
+ | where type =~ 'Microsoft.Compute/disks'
+ | where isnotnull(properties.maxShares) and properties.maxShares >= 2
+ | project id, name, tags, lowerCaseDiskId = tolower(id), diskState = tostring(properties.diskState)
+ | join kind = leftouter (
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | project osDiskVmName = name, lowerCaseOsDiskId = tolower(properties.storageProfile.osDisk.managedDisk.id)
+ | join kind = fullouter (
+ resources
+ | where type =~ 'Microsoft.Compute/virtualMachines'
+ | mv-expand dataDisks = properties.storageProfile.dataDisks
+ | project dataDiskVmName = name, lowerCaseDataDiskId = tolower(dataDisks.managedDisk.id)
+ )
+ on $left.lowerCaseOsDiskId == $right.lowerCaseDataDiskId
+ | project lowerCaseDiskId = coalesce(lowerCaseOsDiskId, lowerCaseDataDiskId), vmName = coalesce(osDiskVmName, dataDiskVmName)
+ )
+ on lowerCaseDiskId
+ | summarize vmNames = make_set(vmName) by name, id, tostring(tags), diskState
+ | extend param1 = strcat("DiskState: ", diskState), param2 = iif(isempty(vmNames[0]), "VMName: n/a", strcat("VMName: ", strcat_array(vmNames, ", ")))
+ | project recommendationId = "3263a64a-c256-de48-9818-afd3cbc55c2a", name, id, tags, param1, param2
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-CustomMaintenanceScheduleFlexibleServerInstances.yaml b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-CustomMaintenanceScheduleFlexibleServerInstances.yaml
new file mode 100644
index 000000000..857977bcc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-CustomMaintenanceScheduleFlexibleServerInstances.yaml
@@ -0,0 +1,23 @@
+name: aprl-CustomMaintenanceScheduleFlexibleServerInstances
+title: Enable custom maintenance schedule
+description: |-
+ Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.
+source:
+ type: aprl
+ file: azure-resources/DBforMySQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforMySQL/flexibleServers
+severity: 0
+labels:
+ guid: 82a9a0f2-24ee-496f-9ad2-25f81710942d
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for MySQL instances that do not have a custom maintenance window
+ resources
+ | where type =~ "microsoft.dbformysql/flexibleservers"
+ | where properties.maintenanceWindow.customWindow != "Enabled"
+ | project recommendationId = "82a9a0f2-24ee-496f-9ad2-25f81710942d", name, id, tags, param1 = strcat("customWindow:", properties['maintenanceWindow']['customWindow'])
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-DurabilityTargetsReadReplicas.yaml b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-DurabilityTargetsReadReplicas.yaml
new file mode 100644
index 000000000..c30644c1a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-DurabilityTargetsReadReplicas.yaml
@@ -0,0 +1,23 @@
+name: aprl-DurabilityTargetsReadReplicas
+title: Configure one or more read replicas
+description: |-
+ Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.
+source:
+ type: aprl
+ file: azure-resources/DBforMySQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforMySQL/flexibleServers
+severity: 0
+labels:
+ guid: b49a8653-cc43-48c9-8513-a2d2e3f14dd1
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for MySQL instances that do not have a read replica configured
+ resources
+ | where type =~ "microsoft.dbformysql/flexibleservers"
+ | where properties.replicationRole == "None"
+ | project recommendationId = "b49a8653-cc43-48c9-8513-a2d2e3f14dd1", name, id, tags, param1 = strcat("replicationRole:", properties['replicationRole'])
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-FlexibleServerInstancesAutomaticFailoverCapability.yaml b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-FlexibleServerInstancesAutomaticFailoverCapability.yaml
new file mode 100644
index 000000000..01cc9f25d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-FlexibleServerInstancesAutomaticFailoverCapability.yaml
@@ -0,0 +1,23 @@
+name: aprl-FlexibleServerInstancesAutomaticFailoverCapability
+title: Enable HA with zone redundancy
+description: |-
+ Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.
+source:
+ type: aprl
+ file: azure-resources/DBforMySQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforMySQL/flexibleServers
+severity: 0
+labels:
+ guid: 88856605-53d8-4bbd-a75b-4a7b14939d32
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for MySQL instances that are not zone redundant
+ resources
+ | where type == "microsoft.dbformysql/flexibleservers"
+ | where properties.highAvailability.mode != "ZoneRedundant"
+ | project recommendationId = "88856605-53d8-4bbd-a75b-4a7b14939d32", name, id, tags, param1 = "ZoneRedundant: False"
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-GeoRedundantBackupStorageDurabilityTargets.yaml b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-GeoRedundantBackupStorageDurabilityTargets.yaml
new file mode 100644
index 000000000..d3ac19c5a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-GeoRedundantBackupStorageDurabilityTargets.yaml
@@ -0,0 +1,23 @@
+name: aprl-GeoRedundantBackupStorageDurabilityTargets
+title: Configure geo redundant backup storage
+description: |-
+ Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.
+source:
+ type: aprl
+ file: azure-resources/DBforMySQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforMySQL/flexibleServers
+severity: 0
+labels:
+ guid: 5c96afc3-7d2e-46ff-a4c7-9c32850c441b
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for MySQL instances that do not have geo redundant backup storage enabled
+ resources
+ | where type =~ "microsoft.dbformysql/flexibleservers"
+ | where properties.backup.geoRedundantBackup != "Enabled"
+ | project recommendationId = "5c96afc3-7d2e-46ff-a4c7-9c32850c441b", name, id, tags, param1 = strcat("geoRedundantBackup:", properties['backup']['geoRedundantBackup'])
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-StorageAutoGrowServer.yaml b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-StorageAutoGrowServer.yaml
new file mode 100644
index 000000000..52ca96b3c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-flexibleServers/aprl-StorageAutoGrowServer.yaml
@@ -0,0 +1,23 @@
+name: aprl-StorageAutoGrowServer
+title: Configure storage auto-grow
+description: |-
+ Configure storage auto-grow to prevent the server from running out of storage and becoming read-only.
+source:
+ type: aprl
+ file: azure-resources/DBforMySQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforMySQL/flexibleServers
+severity: 0
+labels:
+ guid: 8176a79d-8645-4e52-96be-a10fc0204fe5
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for MySQL instances that do not have a storage auto-grow
+ resources
+ | where type =~ "microsoft.dbformysql/flexibleservers"
+ | where properties.storage.autoGrow != "Enabled"
+ | project recommendationId = "8176a79d-8645-4e52-96be-a10fc0204fe5", name, id, tags, param1 = strcat("autoGrow:", properties['storage']['autoGrow'])
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-CrossRegionDrScenariosLeverageData.yaml b/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-CrossRegionDrScenariosLeverageData.yaml
new file mode 100644
index 000000000..48838c882
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-CrossRegionDrScenariosLeverageData.yaml
@@ -0,0 +1,15 @@
+name: revcl-CrossRegionDrScenariosLeverageData
+title: Leverage Data-in replication for cross-region DR scenarios
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.dbformysql/servers
+waf: Reliability
+severity: 1
+labels:
+ guid: 1e944a45-9c37-43e7-bd61-623b365a917e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-LeverageAvailabilityZones-1-2-3.yaml b/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-LeverageAvailabilityZones-1-2-3.yaml
new file mode 100644
index 000000000..606238d91
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-LeverageAvailabilityZones-1-2-3.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageAvailabilityZones-1-2-3
+title: Leverage Availability Zones where regionally applicable
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.dbformysql/servers
+waf: Reliability
+severity: 0
+labels:
+ guid: de3aad1e-8c38-4ec9-9666-7313c005674b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-LeverageFlexibleServer.yaml b/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-LeverageFlexibleServer.yaml
new file mode 100644
index 000000000..cc36c9eb1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforMySQL-servers/Reliability/revcl-LeverageFlexibleServer.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageFlexibleServer
+title: Leverage Flexible Server
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.dbformysql/servers
+waf: Reliability
+severity: 1
+labels:
+ guid: 388c3e25-e800-4ad2-9df3-f3d6ae1050b7
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/mysql/flexible-server/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-CustomMaintenanceScheduleFlexibleServerInstances-1.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-CustomMaintenanceScheduleFlexibleServerInstances-1.yaml
new file mode 100644
index 000000000..6f68e44bf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-CustomMaintenanceScheduleFlexibleServerInstances-1.yaml
@@ -0,0 +1,23 @@
+name: aprl-CustomMaintenanceScheduleFlexibleServerInstances-1
+title: Enable custom maintenance schedule
+description: |-
+ Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.
+source:
+ type: aprl
+ file: azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforPostgreSQL/flexibleServers
+severity: 0
+labels:
+ guid: b2bad57d-7e03-4c0f-9024-597c9eb295bb
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for PostgreSQL instances that do not have a custom maintenance window
+ resources
+ | where type == "microsoft.dbforpostgresql/flexibleservers"
+ | where properties.maintenanceWindow.customWindow != "Enabled"
+ | project recommendationId = "b2bad57d-7e03-4c0f-9024-597c9eb295bb", name, id, tags, param1 = strcat("customWindow:", properties['maintenanceWindow']['customWindow'])
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-DurabilityTargetsReadReplicas-1.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-DurabilityTargetsReadReplicas-1.yaml
new file mode 100644
index 000000000..b589059b2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-DurabilityTargetsReadReplicas-1.yaml
@@ -0,0 +1,23 @@
+name: aprl-DurabilityTargetsReadReplicas-1
+title: Configure one or more read replicas
+description: |-
+ Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.
+source:
+ type: aprl
+ file: azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforPostgreSQL/flexibleServers
+severity: 0
+labels:
+ guid: 2ab85a67-26be-4ed2-a0bb-101b2513ec63
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for PostgreSQL instances that are read replicas
+ resources
+ | where type == "microsoft.dbforpostgresql/flexibleservers"
+ | where properties.replicationRole == "AsyncReplica"
+ | project recommendationId = "2ab85a67-26be-4ed2-a0bb-101b2513ec63", name, id, tags, param1 = strcat("replicationRole:", properties['replicationRole'])
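Review bot: The query appears inverted relative to the recommendation: `| where properties.replicationRole == "AsyncReplica"` returns servers that already are read replicas, so the "configure one or more read replicas" finding is raised on the replicas themselves and never on a standalone primary. The MySQL counterpart in this change uses `| where properties.replicationRole == "None"` to find servers without replication, and the `// Find Database for PostgreSQL instances that are read replicas` comment confirms the PostgreSQL version selects the opposite set; presumably it should match the MySQL form unless the upstream APRL entry deliberately targets replicas. Since the file is generated from APRL, the correction belongs upstream rather than by hand-editing this YAML.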
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-FlexibleServerInstancesAutomaticFailoverCapability-1.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-FlexibleServerInstancesAutomaticFailoverCapability-1.yaml
new file mode 100644
index 000000000..6b1b33f7a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-FlexibleServerInstancesAutomaticFailoverCapability-1.yaml
@@ -0,0 +1,23 @@
+name: aprl-FlexibleServerInstancesAutomaticFailoverCapability-1
+title: Enable HA with zone redundancy
+description: |-
+ Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.
+source:
+ type: aprl
+ file: azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforPostgreSQL/flexibleServers
+severity: 0
+labels:
+ guid: ca87914f-aac4-4783-ab67-82a6f936f194
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for PostgreSQL instances that are not zone redundant
+ resources
+ | where type == "microsoft.dbforpostgresql/flexibleservers"
+ | where properties.highAvailability.mode != "ZoneRedundant"
+ | project recommendationId = "ca87914f-aac4-4783-ab67-82a6f936f194", name, id, tags, param1 = "ZoneRedundant: False"
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-GeoRedundantBackupStorageDurabilityTargets-1.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-GeoRedundantBackupStorageDurabilityTargets-1.yaml
new file mode 100644
index 000000000..9db17ae4f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-GeoRedundantBackupStorageDurabilityTargets-1.yaml
@@ -0,0 +1,23 @@
+name: aprl-GeoRedundantBackupStorageDurabilityTargets-1
+title: Configure geo redundant backup storage
+description: |-
+ Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.
+source:
+ type: aprl
+ file: azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforPostgreSQL/flexibleServers
+severity: 0
+labels:
+ guid: 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find Database for PostgreSQL instances that do not have geo redundant backup storage configured
+ resources
+ | where type == "microsoft.dbforpostgresql/flexibleservers"
+ | where properties.backup.geoRedundantBackup != "Enabled"
+ | project recommendationId = "31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3", name, id, tags, param1 = strcat("geoRedundantBackup:", properties['backup']['geoRedundantBackup'])
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-StorageAutoGrowServer-1.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-StorageAutoGrowServer-1.yaml
new file mode 100644
index 000000000..d03fd9de5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-flexibleServers/aprl-StorageAutoGrowServer-1.yaml
@@ -0,0 +1,18 @@
+name: aprl-StorageAutoGrowServer-1
+title: Configure storage auto-grow
+description: |-
+ Configure storage auto-grow to prevent the server from running out of storage and becoming read-only.
+source:
+ type: aprl
+ file: azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DBforPostgreSQL/flexibleServers
+severity: 0
+labels:
+ guid: 6293a3cc-6b4a-4c0f-9ea7-b8ae8d7dd3d5
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
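Review bot: `queries.arg` on the `// cannot-be-validated-with-arg` line holds a KQL block that is only a comment, so any consumer that submits `queries.arg` to Azure Resource Graph whenever the key is present will send an effectively empty query and fail, and it cannot tell this placeholder from a real query without string-matching the comment text. The revcl-* files in this diff use `queries: {}` for the no-query case; emitting the same (or omitting `arg`) when the upstream query is only a marker comment would make the two sources consistent. The Databricks aprl-* files with `// under-development` have the same issue, and they use `arg: |` where this file uses `arg: |-`, so otherwise identical placeholders differ in their trailing newline.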
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageAvailabilityZones-1-2-3-4.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageAvailabilityZones-1-2-3-4.yaml
new file mode 100644
index 000000000..b37252089
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageAvailabilityZones-1-2-3-4.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageAvailabilityZones-1-2-3-4
+title: Leverage Availability Zones where regionally applicable
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.dbforpostgresql/servers
+waf: Reliability
+severity: 0
+labels:
+ guid: 016ccf31-ae5a-41eb-9888-9535e227896d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageCrossRegionReplicas.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageCrossRegionReplicas.yaml
new file mode 100644
index 000000000..036ca42c3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageCrossRegionReplicas.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageCrossRegionReplicas
+title: Leverage cross-region read replicas for BCDR
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.dbforpostgresql/servers
+waf: Reliability
+severity: 1
+labels:
+ guid: 31b67c67-be59-4519-8083-845d587cb391
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageFlexibleServer-1.yaml b/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageFlexibleServer-1.yaml
new file mode 100644
index 000000000..a31827a87
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDBforPostgreSQL-servers/Reliability/revcl-LeverageFlexibleServer-1.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageFlexibleServer-1
+title: Leverage Flexible Server
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.dbforpostgresql/servers
+waf: Reliability
+severity: 1
+labels:
+ guid: 65285269-441c-44bf-9d3e-0844276d4bdc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/postgresql/flexible-server/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-AdfPipelinesKeyVault.yaml b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-AdfPipelinesKeyVault.yaml
new file mode 100644
index 000000000..9f0747986
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-AdfPipelinesKeyVault.yaml
@@ -0,0 +1,18 @@
+name: revcl-AdfPipelinesKeyVault
+title: If using Keyvault integration, use SLA of Keyvault to understand your availablity
+description: If your ADF Pipelines use Key Vault you don't have to do anything to
+ replicate Key Vault. Key Vault is a managed service and Microsoft takes care of
+ it for you
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.datafactory/datafactories
+waf: Reliability
+severity: 2
+labels:
+ guid: 25498f6d-bad3-47da-a43b-c6ce1d7aa9b2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-GithubAzureDevopsIntegrationArmTemplates.yaml b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-GithubAzureDevopsIntegrationArmTemplates.yaml
new file mode 100644
index 000000000..1033accfe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-GithubAzureDevopsIntegrationArmTemplates.yaml
@@ -0,0 +1,15 @@
+name: revcl-GithubAzureDevopsIntegrationArmTemplates
+title: 'Use DevOps to Backup the ARM templates with Github/Azure DevOps integration '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.datafactory/datafactories
+waf: Reliability
+severity: 1
+labels:
+ guid: 9ef1d6e8-32e5-42e3-911c-818b1a0bc511
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-factory/source-control
+queries: {}
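Review bot: The title on the `title: 'Use DevOps to Backup the ARM templates with Github/Azure DevOps integration '` line carries a trailing space, which is why the emitter had to quote it; revcl-SelfHostedIntegrationRuntimeVmsRegion.yaml in this diff shows the same (`region '`). Applying `.strip()` to the checklist title before it is written would avoid quoted/unquoted drift between files that differ only in whitespace and would keep the value stable as a display string. The text itself is inherited from the checklist, so only the whitespace handling is in scope here.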
diff --git a/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-LeverageFtaResiliencyPlaybookAzureDataFactory.yaml b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-LeverageFtaResiliencyPlaybookAzureDataFactory.yaml
new file mode 100644
index 000000000..05ea9c83f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-LeverageFtaResiliencyPlaybookAzureDataFactory.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageFtaResiliencyPlaybookAzureDataFactory
+title: Leverage FTA Resiliency Playbook for Azure Data Factory
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.datafactory/datafactories
+waf: Reliability
+severity: 1
+labels:
+ guid: ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e
+links:
+- type: docs
+ url: https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-SelfHostedIntegrationRuntimeVmsRegion.yaml b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-SelfHostedIntegrationRuntimeVmsRegion.yaml
new file mode 100644
index 000000000..74d99b0d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-SelfHostedIntegrationRuntimeVmsRegion.yaml
@@ -0,0 +1,16 @@
+name: revcl-SelfHostedIntegrationRuntimeVmsRegion
+title: 'Make sure you replicate the Self-Hosted Integration Runtime VMs in another
+ region '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.datafactory/datafactories
+waf: Reliability
+severity: 1
+labels:
+ guid: e43a18a9-cd29-49cf-b7b1-7db8255562f2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-SisterRegionNetwork.yaml b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-SisterRegionNetwork.yaml
new file mode 100644
index 000000000..f503f3214
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-SisterRegionNetwork.yaml
@@ -0,0 +1,16 @@
+name: revcl-SisterRegionNetwork
+title: Make sure you replicate or duplicate your network in the sister region. You
+ have to make a copy of your Vnet in another region
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.datafactory/datafactories
+waf: Reliability
+severity: 1
+labels:
+ guid: aee4563a-fd83-4393-98b2-62d6dc5f512a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-ZoneRedundantPipelinesAvailabilityZones.yaml b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-ZoneRedundantPipelinesAvailabilityZones.yaml
new file mode 100644
index 000000000..194a52993
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDataFactory-datafactories/Reliability/revcl-ZoneRedundantPipelinesAvailabilityZones.yaml
@@ -0,0 +1,15 @@
+name: revcl-ZoneRedundantPipelinesAvailabilityZones
+title: Use zone redundant pipelines in regions that support Availability Zones
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.datafactory/datafactories
+waf: Reliability
+severity: 0
+labels:
+ guid: e503547c-d447-4e82-9138-a7200f1cac6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/Cost/revcl-SpotVmsFallback.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/Cost/revcl-SpotVmsFallback.yaml
new file mode 100644
index 000000000..c1cc29abb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/Cost/revcl-SpotVmsFallback.yaml
@@ -0,0 +1,16 @@
+name: revcl-SpotVmsFallback
+title: Consider using Spot VMs with fallback where possible. Consider autotermination
+ of clusters.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.databricks/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: cd463cbb-bc8a-4c29-aebc-91a43da1dae2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AdbWorkspaceLimitsSeparateSubscriptions.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AdbWorkspaceLimitsSeparateSubscriptions.yaml
new file mode 100644
index 000000000..3eb6426ba
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AdbWorkspaceLimitsSeparateSubscriptions.yaml
@@ -0,0 +1,18 @@
+name: aprl-AdbWorkspaceLimitsSeparateSubscriptions
+title: Deploy workspaces in separate Subscriptions
+description: |-
+ Customers often naturally divide workspaces by teams or departments. However, it's crucial to also consider Azure Subscription and ADB Workspace limits when partitioning.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 397cdebb-9d6e-ab4f-83a1-8c481de0a3a7
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ApacheSparkUdfsProductionGradeModel.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ApacheSparkUdfsProductionGradeModel.yaml
new file mode 100644
index 000000000..44f203f4f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ApacheSparkUdfsProductionGradeModel.yaml
@@ -0,0 +1,18 @@
+name: aprl-ApacheSparkUdfsProductionGradeModel
+title: Use a scalable and production-grade model serving infrastructure
+description: |-
+ Use Databricks and MLflow for deploying models as Apache Spark UDFs, benefiting from job scheduling, retries, autoscaling, etc.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 4cbb7744-ff3d-0447-badb-baf068c95696
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AutomaticJobTerminationUserDefinedLocalProcesses.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AutomaticJobTerminationUserDefinedLocalProcesses.yaml
new file mode 100644
index 000000000..7f8676641
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AutomaticJobTerminationUserDefinedLocalProcesses.yaml
@@ -0,0 +1,19 @@
+name: aprl-AutomaticJobTerminationUserDefinedLocalProcesses
+title: Automatic Job Termination is enabled, ensure there are no user-defined local
+ processes
+description: |-
+ To conserve cluster resources, you can terminate a cluster to store its configuration for future reuse or autostart jobs. Clusters can auto-terminate after inactivity, but this only tracks Spark jobs, not local processes, which might still be running even after Spark jobs end.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: 3d3e53b5-ebd1-db42-b43b-d4fad74824ec
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AutomaticRetriesSparkUdfs.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AutomaticRetriesSparkUdfs.yaml
new file mode 100644
index 000000000..7b5e88035
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AutomaticRetriesSparkUdfs.yaml
@@ -0,0 +1,18 @@
+name: aprl-AutomaticRetriesSparkUdfs
+title: Configure jobs for automatic retries and termination
+description: |-
+ Use Databricks and MLflow for deploying models as Spark UDFs for job scheduling, retries, autoscaling. Model serving offers scalable infrastructure, processes models using MLflow, and serves them via REST API using serverless compute managed in Databricks cloud.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 84e44da6-8cd7-b349-b02c-c8bf72cf587c
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AzureDatabricksWorkspaceDataAvailabilityConcerns.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AzureDatabricksWorkspaceDataAvailabilityConcerns.yaml
new file mode 100644
index 000000000..e2ef55593
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-AzureDatabricksWorkspaceDataAvailabilityConcerns.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureDatabricksWorkspaceDataAvailabilityConcerns
+title: Do not Store any Production Data in Default DBFS Folders
+description: |-
+ Driven by security and data availability concerns, each Azure Databricks Workspace comes with a default DBFS designed for system-level artifacts like libraries and Init scripts, not for production data.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 14310ba6-77ad-3641-a2db-57a2218b9bc7
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-CriticalProductionWorkloadsAzureSpotVms.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-CriticalProductionWorkloadsAzureSpotVms.yaml
new file mode 100644
index 000000000..92a7d85ff
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-CriticalProductionWorkloadsAzureSpotVms.yaml
@@ -0,0 +1,18 @@
+name: aprl-CriticalProductionWorkloadsAzureSpotVms
+title: Do not use Azure Spot VMs for critical Production workloads
+description: |-
+ Azure Spot VMs are not suitable for critical production workloads needing high availability and reliability. They are meant for fault-tolerant tasks and can be evicted with 30-seconds notice if Azure needs the capacity, with no SLA guarantees.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: b5af7e26-3939-1b48-8fba-f8d4a475c67a
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-CurrentControlPlaneRegionRegionControlPlane.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-CurrentControlPlaneRegionRegionControlPlane.yaml
new file mode 100644
index 000000000..1e704ad6e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-CurrentControlPlaneRegionRegionControlPlane.yaml
@@ -0,0 +1,18 @@
+name: aprl-CurrentControlPlaneRegionRegionControlPlane
+title: Evaluate regional isolation for workspaces
+description: |-
+ Move workspaces to in-region control plane for increased regional isolation. Identify current control plane region using the workspace URL and nslookup. When region from CNAME differs from workspace region and an in-region control is available, consider migration using tools provided below.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 8aa63c34-dd9d-49bd-9582-21ec310dfbdd
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DatabricksAutoLoaderDeltaLiveTables.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DatabricksAutoLoaderDeltaLiveTables.yaml
new file mode 100644
index 000000000..984350945
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DatabricksAutoLoaderDeltaLiveTables.yaml
@@ -0,0 +1,19 @@
+name: aprl-DatabricksAutoLoaderDeltaLiveTables
+title: Automatically rescue invalid or nonconforming data with Databricks Auto Loader
+ or Delta Live Tables
+description: |-
+ Invalid or nonconforming data can crash workloads dependent on specific data formats. Best practices recommend filtering such data at ingestion to improve end-to-end resilience, ensuring no data is lost or missed.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 2
+labels:
+ guid: 7e52d64d-8cc0-8548-a593-eb49ab45630d
+ area: Business Continuity
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaLiveTablesDataProcessingLatency.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaLiveTablesDataProcessingLatency.yaml
new file mode 100644
index 000000000..85e229020
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaLiveTablesDataProcessingLatency.yaml
@@ -0,0 +1,18 @@
+name: aprl-DeltaLiveTablesDataProcessingLatency
+title: Use Delta Live Tables enhanced autoscaling
+description: |-
+ Databricks enhanced autoscaling optimizes cluster utilization by automatically allocating cluster resources based on workload volume, with minimal impact on the data processing latency of your pipelines.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: cd77db98-9b13-6e4b-bd2b-74c2cb538628
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaLiveTablesDeltaTables.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaLiveTablesDeltaTables.yaml
new file mode 100644
index 000000000..26e1c7689
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaLiveTablesDeltaTables.yaml
@@ -0,0 +1,18 @@
+name: aprl-DeltaLiveTablesDeltaTables
+title: Use constraints and data expectations
+description: |-
+ Delta tables verify data quality automatically with SQL constraints, triggering an error for violations. Delta Live Tables enhance this by defining expectations for data quality, utilizing Python or SQL, to manage actions for record failures, ensuring data integrity and compliance.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 2
+labels:
+ guid: a42297c4-7e4f-8b41-8d4b-114033263f0e
+ area: Business Continuity
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaTimeTravelThoroughTesting.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaTimeTravelThoroughTesting.yaml
new file mode 100644
index 000000000..9b8e74b5a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DeltaTimeTravelThoroughTesting.yaml
@@ -0,0 +1,18 @@
+name: aprl-DeltaTimeTravelThoroughTesting
+title: Recover ETL jobs based on Delta time travel
+description: |-
+ Despite thorough testing, a production job can fail or yield unexpected data. Sometimes, repairs are done by adding jobs post-issue identification and pipeline correction.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: a18d60f8-c98c-ba4e-ad6e-2fac72879df1
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DisasterRecoveryPatternDataTeamsAccess.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DisasterRecoveryPatternDataTeamsAccess.yaml
new file mode 100644
index 000000000..958350df9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-DisasterRecoveryPatternDataTeamsAccess.yaml
@@ -0,0 +1,20 @@
+name: aprl-DisasterRecoveryPatternDataTeamsAccess
+title: Configure a disaster recovery pattern
+description: |-
+ Implementing a disaster recovery pattern is vital for Azure Databricks, ensuring data teams' access even during rare regional outages.
+
+ It is important to note that the Azure Databricks service is not entirely zone redudant and does support zonal failover.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 4fdb7112-4531-6f48-b60e-c917a6068d9b
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
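Review bot: The description on the `It is important to note that the Azure Databricks service is not entirely zone redudant and does support zonal failover.` line misspells "redundant" as "redudant", and the clause reads as if a "not" was dropped, since a service described as not zone redundant would usually be described as not supporting zonal failover. This text is copied from the upstream recommendations file, so the correction belongs there followed by a regeneration, but the intended meaning should be confirmed before the sentence is shown to users as reliability guidance.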
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-EfficientErrorRecoveryDatabricksWorkflows.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-EfficientErrorRecoveryDatabricksWorkflows.yaml
new file mode 100644
index 000000000..87af5b01d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-EfficientErrorRecoveryDatabricksWorkflows.yaml
@@ -0,0 +1,18 @@
+name: aprl-EfficientErrorRecoveryDatabricksWorkflows
+title: Use Databricks Workflows and built-in recovery
+description: |-
+ Databricks Workflows enable efficient error recovery in multi-task jobs by offering a matrix view for issue examination. Fixes can be applied to initiate repair runs targeting only failed and dependent tasks, preserving successful outcomes and thereby saving time and money.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 2
+labels:
+ guid: c0e22580-3819-444d-8546-a80e4ed85c83
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LatestXVersionDatabricksRuntimeVersion.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LatestXVersionDatabricksRuntimeVersion.yaml
new file mode 100644
index 000000000..dcf5f19f1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LatestXVersionDatabricksRuntimeVersion.yaml
@@ -0,0 +1,18 @@
+name: aprl-LatestXVersionDatabricksRuntimeVersion
+title: Databricks runtime version is not latest or is not LTS version
+description: |-
+ Databricks recommends migrating workloads to the latest or LTS version of its runtime for enhanced stability and support. If on Runtime 11.3 LTS or above, move directly to the latest 12.x version. If below, first migrate to 11.3 LTS, then to the latest 12.x version as per the migration guide.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: 0e835cc2-2551-a247-b1f1-3c5f25c9cb70
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LayeredStorageArchitectureLayeredArchitecture.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LayeredStorageArchitectureLayeredArchitecture.yaml
new file mode 100644
index 000000000..a40b3b330
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LayeredStorageArchitectureLayeredArchitecture.yaml
@@ -0,0 +1,18 @@
+name: aprl-LayeredStorageArchitectureLayeredArchitecture
+title: Use a layered storage architecture
+description: |-
+ Curate data by creating a layered architecture to increase data quality across layers. Start with a raw layer for ingested source data, continue with a curated layer for cleansed and refined data, and finish with a final layer catered to business needs, focusing on security and performance.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: 1b0d0893-bf0e-8f4c-9dc6-f18f145c1ecf
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LoggingClusterLogDeliveryLogDeliveryLocation.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LoggingClusterLogDeliveryLogDeliveryLocation.yaml
new file mode 100644
index 000000000..631297259
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-LoggingClusterLogDeliveryLogDeliveryLocation.yaml
@@ -0,0 +1,18 @@
+name: aprl-LoggingClusterLogDeliveryLogDeliveryLocation
+title: Enable Logging-Cluster log delivery
+description: |-
+ When creating a Databricks cluster, you can set a log delivery location for the Spark driver, worker nodes, and events. Logs are delivered every 5 mins and archived hourly. Upon cluster termination, all generated logs until that point are guaranteed to be delivered.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: 7fb90127-5364-bb4d-86fa-30778ed713fb
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ManyUseCasesDeltaLiveTables.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ManyUseCasesDeltaLiveTables.yaml
new file mode 100644
index 000000000..e87c3c4b8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ManyUseCasesDeltaLiveTables.yaml
@@ -0,0 +1,18 @@
+name: aprl-ManyUseCasesDeltaLiveTables
+title: Enable autoscaling for batch workloads
+description: |-
+ Autoscaling adjusts cluster sizes automatically based on workload demands, offering benefits for many use cases in terms of costs and performance. It includes guidance on when and how to best utilize Autoscaling. For streaming, Delta Live Tables with autoscaling is advised.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 5c72f0d6-55ec-d941-be84-36c194fa78c0
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-OneDatabricksWorkspaceIsolationModel.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-OneDatabricksWorkspaceIsolationModel.yaml
new file mode 100644
index 000000000..ca2256794
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-OneDatabricksWorkspaceIsolationModel.yaml
@@ -0,0 +1,18 @@
+name: aprl-OneDatabricksWorkspaceIsolationModel
+title: Isolate each workspace in its own Vnet
+description: |-
+ Deploying only one Databricks Workspace per VNet aligns with ADB's isolation model.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 5e722c4f-415a-9b4c-bd4c-96b74dce29ad
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-OpenSourceStorageFormatScalableMetadataHandling.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-OpenSourceStorageFormatScalableMetadataHandling.yaml
new file mode 100644
index 000000000..7caf166c9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-OpenSourceStorageFormatScalableMetadataHandling.yaml
@@ -0,0 +1,18 @@
+name: aprl-OpenSourceStorageFormatScalableMetadataHandling
+title: Use Delta Lake for higher reliability
+description: |-
+ Delta Lake is an open source storage format enhancing data lakes' reliability with ACID transactions, schema enforcement, and scalable metadata handling.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: da4ea916-4df3-8c4d-8060-17b49da45977
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-PreProvisionVmsProvisioningErrors.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-PreProvisionVmsProvisioningErrors.yaml
new file mode 100644
index 000000000..67345760b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-PreProvisionVmsProvisioningErrors.yaml
@@ -0,0 +1,18 @@
+name: aprl-PreProvisionVmsProvisioningErrors
+title: Use Databricks Pools
+description: |-
+ Databricks pools pre-provision VMs, reducing risks of provisioning errors during cluster start or scale, enhancing reliability.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: c166602e-0804-e34b-be8f-09b4d56e1fcd
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ProblematicOperationalDataSilosLakehouseDataQuality.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ProblematicOperationalDataSilosLakehouseDataQuality.yaml
new file mode 100644
index 000000000..b8b84dac2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ProblematicOperationalDataSilosLakehouseDataQuality.yaml
@@ -0,0 +1,18 @@
+name: aprl-ProblematicOperationalDataSilosLakehouseDataQuality
+title: Improve data integrity by reducing data redundancy
+description: |-
+ Copying data leads to redundancy, lost integrity, lineage, and access issues, affecting lakehouse data quality. Temporary copies are useful for agility and innovation but can become problematic operational data silos, questioning data's master status and currency.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 2
+labels:
+ guid: e93fe702-e385-d741-ba37-1f1656482ecd
+ area: Business Continuity
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ResilientDistributedDataProcessingUsePhotonAcceleration.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ResilientDistributedDataProcessingUsePhotonAcceleration.yaml
new file mode 100644
index 000000000..dd4b5ddf0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-ResilientDistributedDataProcessingUsePhotonAcceleration.yaml
@@ -0,0 +1,18 @@
+name: aprl-ResilientDistributedDataProcessingUsePhotonAcceleration
+title: Use Photon Acceleration
+description: |-
+ Apache Spark in Databricks Lakehouse ensures resilient distributed data processing by automatically rescheduling failed tasks, aiding in overcoming external issues like network problems or revoked VMs.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 2
+labels:
+ guid: 892ca809-e2b5-9a47-924a-71132bf6f902
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-SqlWarehouseScalingParameter.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-SqlWarehouseScalingParameter.yaml
new file mode 100644
index 000000000..1bf1663f4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-SqlWarehouseScalingParameter.yaml
@@ -0,0 +1,18 @@
+name: aprl-SqlWarehouseScalingParameter
+title: Enable autoscaling for SQL warehouse
+description: |-
+ The scaling parameter of a SQL warehouse defines the min and max number of clusters for distributing queries. By default, it's set to one. Increasing the cluster count can accommodate more concurrent users effectively.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 362ad2b6-b92c-414f-980a-0cf69467ccce
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-StandardSsdsBalanceCostWorkerVmType.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-StandardSsdsBalanceCostWorkerVmType.yaml
new file mode 100644
index 000000000..d6a5ff445
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-StandardSsdsBalanceCostWorkerVmType.yaml
@@ -0,0 +1,18 @@
+name: aprl-StandardSsdsBalanceCostWorkerVmType
+title: Use SSD backed VMs for Worker VM Type and Driver type
+description: |-
+ Upgrade HDDs in premium VMs to SSDs for better speed and reliability. Premium SSDs boost IO-heavy apps; Standard SSDs balance cost and performance. Ideal for critical workloads, upgrading improves connectivity with brief reboot. Consider for vital VMs
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: 5877a510-8444-7a4c-8412-a8dab8662f7e
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-StructuredStreamingQueryFailuresAzureDatabricksWorkflows.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-StructuredStreamingQueryFailuresAzureDatabricksWorkflows.yaml
new file mode 100644
index 000000000..5741408ae
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-StructuredStreamingQueryFailuresAzureDatabricksWorkflows.yaml
@@ -0,0 +1,18 @@
+name: aprl-StructuredStreamingQueryFailuresAzureDatabricksWorkflows
+title: Recover from Structured Streaming query failures
+description: |-
+ Structured Streaming ensures fault-tolerance and data consistency in streaming queries. With Azure Databricks workflows, you can set up your queries to automatically restart after failure, picking up precisely where they left off.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 12e9d852-5cdc-2743-bffe-ee21f2ef7781
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksLabsProjectDatabricksCliApi.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksLabsProjectDatabricksCliApi.yaml
new file mode 100644
index 000000000..3fe2fab4d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksLabsProjectDatabricksCliApi.yaml
@@ -0,0 +1,18 @@
+name: aprl-TheDatabricksLabsProjectDatabricksCliApi
+title: Create regular backups
+description: |-
+ To recover from a failure, regular backups are needed. The Databricks Labs project migrate lets admins create backups by exporting workspace assets using the Databricks CLI/API. These backups help in restoring or migrating workspaces.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 2
+labels:
+ guid: 932d45d6-b46d-e341-abfb-d97bce832f1f
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces-1.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces-1.yaml
new file mode 100644
index 000000000..d0cd20e85
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces-1.yaml
@@ -0,0 +1,18 @@
+name: aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces-1
+title: Set up monitoring, alerting, and logging
+description: |-
+ The Databricks Terraform provider is a flexible, powerful tool for managing Azure Databricks workspaces and cloud infrastructure.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 20193ff9-dbcd-a74e-b197-71d7d9d3c1e6
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces.yaml
new file mode 100644
index 000000000..682cfd762
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces.yaml
@@ -0,0 +1,18 @@
+name: aprl-TheDatabricksTerraformProviderAzureDatabricksWorkspaces
+title: Automate deployments and workloads
+description: |-
+ The Databricks Terraform provider manages Azure Databricks workspaces and cloud infrastructure flexibly and powerfully.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 0
+labels:
+ guid: 42aedaa8-6151-424d-b782-b8666c779969
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-UncontrolledSchemaChangesInvalidData.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-UncontrolledSchemaChangesInvalidData.yaml
new file mode 100644
index 000000000..76e108935
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-UncontrolledSchemaChangesInvalidData.yaml
@@ -0,0 +1,18 @@
+name: aprl-UncontrolledSchemaChangesInvalidData
+title: Actively manage schemas
+description: |-
+ Uncontrolled schema changes can lead to invalid data and failing jobs. Databricks validates and enforces schema through Delta Lake, which prevents bad records during ingestion, and Auto Loader, which detects new columns and supports schema evolution to maintain data integrity.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: b7e1d13f-54c9-1648-8a52-34c0abe8ce16
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-VmSkuSwapStrategiesAlternateVmSkus.yaml b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-VmSkuSwapStrategiesAlternateVmSkus.yaml
new file mode 100644
index 000000000..9462b4e36
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDatabricks-workspaces/aprl-VmSkuSwapStrategiesAlternateVmSkus.yaml
@@ -0,0 +1,18 @@
+name: aprl-VmSkuSwapStrategiesAlternateVmSkus
+title: Define alternate VM SKUs
+description: |-
+ Azure Databricks planning should include VM SKU swap strategies for capacity issues. VMs are regional, and allocation failures may occur, shown by a "CLOUD PROVIDER" error.
+source:
+ type: aprl
+ file: azure-resources/Databricks/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Databricks/workspaces
+severity: 1
+labels:
+ guid: 028593be-956e-4736-bccf-074cb10b92f4
+ area: Personalized
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-EarlyIssueDetectionMultipleHostPools.yaml b/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-EarlyIssueDetectionMultipleHostPools.yaml
new file mode 100644
index 000000000..c12f564e2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-EarlyIssueDetectionMultipleHostPools.yaml
@@ -0,0 +1,18 @@
+name: aprl-EarlyIssueDetectionMultipleHostPools
+title: Create a validation host pool for testing of planned updates
+description: |-
+ Create a Validation Pool for early issue detection with planned AVD updates. Adjust limits based on needs. Scale by adding multiple host pools for more users. Regularly test updates on host pools. Validate changes before applying to main environment to avoid downtime.
+source:
+ type: aprl
+ file: azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DesktopVirtualization/hostPools
+severity: 1
+labels:
+ guid: 013ac34e-7c4b-425f-9e0c-216f0cc06181
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-HostPoolScheduledAgentUpdatesAzureVirtualDesktopAgent.yaml b/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-HostPoolScheduledAgentUpdatesAzureVirtualDesktopAgent.yaml
new file mode 100644
index 000000000..c937fe52d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-HostPoolScheduledAgentUpdatesAzureVirtualDesktopAgent.yaml
@@ -0,0 +1,23 @@
+name: aprl-HostPoolScheduledAgentUpdatesAzureVirtualDesktopAgent
+title: Configure host pool scheduled agent updates
+description: |-
+ Create maintenance schedules for AVD agent updates to avoid disruptions. Use Scheduled Agent Updates to set maintenance windows for updating Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent.
+source:
+ type: aprl
+ file: azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DesktopVirtualization/hostPools
+severity: 1
+labels:
+ guid: 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // This resource graph query will return all AVD host pools that does not have scheduled agent updates configured
+ resources
+ | where type =~ "Microsoft.DesktopVirtualization/hostpools"
+ | where isnull(properties.agentUpdate)
+ | project recommendationId = "979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7", name, id, tags, param1 = 'No scheduled agent updates'
diff --git a/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-UniqueOuHostPools.yaml b/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-UniqueOuHostPools.yaml
new file mode 100644
index 000000000..9cbe27544
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDesktopVirtualization-hostPools/aprl-UniqueOuHostPools.yaml
@@ -0,0 +1,19 @@
+name: aprl-UniqueOuHostPools
+title: Ensure a unique OU is used when deploying host pools with domain joined session
+ hosts
+description: |-
+ For optimized AVD configuration, place Hybrid VMs in unique OUs. Segregate Prod and DR units for environment-specific settings. This ensures targeted configurations for session hosts, including Fslogix, timeouts, and session controls.
+source:
+ type: aprl
+ file: azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DesktopVirtualization/hostPools
+severity: 1
+labels:
+ guid: 939cb85c-102a-4e0a-ab82-5c92116d3778
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDesktopVirtualization-scalingPlans/aprl-SecondaryScalingPlanScalingPlans.yaml b/v2/recos/Services/MicrosoftDesktopVirtualization-scalingPlans/aprl-SecondaryScalingPlanScalingPlans.yaml
new file mode 100644
index 000000000..cf055204f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDesktopVirtualization-scalingPlans/aprl-SecondaryScalingPlanScalingPlans.yaml
@@ -0,0 +1,18 @@
+name: aprl-SecondaryScalingPlanScalingPlans
+title: Scaling plans should be created per region and not scaled across regions
+description: |-
+ Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region.
+source:
+ type: aprl
+ file: azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DesktopVirtualization/scalingPlans
+severity: 1
+labels:
+ guid: 499769ae-67c9-492e-9ca5-cfd4cece5209
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-CorrespondingGeoPairedRegionAffectedRegion-1.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-CorrespondingGeoPairedRegionAffectedRegion-1.yaml
new file mode 100644
index 000000000..74eac229d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-CorrespondingGeoPairedRegionAffectedRegion-1.yaml
@@ -0,0 +1,17 @@
+name: revcl-CorrespondingGeoPairedRegionAffectedRegion-1
+title: Be aware of Microsoft-initiated failovers. These are exercised by Microsoft
+ in rare situations to fail over all the IoT hubs from an affected region to the
+ corresponding geo-paired region.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/iothubs
+waf: Reliability
+severity: 1
+labels:
+ guid: 35f651e8-0124-4ef7-8c57-658e38609e6e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3.yaml
new file mode 100644
index 000000000..32e20d3ae
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3.yaml
@@ -0,0 +1,15 @@
+name: revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3
+title: Consider a Cross-Region DR strategy for critical workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/iothubs
+waf: Reliability
+severity: 0
+labels:
+ guid: 4ed3e490-dc06-4a1e-b467-5d0239d85540
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-Failover.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-Failover.yaml
new file mode 100644
index 000000000..444eff6ba
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-Failover.yaml
@@ -0,0 +1,15 @@
+name: revcl-Failover
+title: Learn how to fail back after a failover.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/iothubs
+waf: Reliability
+severity: 0
+labels:
+ guid: f9db8dfb-1194-460b-aedd-34dd6a69db22
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-LeverageAvailabilityZones-1-2.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-LeverageAvailabilityZones-1-2.yaml
new file mode 100644
index 000000000..7bb980147
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-LeverageAvailabilityZones-1-2.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAvailabilityZones-1-2
+title: Leverage Availability Zones if regionally applicable (this is automatically
+ enabled)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/iothubs
+waf: Reliability
+severity: 0
+labels:
+ guid: ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-ManualFailover.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-ManualFailover.yaml
new file mode 100644
index 000000000..2094b3c61
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/Reliability/revcl-ManualFailover.yaml
@@ -0,0 +1,15 @@
+name: revcl-ManualFailover
+title: Learn how to trigger a manual failover.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/iothubs
+waf: Reliability
+severity: 0
+labels:
+ guid: a11ecab0-db47-46f7-9aa7-17764e7e45a1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-DisabledFallbackRouteDefaultRoute.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-DisabledFallbackRouteDefaultRoute.yaml
new file mode 100644
index 000000000..cf6c757f7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-DisabledFallbackRouteDefaultRoute.yaml
@@ -0,0 +1,24 @@
+name: aprl-DisabledFallbackRouteDefaultRoute
+title: Disabled Fallback Route
+description: |-
+ Using message routing for custom endpoints in IoT Hub, messages might not reach these destinations if specific conditions are unmet. A default route ensures all messages are received, but disabling this safety net risks leaving some messages undelivered.
+source:
+ type: aprl
+ file: azure-resources/Devices/iotHubs/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Devices/IotHubs
+severity: 2
+labels:
+ guid: e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // list all IoT Hubs that have the fallback route disabled
+ resources
+ | where type == "microsoft.devices/iothubs"
+ | extend fallbackEnabled=properties.routing.fallbackRoute.isEnabled
+ | where fallbackEnabled == false
+ | project recommendationId="e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e", name, id, tags, param1='FallbackRouteEnabled:false'
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-FailoverGuidelinesRegionalFailure.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-FailoverGuidelinesRegionalFailure.yaml
new file mode 100644
index 000000000..4208ee914
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-FailoverGuidelinesRegionalFailure.yaml
@@ -0,0 +1,18 @@
+name: aprl-FailoverGuidelinesRegionalFailure
+title: Define Failover Guidelines
+description: |-
+ In case of a regional failure, an IoT Hub can failover to a second region, automatically or manually, to ensure your application continues working.
+source:
+ type: aprl
+ file: azure-resources/Devices/iotHubs/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Devices/IotHubs
+severity: 0
+labels:
+ guid: 02568a5d-335e-4e51-9f7c-fe2ada977300
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-MissionCriticalWorkloadsFailoverRegionIotHub.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-MissionCriticalWorkloadsFailoverRegionIotHub.yaml
new file mode 100644
index 000000000..78ee6b39d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-MissionCriticalWorkloadsFailoverRegionIotHub.yaml
@@ -0,0 +1,18 @@
+name: aprl-MissionCriticalWorkloadsFailoverRegionIotHub
+title: Device Identities are exported to a secondary region
+description: |-
+ Device Identities should be copied to the failover region IoT-Hub for all IoT devices to ensure connectivity in case of a failover. Manual Failover to another region is quicker (RTO), suitable for mission critical workloads.
+source:
+ type: aprl
+ file: azure-resources/Devices/iotHubs/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Devices/IotHubs
+severity: 0
+labels:
+ guid: 783c6c18-760b-4867-9ced-3010a0bc5aa3
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-NecessaryServiceLevelAgreementIotHubTier.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-NecessaryServiceLevelAgreementIotHubTier.yaml
new file mode 100644
index 000000000..88abeafab
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-NecessaryServiceLevelAgreementIotHubTier.yaml
@@ -0,0 +1,23 @@
+name: aprl-NecessaryServiceLevelAgreementIotHubTier
+title: Do not use free tier
+description: |-
+ In a production scenario, the IoT Hub tier should not be Free because the Free tier does not provide the necessary Service Level Agreement.
+source:
+ type: aprl
+ file: azure-resources/Devices/iotHubs/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Devices/IotHubs
+severity: 0
+labels:
+ guid: eeba3a49-fef0-481f-a471-7ff01139b474
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // list all IoT Hubs that are using the Free tier
+ resources
+ | where type =~ "microsoft.devices/iothubs" and
+ tostring(sku.tier) =~ 'Free'
+ | project recommendationId="eeba3a49-fef0-481f-a471-7ff01139b474", name, id, tags, param1=strcat("tier:", tostring(sku.tier))
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-NewIotHubsUseAvailabilityZones.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-NewIotHubsUseAvailabilityZones.yaml
new file mode 100644
index 000000000..4809896d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-NewIotHubsUseAvailabilityZones.yaml
@@ -0,0 +1,18 @@
+name: aprl-NewIotHubsUseAvailabilityZones
+title: Use Availability Zones
+description: |-
+ In regions supporting Availability Zones for IoT Hub, using these zones boosts availability. They're automatically activated for new IoT Hubs in supported areas.
+source:
+ type: aprl
+ file: azure-resources/Devices/iotHubs/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Devices/IotHubs
+severity: 0
+labels:
+ guid: 214cbc46-747e-4354-af6e-6bf0054196a5
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-SpecificIotHubInstancesUseDeviceProvisioningService.yaml b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-SpecificIotHubInstancesUseDeviceProvisioningService.yaml
new file mode 100644
index 000000000..933235a20
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-IotHubs/aprl-SpecificIotHubInstancesUseDeviceProvisioningService.yaml
@@ -0,0 +1,30 @@
+name: aprl-SpecificIotHubInstancesUseDeviceProvisioningService
+title: Use Device Provisioning Service
+description: |-
+ Device Provisioning Service (DPS) enables easy redistribution of IoT devices for scaling and availability, allowing devices to be reassigned and not bound to specific IoT Hub instances. Devices in IoT Hubs using DPS should be verified for DPS utilization.
+source:
+ type: aprl
+ file: azure-resources/Devices/iotHubs/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Devices/IotHubs
+severity: 0
+labels:
+ guid: b1e1378d-4572-4414-bebd-b8872a6d4d1c
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // list all IoT Hubs that do not have a linked IoT Hub Device Provisioning Service (DPS)
+ resources
+ | where type =~ "microsoft.devices/iothubs"
+ | project id, iotHubName=tostring(properties.hostName), tags, resourceGroup
+ | join kind=fullouter (
+ resources
+ | where type == "microsoft.devices/provisioningservices"
+ | mv-expand iotHubs=properties.iotHubs
+ | project iotHubName = tostring(iotHubs.name), dpsName = name, name=iotHubs.name
+ ) on iotHubName
+ | where dpsName == ''
+ | project recommendationId="b1e1378d-4572-4414-bebd-b8872a6d4d1c", name=iotHubName, id, tags, param1='DPS:none'
diff --git a/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1-2.yaml b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1-2.yaml
new file mode 100644
index 000000000..88d5d0983
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1-2.yaml
@@ -0,0 +1,16 @@
+name: revcl-AppServiceEnvironmentIsolatedEnvironment-1-2
+title: If deploying to an Isolated environment, use or migrate to App Service Environment
+ (ASE) v3
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/deviceupdateservices
+waf: Reliability
+severity: 0
+labels:
+ guid: bd91245c-fe32-4e98-a085-794a40f4bfe1
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/environment/intro
+queries: {}
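Review bot: The recommendation content in this file does not match its `resourceTypes` entry: the title refers to App Service Environment v3 and the link points at App Service documentation, but it is filed under `microsoft.devices/deviceupdateservices`. A reader filtering the catalog by resource type would receive guidance for an unrelated service, which undermines trust in the reliability checks. The same mismatch appears in the sibling files `revcl-CrossRegionDrStrategyCriticalWorkloads-1-2.yaml` (Logic Apps BC/DR link), `MicrosoftDevices-provisioningServices/Operations/revcl-LeverageAzureDevopsLogicAppCode.yaml`, and the provisioningServices `Reliability` files `revcl-AppServiceEnvironmentIsolatedEnvironment-1.yaml`, `revcl-CrossRegionDrStrategyCriticalWorkloads-1.yaml`, `revcl-LogicAppsRegionFailures.yaml` and `revcl-RightLogicAppHostingPlanSloRequirements.yaml`, all of which carry Logic App or ASE guidance under Device Provisioning Service. Since `source.file` names `./checklists/waf_checklist.en.json` for all of them, the mis-mapping is presumably in that checklist's service assignment and should be corrected there before regenerating, rather than patched per file.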
diff --git a/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-CorrespondingGeoPairedRegionAffectedRegion.yaml b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-CorrespondingGeoPairedRegionAffectedRegion.yaml
new file mode 100644
index 000000000..3ab4bcbbd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-CorrespondingGeoPairedRegionAffectedRegion.yaml
@@ -0,0 +1,17 @@
+name: revcl-CorrespondingGeoPairedRegionAffectedRegion
+title: Be aware of Microsoft-initiated failovers. These are exercised by Microsoft
+ in rare situations to fail over all the DPS instances from an affected region to
+ the corresponding geo-paired region.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/deviceupdateservices
+waf: Reliability
+severity: 0
+labels:
+ guid: c0c273bd-00ad-419a-9f2f-fc72fb181e55
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2.yaml b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2.yaml
new file mode 100644
index 000000000..ea3fde60d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2.yaml
@@ -0,0 +1,15 @@
+name: revcl-CrossRegionDrStrategyCriticalWorkloads-1-2
+title: Consider a Cross-Region DR strategy for critical workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/deviceupdateservices
+waf: Reliability
+severity: 0
+labels:
+ guid: 3af8abe6-07eb-4287-b393-6c4abe3702eb
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-LeverageAvailabilityZones-1.yaml b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-LeverageAvailabilityZones-1.yaml
new file mode 100644
index 000000000..1cb1fb6d4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-deviceUpdateServices/Reliability/revcl-LeverageAvailabilityZones-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAvailabilityZones-1
+title: Leverage Availability Zones if regionally applicable (this is automatically
+ enabled).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/deviceupdateservices
+waf: Reliability
+severity: 0
+labels:
+ guid: 0e03f5ee-4648-423c-bb86-7239480f9171
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-provisioningServices/Operations/revcl-LeverageAzureDevopsLogicAppCode.yaml b/v2/recos/Services/MicrosoftDevices-provisioningServices/Operations/revcl-LeverageAzureDevopsLogicAppCode.yaml
new file mode 100644
index 000000000..77ca536b9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-provisioningServices/Operations/revcl-LeverageAzureDevopsLogicAppCode.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAzureDevopsLogicAppCode
+title: Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic
+ App code
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/provisioningservices
+waf: Operations
+severity: 1
+labels:
+ guid: 62711604-c9d1-4b0a-bdb7-5fda54a4f6c1
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1.yaml b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1.yaml
new file mode 100644
index 000000000..c2fc15fbe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-AppServiceEnvironmentIsolatedEnvironment-1
+title: If deploying to an Isolated environment, use or migrate to App Service Environment
+ (ASE) v3
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/provisioningservices
+waf: Reliability
+severity: 0
+labels:
+ guid: da0f033e-d180-4f36-9aa4-c468dba14203
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/environment/intro
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1.yaml b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1.yaml
new file mode 100644
index 000000000..f7421fc86
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1.yaml
@@ -0,0 +1,15 @@
+name: revcl-CrossRegionDrStrategyCriticalWorkloads-1
+title: Consider a Cross-Region DR strategy for critical workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/provisioningservices
+waf: Reliability
+severity: 0
+labels:
+ guid: 8aed4fbf-0830-4883-899d-222a154af478
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-LogicAppsRegionFailures.yaml b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-LogicAppsRegionFailures.yaml
new file mode 100644
index 000000000..fdaf2879f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-LogicAppsRegionFailures.yaml
@@ -0,0 +1,16 @@
+name: revcl-LogicAppsRegionFailures
+title: Protect logic apps from region failures with zone redundancy and availability
+ zones
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/provisioningservices
+waf: Reliability
+severity: 0
+labels:
+ guid: f6dd7977-1123-4f39-b488-f91415a8430a
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps
+queries: {}
diff --git a/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-RightLogicAppHostingPlanSloRequirements.yaml b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-RightLogicAppHostingPlanSloRequirements.yaml
new file mode 100644
index 000000000..e2d9cc205
--- /dev/null
+++ b/v2/recos/Services/MicrosoftDevices-provisioningServices/Reliability/revcl-RightLogicAppHostingPlanSloRequirements.yaml
@@ -0,0 +1,15 @@
+name: revcl-RightLogicAppHostingPlanSloRequirements
+title: Select the right Logic App hosting plan based on your business & SLO requirements
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.devices/provisioningservices
+waf: Reliability
+severity: 0
+labels:
+ guid: cb26b2ba-a9db-45d1-8260-d9c6ec1447d9
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare
+queries: {}
diff --git a/v2/recos/Services/MicrosoftEventGrid-topics/aprl-AzureEventGridResourcesDiagnosticSettings.yaml b/v2/recos/Services/MicrosoftEventGrid-topics/aprl-AzureEventGridResourcesDiagnosticSettings.yaml
new file mode 100644
index 000000000..099fc2113
--- /dev/null
+++ b/v2/recos/Services/MicrosoftEventGrid-topics/aprl-AzureEventGridResourcesDiagnosticSettings.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureEventGridResourcesDiagnosticSettings
+title: Configure Diagnostic Settings for all Azure Event Grid resources
+description: |-
+ Enabling diagnostic settings on Azure Event Grid resources like custom topics, system topics, and domains lets you capture and view diagnostic information to troubleshoot failures effectively.
+source:
+ type: aprl
+ file: azure-resources/EventGrid/topics/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.EventGrid/topics
+severity: 2
+labels:
+ guid: 54c3191b-b535-1946-bba9-b754f44060f6
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftEventGrid-topics/aprl-AzureEventGridTopicsPrivateLinkPrivateEndpoints.yaml b/v2/recos/Services/MicrosoftEventGrid-topics/aprl-AzureEventGridTopicsPrivateLinkPrivateEndpoints.yaml
new file mode 100644
index 000000000..0a480e900
--- /dev/null
+++ b/v2/recos/Services/MicrosoftEventGrid-topics/aprl-AzureEventGridTopicsPrivateLinkPrivateEndpoints.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureEventGridTopicsPrivateLinkPrivateEndpoints
+title: Azure Event Grid topics should use Private Link Private Endpoints
+description: |-
+ Use private endpoints for secure event ingress to custom topics/domains via a private link, avoiding the public internet. It employs an IP from the VNet space for your topic/domain.
+source:
+ type: aprl
+ file: azure-resources/EventGrid/topics/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.EventGrid/topics
+severity: 1
+labels:
+ guid: b2069f64-4741-3d4a-a71d-50c8b03f5ab7
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all eventgrid services not protected by private endpoints.
+ Resources
+ | where type contains "eventgrid"
+ | where properties['publicNetworkAccess'] == "Enabled"
+ | project recommendationId = "b2069f64-4741-3d4a-a71d-50c8b03f5ab7", name, id, tags
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftEventGrid-topics/aprl-SpecificTimeSeveralAttempts.yaml b/v2/recos/Services/MicrosoftEventGrid-topics/aprl-SpecificTimeSeveralAttempts.yaml
new file mode 100644
index 000000000..152be89af
--- /dev/null
+++ b/v2/recos/Services/MicrosoftEventGrid-topics/aprl-SpecificTimeSeveralAttempts.yaml
@@ -0,0 +1,18 @@
+name: aprl-SpecificTimeSeveralAttempts
+title: Configure Dead-letter to save events that cannot be delivered
+description: |-
+ Event Grid may not deliver an event within a specific time or after several attempts, leading to dead-lettering where undelivered events are sent to a storage account.
+source:
+ type: aprl
+ file: azure-resources/EventGrid/topics/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.EventGrid/topics
+severity: 2
+labels:
+ guid: 92162eb5-4323-3145-8a6c-525ce2f0700e
+ area: Personalized
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftInsights-activityLogAlerts/aprl-PersonalizedHealthViewServiceHealthAlerts.yaml b/v2/recos/Services/MicrosoftInsights-activityLogAlerts/aprl-PersonalizedHealthViewServiceHealthAlerts.yaml
new file mode 100644
index 000000000..d6692b6fb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-activityLogAlerts/aprl-PersonalizedHealthViewServiceHealthAlerts.yaml
@@ -0,0 +1,34 @@
+name: aprl-PersonalizedHealthViewServiceHealthAlerts
+title: Configure Service Health Alerts
+description: |-
+ Service health gives a personalized health view of Azure services and regions used, offering the best place for notifications on outages, planned maintenance, and health advisories by knowing the services used.
+source:
+ type: aprl
+ file: azure-resources/Insights/activityLogAlerts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Insights/activityLogAlerts
+severity: 0
+labels:
+ guid: 9729c89d-8118-41b4-a39b-e12468fa872b
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This resource graph query will return all subscriptions without Service Health alerts configured.
+
+ resourcecontainers
+ | where type == 'microsoft.resources/subscriptions'
+ | project subscriptionAlerts=tostring(id),name,tags
+ | join kind=leftouter (
+ resources
+ | where type == 'microsoft.insights/activitylogalerts' and properties.condition contains "ServiceHealth"
+ | extend subscriptions = properties.scopes
+ | project subscriptions
+ | mv-expand subscriptions
+ | project subscriptionAlerts = tostring(subscriptions)
+ ) on subscriptionAlerts
+ | where isempty(subscriptionAlerts1)
+ | project-away subscriptionAlerts1
+ | project recommendationId = "9729c89d-8118-41b4-a39b-e12468fa872b",id=subscriptionAlerts,name,tags
diff --git a/v2/recos/Services/MicrosoftInsights-activityLogAlerts/aprl-ResourceHealthAlertsHistoricalHealthStatus.yaml b/v2/recos/Services/MicrosoftInsights-activityLogAlerts/aprl-ResourceHealthAlertsHistoricalHealthStatus.yaml
new file mode 100644
index 000000000..5a36d8a18
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-activityLogAlerts/aprl-ResourceHealthAlertsHistoricalHealthStatus.yaml
@@ -0,0 +1,18 @@
+name: aprl-ResourceHealthAlertsHistoricalHealthStatus
+title: Configure Resource Health Alerts
+description: |-
+ Configure Resource Health Alerts for all applicable resources to stay informed about the current and historical health status of your Azure resources. They notify you when these resources have a change in their health status.
+source:
+ type: aprl
+ file: azure-resources/Insights/activityLogAlerts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Insights/activityLogAlerts
+severity: 2
+labels:
+ guid: be448849-0d7d-49ba-9c94-9573ee533d5d
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-DataCollectionRulesAzureMonitor.yaml b/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-DataCollectionRulesAzureMonitor.yaml
new file mode 100644
index 000000000..6b13371c5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-DataCollectionRulesAzureMonitor.yaml
@@ -0,0 +1,17 @@
+name: revcl-DataCollectionRulesAzureMonitor
+title: Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Cost
+severity: 1
+labels:
+ guid: a95b86ad-8840-48e3-9273-4b875ba18f20
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models
+- type: docs
+ url: https://azure.microsoft.com/pricing/reservations/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-DifferentLogAnalyticsWorkspacesDifferentRetention.yaml b/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-DifferentLogAnalyticsWorkspacesDifferentRetention.yaml
new file mode 100644
index 000000000..c6b0d21c0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-DifferentLogAnalyticsWorkspacesDifferentRetention.yaml
@@ -0,0 +1,22 @@
+name: revcl-DifferentLogAnalyticsWorkspacesDifferentRetention
+title: 'Check spending and savings opportunities among the 40 different log analytics
+ workspaces- use different retention and data collection for nonprod workspaces-create
+ daily cap for awareness and tier sizing - If you do set a daily cap, in addition
+ to creating an alert when the cap is reached,ensure that you also create an alert
+ rule to be notified when some percentage has been reached (90% for example). - consider
+ workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Cost
+severity: 1
+labels:
+ guid: 674b5ed8-5a85-49c7-933b-e2a1a27b765a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-PurgingLogPolicyColdStorage.yaml b/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-PurgingLogPolicyColdStorage.yaml
new file mode 100644
index 000000000..320eaea74
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Cost/revcl-PurgingLogPolicyColdStorage.yaml
@@ -0,0 +1,18 @@
+name: revcl-PurgingLogPolicyColdStorage
+title: Enforce a purging log policy and automation (if needed, logs can be moved to
+ cold storage)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Cost
+severity: 1
+labels:
+ guid: 91be1f38-8ef3-494c-8bd4-63cbbac75819
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations
+- type: docs
+ url: https://www.youtube.com/watch?v=nHQYcYGKuyw
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-AzureMonitorAlertsOperationalAlerts.yaml b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-AzureMonitorAlertsOperationalAlerts.yaml
new file mode 100644
index 000000000..dbcda6acf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-AzureMonitorAlertsOperationalAlerts.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureMonitorAlertsOperationalAlerts
+title: Use Azure Monitor alerts for the generation of operational alerts.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Operations
+severity: 1
+labels:
+ guid: 97be9951-9048-4384-9c98-6cb2913156a1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-AzureMonitorLogsInsights.yaml b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-AzureMonitorLogsInsights.yaml
new file mode 100644
index 000000000..d5ef058c3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-AzureMonitorLogsInsights.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureMonitorLogsInsights
+title: Use Azure Monitor Logs for insights and reporting.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Operations
+severity: 1
+labels:
+ guid: 6944008b-e7d7-4e48-9327-6d8bdc055bcf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-LogAnalyticsWorkspaceAzureAutomationAccounts.yaml b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-LogAnalyticsWorkspaceAzureAutomationAccounts.yaml
new file mode 100644
index 000000000..b4bcf6763
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-LogAnalyticsWorkspaceAzureAutomationAccounts.yaml
@@ -0,0 +1,17 @@
+name: revcl-LogAnalyticsWorkspaceAzureAutomationAccounts
+title: When using Change and Inventory Tracking via Azure Automation Accounts, ensure
+ that you have selected supported regions for linking your Log Analytics workspace
+ and automation accounts together.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Operations
+severity: 1
+labels:
+ guid: fed3c55f-a67e-4875-aadd-3aba3f9fde31
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/automation/how-to/region-mappings
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-LogRetentionRequirementsAzureStorage.yaml b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-LogRetentionRequirementsAzureStorage.yaml
new file mode 100644
index 000000000..dc16c8b01
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-LogRetentionRequirementsAzureStorage.yaml
@@ -0,0 +1,19 @@
+name: revcl-LogRetentionRequirementsAzureStorage
+title: Export logs to Azure Storage if your log retention requirements exceed twelve
+ years. Use immutable storage with a write-once, read-many policy to make data non-erasable
+ and non-modifiable for a user-specified interval.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Operations
+severity: 1
+labels:
+ guid: 5e6c4cfd-3e50-4454-9c24-47ec66138a72
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-SingleMonitorLogsWorkspaceAzureRoleBasedAccessControl.yaml b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-SingleMonitorLogsWorkspaceAzureRoleBasedAccessControl.yaml
new file mode 100644
index 000000000..3be847479
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Operations/revcl-SingleMonitorLogsWorkspaceAzureRoleBasedAccessControl.yaml
@@ -0,0 +1,19 @@
+name: revcl-SingleMonitorLogsWorkspaceAzureRoleBasedAccessControl
+title: Use a single monitor logs workspace to manage platforms centrally except where
+ Azure role-based access control (Azure RBAC), data sovereignty requirements, or
+ data retention policies mandate separate workspaces.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Operations
+severity: 1
+labels:
+ guid: 67e7a8ed-4b30-4e38-a3f2-9812b2363cef
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/Security/revcl-CentralizedAzureMonitorLogAnalyticsWorkspaceDefaultResourceConfigurations.yaml b/v2/recos/Services/MicrosoftInsights-components/Security/revcl-CentralizedAzureMonitorLogAnalyticsWorkspaceDefaultResourceConfigurations.yaml
new file mode 100644
index 000000000..b0a5e0781
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/Security/revcl-CentralizedAzureMonitorLogAnalyticsWorkspaceDefaultResourceConfigurations.yaml
@@ -0,0 +1,16 @@
+name: revcl-CentralizedAzureMonitorLogAnalyticsWorkspaceDefaultResourceConfigurations
+title: Connect default resource configurations to a centralized Azure Monitor Log
+ Analytics workspace.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.insights/components
+waf: Security
+severity: 1
+labels:
+ guid: e5f8d79f-2e87-4768-924c-516775c6ea95
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment
+queries: {}
diff --git a/v2/recos/Services/MicrosoftInsights-components/aprl-ExistingApplicationMonitoringScenariosWorkspaceBasedApplicationInsights.yaml b/v2/recos/Services/MicrosoftInsights-components/aprl-ExistingApplicationMonitoringScenariosWorkspaceBasedApplicationInsights.yaml
new file mode 100644
index 000000000..444d12e98
--- /dev/null
+++ b/v2/recos/Services/MicrosoftInsights-components/aprl-ExistingApplicationMonitoringScenariosWorkspaceBasedApplicationInsights.yaml
@@ -0,0 +1,21 @@
+name: aprl-ExistingApplicationMonitoringScenariosWorkspaceBasedApplicationInsights
+title: Convert Classic Deployments
+description: |-
+ Classic Application Insights retires in February 2024. To minimize disruption to existing application monitoring scenarios, transition to workspace-based Application Insights before 29 February 2024.
+source:
+ type: aprl
+ file: azure-resources/Insights/components/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Insights/components
+severity: 1
+labels:
+ guid: dac421ec-2832-4c37-839e-b6dc5a38f2fa
+ area: Service Upgrade and Retirement
+links: []
+queries:
+ arg: "// Azure Resource Graph query\n// Filters Application Insights resources with\
+ \ \u2018Classic\u2019 deployment type\nresources\n| where type =~ \"microsoft.insights/components\"\
+ \n| extend IngestionMode = properties.IngestionMode\n| where IngestionMode =~\
+ \ 'ApplicationInsights'\n| project recommendationId= \"dac421ec-2832-4c37-839e-b6dc5a38f2fa\"\
+ , name, id, tags, param1=\"ApplicationInsightsDeploymentType: Classic\"\n"
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Operations/revcl-VirtualMachinesUserPasswordsKeyVaultSecrets.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Operations/revcl-VirtualMachinesUserPasswordsKeyVaultSecrets.yaml
new file mode 100644
index 000000000..8d31fd42b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Operations/revcl-VirtualMachinesUserPasswordsKeyVaultSecrets.yaml
@@ -0,0 +1,16 @@
+name: revcl-VirtualMachinesUserPasswordsKeyVaultSecrets
+title: Use Key Vault secrets to avoid hard-coding sensitive information such as credentials
+ (virtual machines user passwords), certificates or keys.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Operations
+severity: 0
+labels:
+ guid: 108d5099-a11d-4445-bd8b-e12a5e95412e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-AccessPolicyKeyVault.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-AccessPolicyKeyVault.yaml
new file mode 100644
index 000000000..98d6f95c2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-AccessPolicyKeyVault.yaml
@@ -0,0 +1,17 @@
+name: revcl-AccessPolicyKeyVault
+title: During failover, access policy or firewall configurations and settings can't
+ be changed. The key vault will be in read-only mode during failover. Familiarize
+ yourself with the Key Vault's failover guidance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 1
+labels:
+ guid: 614682ca-6e0c-4f34-9f03-c6d3f2b99a32
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-BackupLimitationsPastVersions.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-BackupLimitationsPastVersions.yaml
new file mode 100644
index 000000000..7fbeaec9c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-BackupLimitationsPastVersions.yaml
@@ -0,0 +1,18 @@
+name: revcl-BackupLimitationsPastVersions
+title: Understand Key Vault's backup limitations. Key Vault does not support the ability
+ to backup more than 500 past versions of a key, secret, or certificate object. Attempting
+ to backup a key, secret, or certificate object may result in an error. It is not
+ possible to delete previous versions of a key, secret, or certificate.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 2
+labels:
+ guid: e8659d11-7e02-4db0-848c-c6541dbab68c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-EntireKeyVaultSingleOperation.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-EntireKeyVaultSingleOperation.yaml
new file mode 100644
index 000000000..ae8926602
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-EntireKeyVaultSingleOperation.yaml
@@ -0,0 +1,17 @@
+name: revcl-EntireKeyVaultSingleOperation
+title: Key Vault doesn't currently provide a way to back up an entire key vault in
+ a single operation and keys, secrets and certitificates must be backup indvidually.
+ Familiarize yourself with the Key Vault's backup and restore guidance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 2
+labels:
+ guid: 45c25e29-d0ef-4f07-aa04-0f8c64cbcc04
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultBestPractices.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultBestPractices.yaml
new file mode 100644
index 000000000..d7a0c7c97
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultBestPractices.yaml
@@ -0,0 +1,16 @@
+name: revcl-KeyVaultBestPractices
+title: Familiarize yourself with the Key Vault's best practices such as isolation
+ recommendations, access control, data protection, backup, and logging.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 0
+labels:
+ guid: 6d37a33b-531c-4a91-871a-b69d8044f04e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultManagedService.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultManagedService.yaml
new file mode 100644
index 000000000..3bb45e78d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultManagedService.yaml
@@ -0,0 +1,16 @@
+name: revcl-KeyVaultManagedService
+title: Key Vault is a managed service and Microsoft will handle the failover within
+ and across region. Familiarize yourself with the Key Vault's availability and redundancy.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 1
+labels:
+ guid: 7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultSameGeography.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultSameGeography.yaml
new file mode 100644
index 000000000..09fd1f11f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultSameGeography.yaml
@@ -0,0 +1,17 @@
+name: revcl-KeyVaultSameGeography
+title: The contents of your key vault are replicated within the region and to a secondary
+ region at least 150 miles away, but within the same geography to maintain high durability
+ of your keys and secrets. Familiarize yourself with the Key Vault's data replication.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 1
+labels:
+ guid: 17fb86a2-eb45-42a4-9c34-52b92a2a1842
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultSoftDeletedResources.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultSoftDeletedResources.yaml
new file mode 100644
index 000000000..38e293ee7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-KeyVaultSoftDeletedResources.yaml
@@ -0,0 +1,16 @@
+name: revcl-KeyVaultSoftDeletedResources
+title: Key Vault's soft-deleted resources are retained for a set period of 90 calendar
+ days. Familiarize yourself with the Key Vault's soft-delete guidance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 2
+labels:
+ guid: cbfa96b0-5249-4e6f-947c-d0e79509708c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-MaliciousDeletionKeyVault.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-MaliciousDeletionKeyVault.yaml
new file mode 100644
index 000000000..4f90c1731
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-MaliciousDeletionKeyVault.yaml
@@ -0,0 +1,16 @@
+name: revcl-MaliciousDeletionKeyVault
+title: If you want protection against accidental or malicious deletion of your secrets,
+ configure soft-delete and purge protection features on your key vault.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 0
+labels:
+ guid: 2df045b1-c0f6-47d3-9a9b-99cf6999684e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-OptionalKeyVaultBehaviorPurgeProtection.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-OptionalKeyVaultBehaviorPurgeProtection.yaml
new file mode 100644
index 000000000..e71eb45ea
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-OptionalKeyVaultBehaviorPurgeProtection.yaml
@@ -0,0 +1,18 @@
+name: revcl-OptionalKeyVaultBehaviorPurgeProtection
+title: Purge protection is recommended when using keys for encryption to prevent data
+ loss. Purge protection is an optional Key Vault behavior and is not enabled by default.
+ Purge protection can only be enabled once soft-delete is enabled. It can be turned
+ on via CLI, PowerShell or Portal.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 1
+labels:
+ guid: 0f15640b-31e5-4de6-85a7-d2c652fa09d3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-SameAzureSubscriptionKeyVaultObject.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-SameAzureSubscriptionKeyVaultObject.yaml
new file mode 100644
index 000000000..1cc8185f0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Reliability/revcl-SameAzureSubscriptionKeyVaultObject.yaml
@@ -0,0 +1,19 @@
+name: revcl-SameAzureSubscriptionKeyVaultObject
+title: When you back up a key vault object, such as a secret, key, or certificate,
+ the backup operation will download the object as an encrypted blob. This blob can't
+ be decrypted outside of Azure. To get usable data from this blob, you must restore
+ the blob into a key vault within the same Azure subscription and Azure geography.
+ Familiarize yourself with the Key Vault's backup and restore guidance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Reliability
+severity: 1
+labels:
+ guid: 9ef2b0d2-3206-4c94-b47a-4f07e6a1c509
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AppropriateRegionPairsDisasterRecoveryRegions.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AppropriateRegionPairsDisasterRecoveryRegions.yaml
new file mode 100644
index 000000000..516f2f5d2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AppropriateRegionPairsDisasterRecoveryRegions.yaml
@@ -0,0 +1,18 @@
+name: revcl-AppropriateRegionPairsDisasterRecoveryRegions
+title: If you want to bring your own keys, this might not be supported across all
+ considered services. Implement relevant mitigation so that inconsistencies don't
+ hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions
+ that minimize latency.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: 25d62688-6d70-4ba6-a97b-e99519048384
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AutomatedProcessCertificateRotation.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AutomatedProcessCertificateRotation.yaml
new file mode 100644
index 000000000..843f9bb2b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AutomatedProcessCertificateRotation.yaml
@@ -0,0 +1,15 @@
+name: revcl-AutomatedProcessCertificateRotation
+title: Establish an automated process for key and certificate rotation.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: 913156a1-2476-4e49-b541-acdce979377b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultApplication.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultApplication.yaml
new file mode 100644
index 000000000..f5b9a9de3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultApplication.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureKeyVaultApplication
+title: Use an Azure Key Vault per application per environment per region.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: 91163418-2ba5-4275-8694-4008be7d7e48
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultSecrets.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultSecrets.yaml
new file mode 100644
index 000000000..d292dd23b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultSecrets.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureKeyVaultSecrets
+title: Use Azure Key Vault to store your secrets and credentials
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 0
+labels:
+ guid: 5017f154-e3ab-4369-9829-e7e316183687
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultSoftDelete.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultSoftDelete.yaml
new file mode 100644
index 000000000..025765c9e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-AzureKeyVaultSoftDelete.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureKeyVaultSoftDelete
+title: Provision Azure Key Vault with the soft delete and purge policies enabled to
+ allow retention protection for deleted objects.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: 2ba52752-6944-4008-ae7d-7e4843276d8b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-CustomMicrosoftEntraIdRolesPrivilegeModel.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-CustomMicrosoftEntraIdRolesPrivilegeModel.yaml
new file mode 100644
index 000000000..761440c44
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-CustomMicrosoftEntraIdRolesPrivilegeModel.yaml
@@ -0,0 +1,16 @@
+name: revcl-CustomMicrosoftEntraIdRolesPrivilegeModel
+title: Follow a least privilege model by limiting authorization to permanently delete
+ keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: dc055bcf-619e-48a1-9f98-879525d62688
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-DelegateKeyVaultInstantiationPrivilegedAccess.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-DelegateKeyVaultInstantiationPrivilegedAccess.yaml
new file mode 100644
index 000000000..10067b86b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-DelegateKeyVaultInstantiationPrivilegedAccess.yaml
@@ -0,0 +1,16 @@
+name: revcl-DelegateKeyVaultInstantiationPrivilegedAccess
+title: Delegate Key Vault instantiation and privileged access and use Azure Policy
+ to enforce a consistent compliant configuration.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: b12308ca-5017-4f15-9e3a-b3693829e7e3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-DifferentAzureKeyVaultsTransactionScaleLimits.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-DifferentAzureKeyVaultsTransactionScaleLimits.yaml
new file mode 100644
index 000000000..92d6aaf9e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-DifferentAzureKeyVaultsTransactionScaleLimits.yaml
@@ -0,0 +1,23 @@
+name: revcl-DifferentAzureKeyVaultsTransactionScaleLimits
+title: Use different Azure Key Vaults for different applications and regions to avoid
+ transaction scale limits and restrict access to secrets.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: a0477a20-9945-4bda-9333-4f2491163418
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/overview-throttling
+queries:
+ arg: ResourceContainers | where type=='microsoft.resources/subscriptions'| parse
+ id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName
+ = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'|
+ project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources|
+ where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by
+ subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount),
+ 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)
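Review bot: The final `extend compliant = (RCount <> 1)` flags a subscription as non-compliant only when it contains exactly one vault, so subscriptions with no vaults and subscriptions with several vaults are both reported compliant regardless of whether those vaults are actually split per application or region; the query is a count heuristic rather than a test of the recommendation it is attached to. A short comment in the query text such as `// heuristic: a single vault per subscription is taken as a sign that applications/regions share one vault` would make that limitation visible to whoever reads the result. This file appears to be generated from the checklist named in `source.file`, so any wording or logic change presumably belongs there rather than in this checked-in YAML.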
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-PlatformCentralAzureMonitorLogAnalyticsWorkspaceSecretUsage.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-PlatformCentralAzureMonitorLogAnalyticsWorkspaceSecretUsage.yaml
new file mode 100644
index 000000000..6f5dba0e1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-PlatformCentralAzureMonitorLogAnalyticsWorkspaceSecretUsage.yaml
@@ -0,0 +1,16 @@
+name: revcl-PlatformCentralAzureMonitorLogAnalyticsWorkspaceSecretUsage
+title: Use the platform-central Azure Monitor Log Analytics workspace to audit key,
+ certificate, and secret usage within each instance of Key Vault.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: 17d6326a-f625-4ca4-9e56-95f2223ace8c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-PublicCertificateAuthoritiesCertificateManagement.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-PublicCertificateAuthoritiesCertificateManagement.yaml
new file mode 100644
index 000000000..0db21e776
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-PublicCertificateAuthoritiesCertificateManagement.yaml
@@ -0,0 +1,16 @@
+name: revcl-PublicCertificateAuthoritiesCertificateManagement
+title: Automate the certificate management and renewal process with public certificate
+ authorities to ease administration.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: 6d70ba6c-97be-4995-8904-83845c986cb2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-SovereignLandingZoneAzureKeyVault.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-SovereignLandingZoneAzureKeyVault.yaml
new file mode 100644
index 000000000..6deade3bb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-SovereignLandingZoneAzureKeyVault.yaml
@@ -0,0 +1,16 @@
+name: revcl-SovereignLandingZoneAzureKeyVault
+title: For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets
+ and credentials.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: 4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb
+links:
+- type: docs
+ url: https://learn.microsoft.com/industry/sovereignty/key-management
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-VirtualNetworkServiceEndpointPrivateEndpoint.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-VirtualNetworkServiceEndpointPrivateEndpoint.yaml
new file mode 100644
index 000000000..9ba340588
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/Security/revcl-VirtualNetworkServiceEndpointPrivateEndpoint.yaml
@@ -0,0 +1,16 @@
+name: revcl-VirtualNetworkServiceEndpointPrivateEndpoint
+title: Enable firewall and virtual network service endpoint or private endpoint on
+ the vault to control access to the key vault.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.keyvault/vaults
+waf: Security
+severity: 1
+labels:
+ guid: cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/key-vault/general/best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-AzurePrivateLinkServicePublicInternetExposure.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-AzurePrivateLinkServicePublicInternetExposure.yaml
new file mode 100644
index 000000000..c2e75ed32
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-AzurePrivateLinkServicePublicInternetExposure.yaml
@@ -0,0 +1,26 @@
+name: aprl-AzurePrivateLinkServicePublicInternetExposure
+title: Private endpoint should be configured for Key Vault
+description: |-
+ Azure Private Link Service lets you securely and privately connect to Azure Key Vault via a Private Endpoint in your VNet, using a private IP and eliminating public Internet exposure.
+source:
+ type: aprl
+ file: azure-resources/KeyVault/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.KeyVault/vaults
+severity: 1
+labels:
+ guid: 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This resource graph query will return all Key Vaults that does not have a Private Endpoint Connection or where a private endpoint exists but public access is enabled
+
+ resources
+ | where type == "microsoft.keyvault/vaults"
+ | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ("Succeeded") or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')
+ | extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections),split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))
+ | extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place','Public Access Enabled')))
+ | project recommendationId = "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51", name, id, tags, param1, param2
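Review bot: The `| where` clause of the ARG query treats any non-null `properties.networkAcls` block as adequate protection, so a vault whose firewall object exists but has `defaultAction` left at Allow with public network access enabled is never returned, and only `privateEndpointConnections[0]` is inspected, so a vault with several connections is judged on the first one alone. A tighter public-exposure condition would test the ACL default rather than its presence, e.g. `(properties.publicNetworkAccess == 'Enabled' and (isnull(properties.networkAcls) or properties.networkAcls.defaultAction == 'Allow'))`. This file appears to be generated from the upstream APRL source named in `source.file`, so the correction presumably belongs upstream or in the generator rather than in this YAML. Separately, `resourceTypes` here uses `Microsoft.KeyVault/vaults` while the revcl files in the same folder (for example revcl-AzureKeyVaultSecrets.yaml) use `microsoft.keyvault/vaults`; if any consumer compares these strings case-sensitively the two families will not group together, so normalizing case in the generator would be safer.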
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-KeyVaultAccessRetentionRequirements.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-KeyVaultAccessRetentionRequirements.yaml
new file mode 100644
index 000000000..5411106b1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-KeyVaultAccessRetentionRequirements.yaml
@@ -0,0 +1,18 @@
+name: aprl-KeyVaultAccessRetentionRequirements
+title: Diagnostic logs in Key Vault should be enabled
+description: |-
+ Enable logs, set up alerts, and adhere to retention requirements for improved monitoring and security of Key Vault access, detailing the frequency and identity of users.
+source:
+ type: aprl
+ file: azure-resources/KeyVault/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.KeyVault/vaults
+severity: 2
+labels:
+ guid: 1dc0821d-4f14-7644-bab4-ba208ff5f7fa
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-PermanentDataLossKeyVaults.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-PermanentDataLossKeyVaults.yaml
new file mode 100644
index 000000000..a1229d550
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-PermanentDataLossKeyVaults.yaml
@@ -0,0 +1,23 @@
+name: aprl-PermanentDataLossKeyVaults
+title: Key vaults should have purge protection enabled
+description: |-
+ Purge protection secures against malicious deletions by enforcing a retention period for soft deleted key vaults, ensuring no one, not even insiders or Microsoft, can purge your key vaults during this period, preventing permanent data loss.
+source:
+ type: aprl
+ file: azure-resources/KeyVault/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.KeyVault/vaults
+severity: 1
+labels:
+ guid: 70fcfe6d-00e9-5544-a63a-fff42b9f2edb
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This resource graph query will return all Key Vaults that do not have Purge Protection enabled.
+ resources
+ | where type == "microsoft.keyvault/vaults"
+ | where isnull(properties.enablePurgeProtection) or properties.enablePurgeProtection != "true"
+ | project recommendationId = "70fcfe6d-00e9-5544-a63a-fff42b9f2edb", name, id, tags, param1 = "EnablePurgeProtection: Disabled"
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-SeparateKeyVaultsSecurityBoundaries.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-SeparateKeyVaultsSecurityBoundaries.yaml
new file mode 100644
index 000000000..6c2233e09
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-SeparateKeyVaultsSecurityBoundaries.yaml
@@ -0,0 +1,18 @@
+name: aprl-SeparateKeyVaultsSecurityBoundaries
+title: Use separate key vaults per application per environment
+description: |-
+ Key vaults are security boundaries for secret storage. Grouping secrets together increases risk during a security event, as attacks could access multiple secrets.
+source:
+ type: aprl
+ file: azure-resources/KeyVault/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.KeyVault/vaults
+severity: 0
+labels:
+ guid: e7091145-3642-bd41-bb58-66502e64d2cd
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-SoftDeleteKeyVault.yaml b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-SoftDeleteKeyVault.yaml
new file mode 100644
index 000000000..d5e83168c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKeyVault-vaults/aprl-SoftDeleteKeyVault.yaml
@@ -0,0 +1,23 @@
+name: aprl-SoftDeleteKeyVault
+title: Key vaults should have soft delete enabled
+description: |-
+ Key Vault's soft-delete feature enables recovery of deleted vaults and objects like keys, secrets, and certificates. When enabled, marked resources are retained for 90 days, allowing for their recovery, essentially undoing deletion.
+source:
+ type: aprl
+ file: azure-resources/KeyVault/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.KeyVault/vaults
+severity: 0
+labels:
+ guid: 1cca00d2-d9ab-8e42-a788-5d40f49405cb
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This Resource Graph query will return all Key Vaults that do not have soft delete enabled.
+ resources
+ | where type == "microsoft.keyvault/vaults"
+ | where isnull(properties.enableSoftDelete) or properties.enableSoftDelete != "true"
+ | project recommendationId = "1cca00d2-d9ab-8e42-a788-5d40f49405cb", name, id, tags, param1 = "EnableSoftDelete: Disabled"
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ActiveHotStandbyConfigurationActiveHotConfiguration.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ActiveHotStandbyConfigurationActiveHotConfiguration.yaml
new file mode 100644
index 000000000..44d273363
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ActiveHotStandbyConfigurationActiveHotConfiguration.yaml
@@ -0,0 +1,23 @@
+name: revcl-ActiveHotStandbyConfigurationActiveHotConfiguration
+title: For applications, which required only read during failure, create Active-Hot
+ standby configuration
+description: The Active-Hot configuration is similar to the Active-Active configuration
+ in dual ingest, processing, and curation. While the standby cluster is online for
+ ingestion, process, and curation, it isn't available to query. The standby cluster
+ doesn't need to be in the same SKU as the primary cluster. It can be of a smaller
+ SKU and scale, which may result in it being less performant. In a disaster scenario,
+ users are redirected to the standby cluster, which can optionally be scaled up to
+ increase performance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 8fadfe27-7de2-483b-8ac3-52baa9b75708
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ContinuousDataExportOverviewLeverageExternalTables.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ContinuousDataExportOverviewLeverageExternalTables.yaml
new file mode 100644
index 000000000..c224df482
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ContinuousDataExportOverviewLeverageExternalTables.yaml
@@ -0,0 +1,17 @@
+name: revcl-ContinuousDataExportOverviewLeverageExternalTables
+title: Leverage External Tables and Continuous data export overview to reduce costs
+description: Using the correct approach to feed a datalake with cold data and having
+ the Kusto query engine at your disposal at the same time, as in the short-term storage
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: ba7da7be-9951-4914-a384-5d997cb39132
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-DemandDataRecoveryClusterConfigurationDisasterRecoveryScenario.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-DemandDataRecoveryClusterConfigurationDisasterRecoveryScenario.yaml
new file mode 100644
index 000000000..a9e3e3995
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-DemandDataRecoveryClusterConfigurationDisasterRecoveryScenario.yaml
@@ -0,0 +1,24 @@
+name: revcl-DemandDataRecoveryClusterConfigurationDisasterRecoveryScenario
+title: For applications, where cost is a concern and can withstand some downtime during
+ failure, create on-demand data recovery cluster configuration
+description: This solution offers the least resiliency (highest RPO and RTO), is the
+ lowest in cost and highest in effort. In this configuration, there's no data recovery
+ cluster. Configure continuous export of curated data (unless raw and intermediate
+ data is also required) to a storage account that is configured GRS (Geo Redundant
+ Storage). A data recovery cluster is spun up if there is a disaster recovery scenario.
+ At that time, DDLs, configuration, policies, and processes are applied. Data is
+ ingested from storage with the ingestion property kustoCreationTime to over-ride
+ the ingestion time that defaults to system time.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-IngestDataCluster.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-IngestDataCluster.yaml
new file mode 100644
index 000000000..110d80632
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-IngestDataCluster.yaml
@@ -0,0 +1,15 @@
+name: revcl-IngestDataCluster
+title: Ingest data into each cluster in parallel
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 18ca6017-0265-4f4b-a46a-393af7f31728
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-LeaderFollowerClusterConfigurationOptionalFollowerCapability.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-LeaderFollowerClusterConfigurationOptionalFollowerCapability.yaml
new file mode 100644
index 000000000..69057d1ea
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-LeaderFollowerClusterConfigurationOptionalFollowerCapability.yaml
@@ -0,0 +1,22 @@
+name: revcl-LeaderFollowerClusterConfigurationOptionalFollowerCapability
+title: To share data, explore Leader-follower cluster configuration
+description: Azure Data Explorer provides an optional follower capability for a leader
+ cluster to be followed by other follower clusters for read-only access to the leader's
+ data and metadata. Changes in the leader, such as create, append, and drop are automatically
+ synchronized to the follower. While the leaders could span Azure regions, the follower
+ clusters should be hosted in the same region(s) as the leader. If the leader cluster
+ is down or databases or tables are accidentally dropped, the follower clusters will
+ lose access until access is recovered in the leader.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 56a22586-f490-4641-addd-ea8a377cdeb3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-LeverageInfrastructureCluster.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-LeverageInfrastructureCluster.yaml
new file mode 100644
index 000000000..60266e866
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-LeverageInfrastructureCluster.yaml
@@ -0,0 +1,18 @@
+name: revcl-LeverageInfrastructureCluster
+title: Be fully cognizant of what it takes to build a cluster from scratch. Leverage
+ Infrastructure as a Code for your deployments
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 8b9fe5c4-1049-4d40-9a82-2c3474d00f18
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/devops
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ManagementActivitiesNewTables.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ManagementActivitiesNewTables.yaml
new file mode 100644
index 000000000..81d4b1cac
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ManagementActivitiesNewTables.yaml
@@ -0,0 +1,16 @@
+name: revcl-ManagementActivitiesNewTables
+title: Replicate all management activities such as creating new tables or managing
+ user roles on each cluster.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 436b0635-cb45-4e57-a603-324ace8cc123
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-MultipleAzureDataExplorerClustersAzurePairedRegions.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-MultipleAzureDataExplorerClustersAzurePairedRegions.yaml
new file mode 100644
index 000000000..981eed60c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-MultipleAzureDataExplorerClustersAzurePairedRegions.yaml
@@ -0,0 +1,19 @@
+name: revcl-MultipleAzureDataExplorerClustersAzurePairedRegions
+title: For critical application with no tolerance for outages, create Active-Active-Active
+ (always-on) configuration
+description: This configuration is also called 'always-on'. For critical application
+ deployments with no tolerance for outages, you should use multiple Azure Data Explorer
+ clusters across Azure paired regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 58a9c279-9c42-4bb6-9d0c-65556246b338
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ReleaseAutomationToolWrapDevops.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ReleaseAutomationToolWrapDevops.yaml
new file mode 100644
index 000000000..7fb6ec357
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ReleaseAutomationToolWrapDevops.yaml
@@ -0,0 +1,20 @@
+name: revcl-ReleaseAutomationToolWrapDevops
+title: Wrap DevOps and source control around all your code
+description: All database objects, policies, and configurations should be persisted
+ in source control so they can be released to the cluster from your release automation
+ tool.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 5a907e1e-348e-4f25-9c27-d32e8bbac757
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/devops
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-your-cloud-data/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-TwoAzurePairedRegionsEntireAzureRegion.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-TwoAzurePairedRegionsEntireAzureRegion.yaml
new file mode 100644
index 000000000..a26fd4f3d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-TwoAzurePairedRegionsEntireAzureRegion.yaml
@@ -0,0 +1,21 @@
+name: revcl-TwoAzurePairedRegionsEntireAzureRegion
+title: To protect against regional failure, create Multiple independent clusters,
+ preferably in two Azure Paired regions
+description: Azure Data Explorer doesn't support automatic protection against the
+ outage of an entire Azure region. This disruption can happen during a natural disaster,
+ like an earthquake. If you require a solution for a disaster recovery situation,
+ do the following steps to ensure business continuity. In these steps, you'll replicate
+ your clusters, management, and data ingestion in two Azure paired regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 861bb2bc-14ae-4a6e-95d8-d9a3adc218e6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-TwoAzurePairedRegionsTwoPairedRegions.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-TwoAzurePairedRegionsTwoPairedRegions.yaml
new file mode 100644
index 000000000..d05faa74a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-TwoAzurePairedRegionsTwoPairedRegions.yaml
@@ -0,0 +1,20 @@
+name: revcl-TwoAzurePairedRegionsTwoPairedRegions
+title: For critical applications, create Active-Active configuration in two paired
+ regions
+description: This configuration is identical to the active-active-active configuration,
+ but only involves two Azure paired regions. Configure dual ingestion, processing,
+ and curation. Users are routed to the nearest region. The cluster SKU must be the
+ same across regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 563a4dc7-4a74-48b6-922a-d190916a6649
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ValidationRoutinesDataPerspective.yaml b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ValidationRoutinesDataPerspective.yaml
new file mode 100644
index 000000000..36dab184d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftKusto-clusters/Reliability/revcl-ValidationRoutinesDataPerspective.yaml
@@ -0,0 +1,18 @@
+name: revcl-ValidationRoutinesDataPerspective
+title: Design, develop, and implement validation routines to ensure all clusters are
+ in-sync from a data perspective.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.kusto/clusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 1559ab91-53e8-4908-ae28-b84c33b6b780
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/data-explorer/devops
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-active-directory/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-AzureReservedVirtualMachineInstancesNextOneToThreeYears.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-AzureReservedVirtualMachineInstancesNextOneToThreeYears.yaml
new file mode 100644
index 000000000..8b939a528
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-AzureReservedVirtualMachineInstancesNextOneToThreeYears.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureReservedVirtualMachineInstancesNextOneToThreeYears
+title: 'Rate optimization: Purchase Azure Reserved Virtual Machine Instances if you
+ have a good estimate of usage over the next one to three years.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: f846a556-0f24-45ba-a2e2-43855e78ca2d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-CheaperVmSizesResourceUsage.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-CheaperVmSizesResourceUsage.yaml
new file mode 100644
index 000000000..1b6ca42de
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-CheaperVmSizesResourceUsage.yaml
@@ -0,0 +1,17 @@
+name: wafsg-CheaperVmSizesResourceUsage
+title: 'Monitor and optimize: Monitor your resource usage such as CPU and GPU usage
+ when training models. If the resources aren''t being fully used, modify your code
+ to better use resources or scale down to smaller or cheaper VM sizes.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 2905301e-e22b-4203-8fa0-6c7d740dd465
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-EarlyTerminationPoliciesTrainingTerminationPolicies.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-EarlyTerminationPoliciesTrainingTerminationPolicies.yaml
new file mode 100644
index 000000000..ac38379c7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-EarlyTerminationPoliciesTrainingTerminationPolicies.yaml
@@ -0,0 +1,16 @@
+name: wafsg-EarlyTerminationPoliciesTrainingTerminationPolicies
+title: 'Set training termination policies: Set early termination policies to limit
+ the duration of training runs or terminate them early.'
+description: Setting termination policies can help you save costs by stopping nonperforming
+ runs early.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: d02f1c6b-b32d-4027-8c23-dad429d06570
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-IdleShutdownComputeInstances.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-IdleShutdownComputeInstances.yaml
new file mode 100644
index 000000000..00f8b4b06
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-IdleShutdownComputeInstances.yaml
@@ -0,0 +1,17 @@
+name: wafsg-IdleShutdownComputeInstances
+title: 'Enable idle shutdown for compute instances: Enable idle shutdown for compute
+ instances or schedule a start and stop time if usage time is known.'
+description: By default, compute instances are available to you, accruing cost. Configuring
+ compute instances to shut down when idle or configuring a schedule for them saves
+ cost when they aren't in use.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: af8c167c-be44-45c2-bb57-a1bc383a8abd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LessIterativeExperimentationComputeScaling.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LessIterativeExperimentationComputeScaling.yaml
new file mode 100644
index 000000000..6137d9047
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LessIterativeExperimentationComputeScaling.yaml
@@ -0,0 +1,21 @@
+name: wafsg-LessIterativeExperimentationComputeScaling
+title: 'Optimize compute scaling: Configure your compute clusters for autoscaling
+ to ensure you only use what you need.For training clusters, set the minimum number
+ of nodes to 0 and configure the amount of time the node is idle to an appropriate
+ time. For less iterative experimentation, reduce the time to save costs. For more
+ iterative experimentation, use a higher time to prevent paying for scaling up or
+ down after each change.'
+description: Configure autoscaling for compute clusters to scale down when their usage
+ is low. Set the minimum number of nodes to 0 for training clusters to scale down
+ to 0 when not in use.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: f96f9439-c6c3-4bd1-a6ef-912307025375
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LowPriorityVirtualMachinesBatchWorkloads.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LowPriorityVirtualMachinesBatchWorkloads.yaml
new file mode 100644
index 000000000..19fcbb9e4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LowPriorityVirtualMachinesBatchWorkloads.yaml
@@ -0,0 +1,17 @@
+name: wafsg-LowPriorityVirtualMachinesBatchWorkloads
+title: 'Use low-priority virtual machines for batch workloads: Consider using low-priority
+ virtual machines for batch workloads that aren''t time-sensitive and in which interruptions
+ are recoverable.'
+description: Low-priority virtual machines enable a large amount of compute power
+ to be used for a low cost. They take advantage of surplus capacity in Azure.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 8fff224b-1d7f-4116-8624-e92ed5afc67a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LowerCostSkusUsageOptimization.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LowerCostSkusUsageOptimization.yaml
new file mode 100644
index 000000000..f91d67ac1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-LowerCostSkusUsageOptimization.yaml
@@ -0,0 +1,16 @@
+name: wafsg-LowerCostSkusUsageOptimization
+title: 'Usage optimization: Test parallelizing training workloads to determine if
+ training requirements can be met on lower cost SKUs.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: feac1256-41f0-435e-8d6c-c66c264deb5b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-MultipleSmallerInstancesTrainingWorkloads.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-MultipleSmallerInstancesTrainingWorkloads.yaml
new file mode 100644
index 000000000..bdec6be62
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-MultipleSmallerInstancesTrainingWorkloads.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MultipleSmallerInstancesTrainingWorkloads
+title: 'Parallelize training workloads: Consider parallelizing training workloads.
+ Test running them with the help of the parallel components in Machine Learning.'
+description: Parallel workloads can be run on multiple smaller instances, potentially
+ yielding cost savings.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 2c88452f-1c05-46c4-a541-54acbfc708b2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-NextOneToThreeYearsAzureReservedVmInstances.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-NextOneToThreeYearsAzureReservedVmInstances.yaml
new file mode 100644
index 000000000..988709ba8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-NextOneToThreeYearsAzureReservedVmInstances.yaml
@@ -0,0 +1,18 @@
+name: wafsg-NextOneToThreeYearsAzureReservedVmInstances
+title: 'Azure Reserved VM Instances: Purchase Azure Reserved VM Instances if you have
+ a good estimate of usage over the next one to three years. Take advantage of reserved
+ capacity options for services when you have good estimates of usage.'
+description: Purchase Azure Reserved VM Instances to prepay for virtual machine usage
+ and provide discounts with pay-as-you-go pricing. The discount is automatically
+ applied for virtual machine usage that matches the reservation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: bfc81863-3497-4a8d-a16e-aab55f3bae72
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationAppropriateResources.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationAppropriateResources.yaml
new file mode 100644
index 000000000..30c435ce6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationAppropriateResources.yaml
@@ -0,0 +1,17 @@
+name: wafsg-UsageOptimizationAppropriateResources
+title: 'Usage optimization: Choose the appropriate resources to ensure that they align
+ with your workload requirements. For example, choose between CPUs or GPUs, various
+ SKUs, or low versus regular-priority VMs.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: ac00077c-9c99-40f8-8b08-9938b9ab6445
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationLowerLimits.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationLowerLimits.yaml
new file mode 100644
index 000000000..71ac0fc89
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationLowerLimits.yaml
@@ -0,0 +1,16 @@
+name: wafsg-UsageOptimizationLowerLimits
+title: 'Usage optimization: Apply policies and configure quotas to comply with the
+ design''s upper and lower limits.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 66c94617-9ee4-4b81-be7a-ef5dbd521fc6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationResources.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationResources.yaml
new file mode 100644
index 000000000..d0582be6e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-UsageOptimizationResources.yaml
@@ -0,0 +1,16 @@
+name: wafsg-UsageOptimizationResources
+title: 'Usage optimization: Ensure compute resources that aren''t being used are scaled
+ down or shut down when idle to reduce waste.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 42466537-fe74-483d-94b7-3525c15f3cf8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-VeryLargeMachinesSpecializedCoreInstructions.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-VeryLargeMachinesSpecializedCoreInstructions.yaml
new file mode 100644
index 000000000..05b73bb4a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Cost/wafsg-VeryLargeMachinesSpecializedCoreInstructions.yaml
@@ -0,0 +1,29 @@
+name: wafsg-VeryLargeMachinesSpecializedCoreInstructions
+title: "Optimize compute resources: Optimize your compute resources based on the requirements\
+ \ of your workload. Choose the SKU that best suits your workload:
- General\
+ \ Purpose \u2013 Balanced CPU to memory ratio, good for all purposes.
- Compute\
+ \ Optimized \u2013 High CPU to memory ratio, good for math-heavy computations.
- Memory\
+ \ Optimized \u2013 High memory to CPU, good for in-memory computations or database\
+ \ applications.
- M Series \u2013 Very large machines that have huge amounts\
+ \ of memory and CPU.
- GPU \u2013 Better for models with a high number of\
+ \ variables that can benefit from higher parallelism and specialized core instructions.\
+ \ Typical applications are deep learning, image or video processing, scientific\
+ \ simulations, data mining, and taking advantage of GPU development frameworks.\
+ \ Test with multiple families and document the results as your baseline. As your\
+ \ model and data evolve, the most adequate compute resource might change. Monitor\
+ \ execution times and reevaluate as needed."
+description: Selecting the right compute is critical as it directly impacts the cost
+ of running your workload. Choosing a GPU or a high-performance SKU without proper
+ usage can lead to wasteful spending, while choosing undersized compute can lead
+ to prohibitively long training times and performance problems.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 1d3deb66-a7cf-4c9e-8071-3b3e3d60c478
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-CurateModelTrainingEnvironmentsUnnecessaryImageBuilds.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-CurateModelTrainingEnvironmentsUnnecessaryImageBuilds.yaml
new file mode 100644
index 000000000..d7d7622e1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-CurateModelTrainingEnvironmentsUnnecessaryImageBuilds.yaml
@@ -0,0 +1,19 @@
+name: wafsg-CurateModelTrainingEnvironmentsUnnecessaryImageBuilds
+title: 'Curate model training environments: Use curated environments optimized for
+ Machine Learning, when available.'
+description: Curated environments are pre-created environments provided by Machine
+ Learning that speed up deployment time and reduce deployment and training latency.
+ Using curated environments improves training and deployment success rates and avoids
+ unnecessary image builds. Curated environments, such as Azure Container for PyTorch,
+ can also be optimized for training large models on Machine Learning.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: 4addefe4-a8b2-4b05-8483-c8a96ada0ee0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-CuratedEnvironmentsMachineLearning.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-CuratedEnvironmentsMachineLearning.yaml
new file mode 100644
index 000000000..0f6c16d88
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-CuratedEnvironmentsMachineLearning.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CuratedEnvironmentsMachineLearning
+title: 'Simplicity: Use curated environments optimized for Machine Learning, when
+ available.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: d0afa393-bcfd-4e72-8cd2-304a988a6d0a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-DeployedModelsDataDrift.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-DeployedModelsDataDrift.yaml
new file mode 100644
index 000000000..cda946cda
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-DeployedModelsDataDrift.yaml
@@ -0,0 +1,16 @@
+name: wafsg-DeployedModelsDataDrift
+title: 'Observability: Monitor the performance of your deployed models including data
+ drift.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: 528dda34-794b-4acb-bd29-67d14b1cac5b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-DifferentPerformantSkusOnlineEndpoints.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-DifferentPerformantSkusOnlineEndpoints.yaml
new file mode 100644
index 000000000..0aaf4c855
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-DifferentPerformantSkusOnlineEndpoints.yaml
@@ -0,0 +1,24 @@
+name: wafsg-DifferentPerformantSkusOnlineEndpoints
+title: 'Monitor infrastructure: If your models are deployed to online endpoints, enable
+ Application Insights to monitor online endpoints and deployments.Monitor training
+ infrastructure to ensure you''re meeting your baseline requirements.Ensure you''re
+ collecting resource logs for Machine Learning.'
+description: Monitoring endpoints gives you visibility into metrics such as request
+ latency and requests per minute. You can compare your performance versus your baseline
+ and use this information to make changes to compute resources accordingly. Monitoring
+ metrics such as network bytes can alert you if you're approaching quota limits and
+ prevent throttling.Likewise, monitoring your training environment provides you with
+ the information to make changes to your training environment. Use that information
+ to decide to scale in or out, scale up or down with different performant SKUs, or
+ choose between CPUs or GPUs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: dce862d1-7b48-478a-bc39-39faa56f2531
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-FineTunePretrainedFoundationalMachineLearningModelsMachineLearningModelCatalogs.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-FineTunePretrainedFoundationalMachineLearningModelsMachineLearningModelCatalogs.yaml
new file mode 100644
index 000000000..137e767c7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-FineTunePretrainedFoundationalMachineLearningModelsMachineLearningModelCatalogs.yaml
@@ -0,0 +1,22 @@
+name: wafsg-FineTunePretrainedFoundationalMachineLearningModelsMachineLearningModelCatalogs
+title: 'Take advantage of model catalogs and registries: Take advantage of Machine
+ Learning model catalogs and registries to store, version, and share machine learning
+ assets.Use Machine Learning model catalogs to help you implement A/B testing and
+ deployment of models.'
+description: Use Machine Learning model registries to store and version your machine
+ learning models to track changes and maintain lineage with the job and datasets
+ used for training. With Machine Learning model catalogs, your data science teams
+ can discover, evaluate, and fine tune pretrained foundational machine learning models.
+ Storing versioned models in Machine Learning model registries supports deployment
+ strategies such as A/B releases, canary releases, and rollbacks.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: 53e64198-939d-4710-bb60-78240890442a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-GoodMachineLearningOperationsMlopsPractices.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-GoodMachineLearningOperationsMlopsPractices.yaml
new file mode 100644
index 000000000..3983a9b22
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-GoodMachineLearningOperationsMlopsPractices.yaml
@@ -0,0 +1,18 @@
+name: wafsg-GoodMachineLearningOperationsMlopsPractices
+title: 'Automate for efficiency: Follow good machine learning operations (MLOps) practices.
+ When possible, build end-to-end automated pipelines for data preparation, training,
+ and scoring processes. In development, use scripts instead of notebooks for training
+ models, as scripts are easier to integrate into automated pipelines.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: b796f824-2db6-452c-abf7-38292ba5b5f2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningModelCatalogsMachineLearningAssets.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningModelCatalogsMachineLearningAssets.yaml
new file mode 100644
index 000000000..2921c0070
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningModelCatalogsMachineLearningAssets.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MachineLearningModelCatalogsMachineLearningAssets
+title: 'Development standards: Take advantage of Machine Learning model catalogs and
+ registries to store, version, and share machine learning assets.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: f5da553a-b026-4714-a3e3-d34ff609f316
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningWorkspaceInstancesMultipleSeparateWorkspaces.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningWorkspaceInstancesMultipleSeparateWorkspaces.yaml
new file mode 100644
index 000000000..d59993d3b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningWorkspaceInstancesMultipleSeparateWorkspaces.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MachineLearningWorkspaceInstancesMultipleSeparateWorkspaces
+title: 'Minimize Machine Learning workspace instances: Minimize the number of workspaces,
+ when possible, to reduce maintenance.'
+description: Limiting the number of workspaces reduces the maintenance effort and
+ cost of operation. For requirements, such as security, you might need multiple separate
+ workspaces. Minimize the number of workspaces when possible.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: 89ba4602-237d-4482-ba98-bf25c262c8e8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningWorkspacesOtherDeploymentEnvironments.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningWorkspacesOtherDeploymentEnvironments.yaml
new file mode 100644
index 000000000..41252c9ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MachineLearningWorkspacesOtherDeploymentEnvironments.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MachineLearningWorkspacesOtherDeploymentEnvironments
+title: 'Deploy with confidence: Implement infrastructure as code (IaC) for Machine
+ Learning workspaces, compute clusters, compute instances, and other deployment environments.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: 47a26596-5524-4dd6-8fdd-fcc6ccbc9601
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MonitoringDataDriftInputData.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MonitoringDataDriftInputData.yaml
new file mode 100644
index 000000000..da61654d0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-MonitoringDataDriftInputData.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MonitoringDataDriftInputData
+title: 'Monitor model performance: Monitor the performance of your deployed models,
+ and detect data drift on datasets.'
+description: "Monitoring deployed models ensures your models meet the performance\
+ \ requirements.Monitoring data drift helps you detect changes in the input data\
+ \ that can lead to a decline in your model\u2019s performance. Managing data drift\
+ \ helps you ensure that your model provides accurate results over time."
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: 2ec618e1-844b-4b7f-bc41-be65bdf537d0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-OnlineEndpointsApplicationInsights.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-OnlineEndpointsApplicationInsights.yaml
new file mode 100644
index 000000000..7a28f8384
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Operations/wafsg-OnlineEndpointsApplicationInsights.yaml
@@ -0,0 +1,17 @@
+name: wafsg-OnlineEndpointsApplicationInsights
+title: 'Observability: If your models are deployed to online endpoints, enable Application
+ Insights to monitor online endpoints and deployments. Monitor training infrastructure
+ to ensure you''re meeting your baseline requirements.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Operations
+severity: 1
+labels:
+ guid: b5a47cd0-f65e-44bb-8001-66f68f8e0687
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AcceptableTrainingTimeTrainingTimeGoal.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AcceptableTrainingTimeTrainingTimeGoal.yaml
new file mode 100644
index 000000000..6e97421b2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AcceptableTrainingTimeTrainingTimeGoal.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AcceptableTrainingTimeTrainingTimeGoal
+title: 'Performance targets: Determine the acceptable training time and retrain frequency
+ for your model. Setting a clear target for training time, along with testing, helps
+ you determine the compute resources, CPU versus GPU, and CPU SKUs required to meet
+ the training time goal.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: 2b36442a-e682-4d91-9dac-75d02e6e90bf
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AppropriateActionsPerformance.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AppropriateActionsPerformance.yaml
new file mode 100644
index 000000000..2e0259f00
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AppropriateActionsPerformance.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AppropriateActionsPerformance
+title: 'Achieve and sustain performance: Continuously monitor the performance of your
+ deployed models, review results, and take appropriate actions.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: 97507b95-fd6d-4784-a678-0327e5427f31
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AppropriateActionsTrainingTime.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AppropriateActionsTrainingTime.yaml
new file mode 100644
index 000000000..0bd8e0cd6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AppropriateActionsTrainingTime.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AppropriateActionsTrainingTime
+title: 'Achieve and sustain performance: Continuously monitor the performance of your
+ infrastructure of deployed models, review results, and take appropriate actions.
+ Monitor training infrastructure to ensure you''re meeting your requirements for
+ training time.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: d5d78692-ab7b-45d0-8c91-93b4f6329f41
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AzureMonitorAutoscaleFeatureAksDeploymentEnvironments.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AzureMonitorAutoscaleFeatureAksDeploymentEnvironments.yaml
new file mode 100644
index 000000000..3ef42405d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-AzureMonitorAutoscaleFeatureAksDeploymentEnvironments.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureMonitorAutoscaleFeatureAksDeploymentEnvironments
+title: "Model deployment environment scaling: Use the deployment environment\u2019\
+ s autoscale capabilities. For AKS deployment environments, use the cluster autoscaler\
+ \ to scale to meet demand. For online endpoints, automatically scale via integration\
+ \ with the Azure Monitor autoscale feature."
+description: Autoscaling adjusts the number of instances of the deployed model to
+ match demand.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: bc3729bc-45fd-4ceb-9b5d-2135464eddfb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-CpuSkuChoicesAcceptablePerformanceTargets.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-CpuSkuChoicesAcceptablePerformanceTargets.yaml
new file mode 100644
index 000000000..046788c22
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-CpuSkuChoicesAcceptablePerformanceTargets.yaml
@@ -0,0 +1,18 @@
+name: wafsg-CpuSkuChoicesAcceptablePerformanceTargets
+title: 'Performance targets: Define the acceptable performance targets for your deployed
+ models including response time, requests per second, error rate, and uptime. Performance
+ targets act as a benchmark for your deployed model''s efficiency. Targets can help
+ you make CPU versus GPU determinations, CPU SKU choices, and scaling requirements.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: 224fccfe-921b-4854-a01c-429988f76fd0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-DeploymentEnvironmentsAutoscalingCapabilities.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-DeploymentEnvironmentsAutoscalingCapabilities.yaml
new file mode 100644
index 000000000..94aa6c9d4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-DeploymentEnvironmentsAutoscalingCapabilities.yaml
@@ -0,0 +1,16 @@
+name: wafsg-DeploymentEnvironmentsAutoscalingCapabilities
+title: 'Meet capacity requirements: Choose deployment environments with autoscaling
+ capabilities to add and remove capacity as demand fluctuates.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: def7165b-3e46-4bab-b1a1-a24681c4cacc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-DifferentPerformantSkusOnlineEndpoints-1.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-DifferentPerformantSkusOnlineEndpoints-1.yaml
new file mode 100644
index 000000000..0d8f0b714
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-DifferentPerformantSkusOnlineEndpoints-1.yaml
@@ -0,0 +1,25 @@
+name: wafsg-DifferentPerformantSkusOnlineEndpoints-1
+title: 'Monitor infrastructure: Monitor online endpoints and integrate with Monitor
+ to track and monitor the appropriate metrics and logs. Enable Application Insights
+ when creating online deployments.Monitor training infrastructure and review resource
+ usage such as memory and CPU or GPU usage when training models to ensure you''re
+ meeting your baseline requirements.'
+description: Monitoring endpoints gives you visibility into metrics such as request
+ latency and requests per minute. You can compare your performance versus your baseline
+ and use this information to make changes to compute resources accordingly. Monitoring
+ metrics such as network bytes can alert you if you're approaching quota limits and
+ prevent throttling.Likewise, monitoring your training environment provides you with
+ the information to make changes to your training environment. Use that information
+ to decide to scale in or out, scale up or down with different performant SKUs, or
+ choose between CPUs or GPUs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: ff1f7368-9980-4cf5-bfe0-31ebae0ebc7e
+links: []
+queries: {}
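Review bot: Sentence boundaries were lost in the extracted text: `deployments.Monitor` in the title and `throttling.Likewise` in the description run two sentences together with no space, which suggests the checklist-to-YAML conversion concatenates paragraphs without a separator. The `-1` suffix on `wafsg-DifferentPerformantSkusOnlineEndpoints-1` also indicates a name collision with an entry that is not in view; a numeric suffix does not say which entry is canonical, so downstream consumers cannot dedupe reliably. Both look like generator issues rather than something to patch in this file.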
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-FeatureAttributionDriftMonitoringDataDrift.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-FeatureAttributionDriftMonitoringDataDrift.yaml
new file mode 100644
index 000000000..a63a9aaa3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-FeatureAttributionDriftMonitoringDataDrift.yaml
@@ -0,0 +1,18 @@
+name: wafsg-FeatureAttributionDriftMonitoringDataDrift
+title: 'Monitor model performance: Monitor the performance of your deployed models.'
+description: "Tracking the performance of models in production alerts you to potential\
+ \ problems such as data drift, prediction drift, data quality, and feature attribution\
+ \ drift.Monitoring data drift helps you detect changes in the input data that can\
+ \ lead to a decline in your model\u2019s performance. Managing data drift helps\
+ \ you ensure that your model provides accurate results over time."
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: ce910d41-2b8b-4685-9e78-5dc683d84bc1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-MachineLearningComputeClustersAppropriateComputeServices.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-MachineLearningComputeClustersAppropriateComputeServices.yaml
new file mode 100644
index 000000000..595ad7999
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-MachineLearningComputeClustersAppropriateComputeServices.yaml
@@ -0,0 +1,26 @@
+name: wafsg-MachineLearningComputeClustersAppropriateComputeServices
+title: 'Select appropriate compute services for model training: Consider Machine Learning
+ compute clusters over compute instances for model training if you require autoscaling.Optimize
+ your compute resources based on the training requirements. First choose between
+ CPUs and GPUs. Default to CPUs, but consider GPUs for workloads such as deep learning,
+ image or video processing, or large amounts of data. Next, choose the image SKU
+ that best suits your workload.Use testing to choose the compute option that optimizes
+ cost against training time when determining your baseline.'
+description: Selecting the right compute is critical as it directly impacts the training
+ time. Choosing the right SKU and CPU versus GPU ensures your model training can
+ meet your requirements and performance targets. Choosing a low-performance SKU that's
+ overused can lead to prohibitively long training times and performance problems.
+ Compute clusters provide the ability to improve performance by scaling out workloads
+ that support horizontal scaling. This method provides flexibility for handling workloads
+ with different demands and lets you add or remove machines as needed.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: 8c75d7e5-34e6-4a55-85a1-db4c26eb15f2
+links: []
+queries: {}
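Review bot: The title runs `autoscaling.Optimize` and `workload.Use` together, so at least two paragraph boundaries were dropped during extraction. The title is also four sentences long; a title should be the leading imperative (`Select appropriate compute services for model training`) with the remaining guidance moved into `description`, which in this entry already carries the rationale. Since the file appears to be generated, the split belongs in the parser rather than here.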
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-RightComputeResourcesCapacityRequirements-1.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-RightComputeResourcesCapacityRequirements-1.yaml
new file mode 100644
index 000000000..eaa07ec8a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-RightComputeResourcesCapacityRequirements-1.yaml
@@ -0,0 +1,15 @@
+name: wafsg-RightComputeResourcesCapacityRequirements-1
+title: 'Meet capacity requirements: Choose the right compute resources for model deployments.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: 31f9cf51-136d-4c41-93d3-59f89c253259
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-RightComputeResourcesCapacityRequirements.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-RightComputeResourcesCapacityRequirements.yaml
new file mode 100644
index 000000000..d357ee628
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Performance/wafsg-RightComputeResourcesCapacityRequirements.yaml
@@ -0,0 +1,15 @@
+name: wafsg-RightComputeResourcesCapacityRequirements
+title: 'Meet capacity requirements: Choose the right compute resources for model training.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Performance
+severity: 1
+labels:
+ guid: ff8ee1a1-242e-4f07-b027-41219ea774d8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-AzureContainerRegistryAzureStorage.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-AzureContainerRegistryAzureStorage.yaml
new file mode 100644
index 000000000..7b6eef7a7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-AzureContainerRegistryAzureStorage.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureContainerRegistryAzureStorage
+title: 'Recovery: Ensure you have a recovery strategy defined. Machine Learning doesn''t
+ have automatic failover. Therefore, you must design a strategy that encompasses
+ the workspace and all its dependencies, such as Key Vault, Azure Storage, and Azure
+ Container Registry.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: bfa8abfb-faee-4eff-aff9-240353e483e2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-BusinessRequirementsComputeClusters.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-BusinessRequirementsComputeClusters.yaml
new file mode 100644
index 000000000..29878d60d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-BusinessRequirementsComputeClusters.yaml
@@ -0,0 +1,17 @@
+name: wafsg-BusinessRequirementsComputeClusters
+title: 'Business requirements: Select your use of compute clusters, compute instances,
+ and externalized inference hosts based on reliability needs, considering service-level
+ agreements (SLAs) as a factor.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: a03b959b-6c2a-485f-824c-4d105fce8c68
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-DedicatedVirtualMachineTierLowPriorityVirtualMachines.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-DedicatedVirtualMachineTierLowPriorityVirtualMachines.yaml
new file mode 100644
index 000000000..9a1676df4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-DedicatedVirtualMachineTierLowPriorityVirtualMachines.yaml
@@ -0,0 +1,17 @@
+name: wafsg-DedicatedVirtualMachineTierLowPriorityVirtualMachines
+title: 'Use the Dedicated virtual machine tier for compute clusters: Use the Dedicated
+ virtual machine tier for compute clusters for batch inferencing to ensure your batch
+ job isn''t preempted.'
+description: Low-priority virtual machines come at a reduced price but are preemptible.
+ Clusters that use the Dedicated virtual machine tier aren't preempted.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 68b3ba0d-ab8c-44b9-b840-601535753fcc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MachineLearningWorkloadsDifferentGeographicalAreas.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MachineLearningWorkloadsDifferentGeographicalAreas.yaml
new file mode 100644
index 000000000..f5f6f8aba
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MachineLearningWorkloadsDifferentGeographicalAreas.yaml
@@ -0,0 +1,19 @@
+name: wafsg-MachineLearningWorkloadsDifferentGeographicalAreas
+title: 'Multi-region model deployment: For enhanced reliability and availability,
+ consider a multi-region deployment environment when possible.'
+description: A multi-region deployment ensures that your Machine Learning workloads
+ continue to run even if one region experiences an outage. Multi-region deployment
+ improves load distribution across regions, potentially enhancing performance for
+ users located in different geographical areas. For more information, see Failover
+ for business continuity and disaster recovery.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: c953c774-517c-48ce-82cb-105448b8a647
+links: []
+queries: {}
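Review bot: The description ends with `For more information, see Failover for business continuity and disaster recovery.` but `links: []` is empty, so the link target was dropped during extraction and the reader is left with dangling anchor text. Either carry the URL through into `links` or strip the trailing "see …" sentence from the description. This looks like a generator issue in the JSON-checklist conversion path rather than a one-off in this file.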
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MachineLearningWorkspacesExploratoryWork.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MachineLearningWorkspacesExploratoryWork.yaml
new file mode 100644
index 000000000..1dff1058e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MachineLearningWorkspacesExploratoryWork.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MachineLearningWorkspacesExploratoryWork
+title: 'Resiliency: Segregate Machine Learning workspaces used for exploratory work
+ from those used for production.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 3994dafd-ee4c-4768-8c9f-a3b8ff74b1ba
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MultiRegionDeploymentTopologyDatacenterFailure.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MultiRegionDeploymentTopologyDatacenterFailure.yaml
new file mode 100644
index 000000000..b82eef80f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-MultiRegionDeploymentTopologyDatacenterFailure.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MultiRegionDeploymentTopologyDatacenterFailure
+title: 'Resiliency: Deploy models to environments that support availability zones,
+ such as AKS. By ensuring deployments are distributed across availability zones,
+ you''re ensuring a deployment is available even in the event of a datacenter failure.
+ For enhanced reliability and availability, consider a multi-region deployment topology.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 0d13edb5-8966-463a-868e-c3ba9d94e644
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-OnlineEndpointsReleaseStrategy.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-OnlineEndpointsReleaseStrategy.yaml
new file mode 100644
index 000000000..121ccb339
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-OnlineEndpointsReleaseStrategy.yaml
@@ -0,0 +1,17 @@
+name: wafsg-OnlineEndpointsReleaseStrategy
+title: 'Resiliency: When using managed online endpoints for inferencing, use a release
+ strategy such as blue-green deployments to minimize downtime and reduce the risk
+ associated with deploying new versions.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: a8c2bbfa-d47f-44bd-ad33-4c635773259e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-SelfHealingCapabilitiesCheckpointingFeatures.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-SelfHealingCapabilitiesCheckpointingFeatures.yaml
new file mode 100644
index 000000000..b6cbbb6f6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-SelfHealingCapabilitiesCheckpointingFeatures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-SelfHealingCapabilitiesCheckpointingFeatures
+title: 'Recovery: Ensure you have self-healing capabilities, such as checkpointing
+ features supported by Machine Learning, when training large models.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 45f7fa49-0339-464b-94cb-b20ec1700e14
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-SufficientComputeResourcePlanning.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-SufficientComputeResourcePlanning.yaml
new file mode 100644
index 000000000..bd36abbb1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-SufficientComputeResourcePlanning.yaml
@@ -0,0 +1,17 @@
+name: wafsg-SufficientComputeResourcePlanning
+title: 'Resiliency: Ensure you have sufficient compute for both training and inferencing.
+ Through resource planning, make sure your compute SKU and scale settings meet the
+ requirements of your workload.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 9a42f7b9-41db-4c47-854d-90d08c4cbe22
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-TensorflowEstimatorClassModelTrainingResiliency.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-TensorflowEstimatorClassModelTrainingResiliency.yaml
new file mode 100644
index 000000000..849b72b2c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Reliability/wafsg-TensorflowEstimatorClassModelTrainingResiliency.yaml
@@ -0,0 +1,19 @@
+name: wafsg-TensorflowEstimatorClassModelTrainingResiliency
+title: 'Model training resiliency: Use checkpointing features supported by Machine
+ Learning including Azure Container for PyTorch, the TensorFlow Estimator class,
+ or the Run object and the FileDataset class that support model checkpointing.'
+description: Model checkpointing periodically saves the state of your machine learning
+ model during training, so that it can be restored in case of interruption, failure,
+ or termination. For more information, see Boost checkpoint speed and reduce cost
+ with Nebula.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 176382f6-20de-404a-a6c1-1cb00618b101
+links: []
+queries: {}
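Review bot: The description references `Boost checkpoint speed and reduce cost with Nebula` as a further-reading link, yet `links: []` is empty, so the reference cannot be followed. The same pattern appears in the multi-region entry of this folder, which suggests the converter keeps the link text but discards the target. Either populate `links` from the source or drop the orphaned "see …" sentence.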
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ApprovedRegistriesModelRegistry.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ApprovedRegistriesModelRegistry.yaml
new file mode 100644
index 000000000..aec8b5837
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ApprovedRegistriesModelRegistry.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ApprovedRegistriesModelRegistry
+title: 'Integrity: Regulate access to foundational models. Ensure only approved registries
+ have access to models in the model registry.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: ad0a3245-9a51-46d2-81e0-1fa77b288902
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-IntegrityTrust.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-IntegrityTrust.yaml
new file mode 100644
index 000000000..b71fee263
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-IntegrityTrust.yaml
@@ -0,0 +1,16 @@
+name: wafsg-IntegrityTrust
+title: 'Integrity: Establish trust and verified access by implementing encryption
+ for data at rest and data in transit.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 99910102-9fb9-4526-ad60-f0ef309b0230
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-LatestOperatingSystemImageLatestSecurityPatches.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-LatestOperatingSystemImageLatestSecurityPatches.yaml
new file mode 100644
index 000000000..acf7e41af
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-LatestOperatingSystemImageLatestSecurityPatches.yaml
@@ -0,0 +1,16 @@
+name: wafsg-LatestOperatingSystemImageLatestSecurityPatches
+title: 'Get the latest operating system image: Recreate compute instances to get the
+ latest operating system image.'
+description: Using the latest images ensures you're maintaining a consistent, stable,
+ and secure environment, including ensuring you have the latest security patches.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 97fb061c-e8f2-49ae-9932-bc3b16cfd9e5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeClusterPublicSecureShell.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeClusterPublicSecureShell.yaml
new file mode 100644
index 000000000..ff7f9a6ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeClusterPublicSecureShell.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MachineLearningComputeClusterPublicSecureShell
+title: 'Disable the public SSH port: Ensure the public Secure Shell (SSH) port is
+ closed on the Machine Learning compute cluster by setting `remoteLoginPortPublicAccess`
+ to `Disabled`. Apply a similar configuration if you use a different compute.'
+description: Disabling SSH access helps prevent unauthorized individuals from gaining
+ access and potentially causing harm to your system and protects you against brute
+ force attacks.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 10b9366c-cd35-439f-ac46-68b330714d4d
+links: []
+queries: {}
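Review bot: This recommendation names the exact property to verify (`remoteLoginPortPublicAccess` set to `Disabled`) yet `queries: {}` is empty, so one of the few objectively testable items in this batch cannot be checked automatically. Note also that `resourceTypes` lists only `microsoft.machinelearningservices/workspaces`, while the title places the setting on the compute cluster rather than the workspace; if queries are keyed on resource type, a check for this setting will presumably need the compute child type as well — worth confirming against the resource schema before adding one.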
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeContainerRegistries.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeContainerRegistries.yaml
new file mode 100644
index 000000000..48212df30
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeContainerRegistries.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MachineLearningComputeContainerRegistries
+title: 'Integrity: Regulate access to approved container registries. Ensure Machine
+ Learning compute can only access approved registries.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 20487ff0-e5c9-436d-939c-35c856dd64aa
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeEnvironmentsRequiringCodeSigning.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeEnvironmentsRequiringCodeSigning.yaml
new file mode 100644
index 000000000..02044a34f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeEnvironmentsRequiringCodeSigning.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MachineLearningComputeEnvironmentsRequiringCodeSigning
+title: 'Integrity: Require code used for training in Machine Learning compute environments
+ to be signed. Requiring code signing ensures that the code running is from a trusted
+ source and hasn''t been tampered with.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 69440a0f-3fab-4ea2-95b1-ba0ec1c637fc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeLocalAuthentication.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeLocalAuthentication.yaml
new file mode 100644
index 000000000..41817137c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputeLocalAuthentication.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MachineLearningComputeLocalAuthentication
+title: 'Disable local authentication: Disable local authentication for Machine Learning
+ compute clusters and instances.'
+description: Disabling local authentication increases the security of your Machine
+ Learning compute and provides centralized control and management of identities and
+ resource credentials.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: f4b8cd6c-b939-4cd6-a88f-cb56c5f1958f
+links: []
+queries: {}
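Review bot: Every entry visible in this diff carries `severity: 1`, including this hardening control (disable local authentication) and the public-SSH-port item, which have a far more direct exposure than the performance SKU guidance that also gets `severity: 1`. If the generator assigns a constant default rather than reading a severity from the guide, that should be made explicit (a generator comment such as `# severity defaulted; triage security items by hand`) or the security items re-rated, otherwise consumers cannot prioritise. Like the SSH item, this one describes a concrete setting on compute clusters and instances but ships with `queries: {}` empty.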
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputePythonPackages.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputePythonPackages.yaml
new file mode 100644
index 000000000..bf17b27d4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningComputePythonPackages.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MachineLearningComputePythonPackages
+title: 'Integrity: Regulate the Python packages that can be run on Machine Learning
+ compute. Regulating the Python packages ensures only trusted packages are run.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: a6718d1d-a5e1-4064-a501-7068066d74ba
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningCustomerManagedKeys.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningCustomerManagedKeys.yaml
new file mode 100644
index 000000000..186ccf8a3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningCustomerManagedKeys.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MachineLearningCustomerManagedKeys
+title: 'Encrypt data at rest: Consider using customer-managed keys with Machine Learning.'
+description: Encrypting data at rest enhances data security by ensuring that sensitive
+ data is encrypted by using keys directly managed by you. If you have a regulatory
+ requirement to manage your own encryption keys, use this feature to comply with
+ that requirement.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: bf8d8030-a273-4136-b91b-3e926b3265b1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningNetworkIsolationMachineLearningWorkspace.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningNetworkIsolationMachineLearningWorkspace.yaml
new file mode 100644
index 000000000..82a0f4067
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningNetworkIsolationMachineLearningWorkspace.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MachineLearningNetworkIsolationMachineLearningWorkspace
+title: 'Machine Learning network isolation: Configure a private endpoint for your
+ Machine Learning workspace and connect to the workspace over that private endpoint.'
+description: Machine Learning network isolation enhances security by ensuring that
+ access to your workspace is secure and controlled. With a private endpoint configured
+ for your workspace, you can then limit access to your workspace to only occur over
+ the private IP addresses.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: a4cde3d0-7ea2-40b0-b2a8-b047c132dab2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningServiceAzureSecurityBaseline.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningServiceAzureSecurityBaseline.yaml
new file mode 100644
index 000000000..259f04464
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningServiceAzureSecurityBaseline.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MachineLearningServiceAzureSecurityBaseline
+title: 'Security baseline: To enhance the security and compliance of your Machine
+ Learning Service, apply the Azure security baseline for Machine Learning.'
+description: The security baseline provides tailored guidance on crucial security
+ aspects such as network security, identity management, data protection, and privileged
+ access. For optimal security, use Microsoft Defender for Cloud to monitor these
+ aspects.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 255aca7d-7c4e-4b83-a0d8-aee85f7c2695
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceAttackSurface.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceAttackSurface.yaml
new file mode 100644
index 000000000..f1a699089
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceAttackSurface.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MachineLearningWorkspaceAttackSurface
+title: 'Availability: Reduce the attack surface of the Machine Learning workspace
+ by restricting access to the workspace to resources within the virtual network.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 53cd2461-3b8d-47ca-ab08-a9b4491d71ae
+links: []
+queries: {}
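Review bot: The title prefix `Availability:` contradicts the `waf: Security` pillar assigned to this file; the prefix is the CIA-triad property from the source guide, not a WAF pillar, and a consumer that groups by title prefix will misfile it. Consider stripping the `Integrity:`/`Confidentiality:`/`Availability:` prefixes out of `title` into a dedicated field in the generator. This item also overlaps heavily with `wafsg-MachineLearningNetworkIsolationMachineLearningWorkspace` and `wafsg-MachineLearningWorkspaceOtherExternalResources` in the same folder (all three restrict workspace access to the virtual network), which appears to be a consequence of ingesting the same guide from both the JSON checklist and the markdown source without deduplication.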
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceLeastPrivilegePrinciple.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceLeastPrivilegePrinciple.yaml
new file mode 100644
index 000000000..13847daa4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceLeastPrivilegePrinciple.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MachineLearningWorkspaceLeastPrivilegePrinciple
+title: 'Integrity: Implement access controls that authenticate and authorize the Machine
+ Learning workspace for external resources based on the least privilege principle.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: dad6ac87-fd6d-44a4-9882-6d51b37bc564
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceOtherExternalResources.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceOtherExternalResources.yaml
new file mode 100644
index 000000000..20ae78ecd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceOtherExternalResources.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MachineLearningWorkspaceOtherExternalResources
+title: 'Confidentiality: Guard against data exfiltration from the Machine Learning
+ workspace by implementing network isolation. Ensure access to all external resources
+ is explicitly approved and access to all other external resources isn''t permitted.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: bad5ff5c-bdeb-4648-b667-1ea0a76266dc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceQualifiedDomainNames.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceQualifiedDomainNames.yaml
new file mode 100644
index 000000000..21aeb20e1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-MachineLearningWorkspaceQualifiedDomainNames.yaml
@@ -0,0 +1,19 @@
+name: wafsg-MachineLearningWorkspaceQualifiedDomainNames
+title: 'Allow only approved outbound access: Configure the outbound mode on the Machine
+ Learning workspace managed outbound access to `Allow only approved outbound` to
+ minimize the risk of data exfiltration. Configure private endpoints, service tags,
+ or fully qualified domain names (FQDNs) for resources that you need to access.'
+description: "This configuration minimizes the risk of data exfiltration, improving\
+ \ data security. With this configuration enabled, a malicious actor who gains access\
+ \ to your system can\u2019t send your data to an unapproved external destination."
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 6b50845b-0ab2-416a-bbd9-2b4295f8ffcc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ManagedIdentityManagedIdentities.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ManagedIdentityManagedIdentities.yaml
new file mode 100644
index 000000000..5a9261320
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ManagedIdentityManagedIdentities.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ManagedIdentityManagedIdentities
+title: 'Managed identity: Use managed identities for authentication between Machine
+ Learning and other services.'
+description: Managed identities improve security by eliminating the need to store
+ credentials and manually manage and rotate service principals.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 75bc1a96-b2a0-449e-b0e5-93c8a658a39d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ManagedVirtualNetworkIsolationNetworkTopologyRecommendations.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ManagedVirtualNetworkIsolationNetworkTopologyRecommendations.yaml
new file mode 100644
index 000000000..c1ac73baa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-ManagedVirtualNetworkIsolationNetworkTopologyRecommendations.yaml
@@ -0,0 +1,24 @@
+name: wafsg-ManagedVirtualNetworkIsolationNetworkTopologyRecommendations
+title: 'Managed virtual network isolation: Configure managed virtual network isolation
+ for Machine Learning. When you enable managed virtual network isolation, a managed
+ virtual network is created for the workspace. Managed compute resources you create
+ for the workspace automatically use this managed virtual network. If you can''t
+ implement managed virtual network isolation, then you must follow the network topology
+ recommendations to separate compute into a dedicated subnet away from the rest of
+ the resources in the solution, including the private endpoints for workspace resources.'
+description: Managed virtual network isolation enhances security by isolating your
+ workspace from other networks, reducing the risk of unauthorized access. In a scenario
+ in which a breach occurs in another network within your organization, the isolated
+ network of your Machine Learning workspace remains unaffected, protecting your machine
+ learning workloads.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: afb9783e-67e0-4aca-9f01-0299630c34f0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-OpenSourceFoundationalModelsModelCatalogDeployments.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-OpenSourceFoundationalModelsModelCatalogDeployments.yaml
new file mode 100644
index 000000000..34079081b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-OpenSourceFoundationalModelsModelCatalogDeployments.yaml
@@ -0,0 +1,17 @@
+name: wafsg-OpenSourceFoundationalModelsModelCatalogDeployments
+title: 'Restrict model catalog deployments: Restrict model deployments to specific
+ registries.'
+description: Restricting the deployments from the model catalog to specific registries
+ ensures you only deploy models to approved registries. This approach helps regulate
+ access to the open-source foundational models.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: ce858034-a1e7-475c-82df-73878cfb2b42
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-PrivateIpAddressesVirtualNetworkIsolation.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-PrivateIpAddressesVirtualNetworkIsolation.yaml
new file mode 100644
index 000000000..494fa7783
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-PrivateIpAddressesVirtualNetworkIsolation.yaml
@@ -0,0 +1,17 @@
+name: wafsg-PrivateIpAddressesVirtualNetworkIsolation
+title: 'Virtual network isolation for dependent services: Configure dependent services,
+ such as Storage, Key Vault, and Container Registry with private endpoints and disable
+ public access.'
+description: Network isolation bolsters security by restricting access to Azure platform
+ as a service (PaaS) solutions to private IP addresses only.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: f2bbde49-82c0-4b92-b593-5b66537909de
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-PublicIpAddressesMachineLearningCompute.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-PublicIpAddressesMachineLearningCompute.yaml
new file mode 100644
index 000000000..4cf5799a2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-PublicIpAddressesMachineLearningCompute.yaml
@@ -0,0 +1,17 @@
+name: wafsg-PublicIpAddressesMachineLearningCompute
+title: 'Don''t provision public IP addresses for Machine Learning compute: Set enableNodePublicIp
+ to `false` when provisioning Machine Learning compute clusters or compute instances.
+ Apply a similar configuration if you use a different compute.'
+description: Refrain from provisioning public IP addresses to enhance security by
+ limiting the potential for unauthorized access to your compute instance or clusters.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: aa25efe6-19ad-455e-8bae-886c75a8092b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-RoleBasedAccessControlMachineLearningWorkspace.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-RoleBasedAccessControlMachineLearningWorkspace.yaml
new file mode 100644
index 000000000..defdf6add
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-RoleBasedAccessControlMachineLearningWorkspace.yaml
@@ -0,0 +1,18 @@
+name: wafsg-RoleBasedAccessControlMachineLearningWorkspace
+title: 'Confidentiality: Adhere to the principle of least privilege for role-based
+ access control (RBAC) to the Machine Learning workspace and related resources, such
+ as the workspace storage account, to ensure individuals have only the necessary
+ permissions for their role, thereby minimizing potential security risks.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 3fff9526-ef3a-487b-b89e-cb04d344c691
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-SpecificAzureStorageAccountsServiceEndpointPolicy.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-SpecificAzureStorageAccountsServiceEndpointPolicy.yaml
new file mode 100644
index 000000000..97076deb2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-SpecificAzureStorageAccountsServiceEndpointPolicy.yaml
@@ -0,0 +1,17 @@
+name: wafsg-SpecificAzureStorageAccountsServiceEndpointPolicy
+title: 'Minimize the risk of data exfiltration: Implement data exfiltration prevention.
+ For example, create a service endpoint policy to filter egress virtual network traffic
+ and permit data exfiltration only to specific Azure Storage accounts.'
+description: Minimize the risk of data exfiltration by limiting inbound and outbound
+ requirements.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 5842dc88-8f4b-4f34-9cba-9a3ecbd083f7
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-SpecificUseCasesUseCaseSegregation.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-SpecificUseCasesUseCaseSegregation.yaml
new file mode 100644
index 000000000..850fe0363
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-SpecificUseCasesUseCaseSegregation.yaml
@@ -0,0 +1,19 @@
+name: wafsg-SpecificUseCasesUseCaseSegregation
+title: 'Integrity: Implement use case segregation for Machine Learning workspaces
+ by setting up workspaces based on specific use cases or projects. This approach
+ adheres to the principle of least privilege by ensuring that workspaces are only
+ accessible to individuals that require access to data and experimentation assets
+ for the use case or project.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-machine-learning.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 18119160-8531-45fb-b169-3e5488b9bd30
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-StrictMachineLearningWorkspaceAccessControlsStrictWorkspaceAccessControls.yaml b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-StrictMachineLearningWorkspaceAccessControlsStrictWorkspaceAccessControls.yaml
new file mode 100644
index 000000000..a293d6e0e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftMachineLearningServices-workspaces/Security/wafsg-StrictMachineLearningWorkspaceAccessControlsStrictWorkspaceAccessControls.yaml
@@ -0,0 +1,19 @@
+name: wafsg-StrictMachineLearningWorkspaceAccessControlsStrictWorkspaceAccessControls
+title: 'Strict Machine Learning workspace access controls: Use Microsoft Entra ID
+ groups to manage workspace access and adhere to the principle of least privilege
+ for RBAC.'
+description: Strict workspace access controls enhance security by ensuring that individuals
+ have only the necessary permissions for their role. A data scientist, for instance,
+ might have access to run experiments but not to modify security settings, minimizing
+ potential security risks.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.machinelearningservices/workspaces
+waf: Security
+severity: 1
+labels:
+ guid: 07d3c478-039d-4654-9e75-44712f822a98
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesAvailabilityZoneAzVolumePlacementFeature.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesAvailabilityZoneAzVolumePlacementFeature.yaml
new file mode 100644
index 000000000..3598e3c1e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesAvailabilityZoneAzVolumePlacementFeature.yaml
@@ -0,0 +1,19 @@
+name: aprl-AzureNetappFilesAvailabilityZoneAzVolumePlacementFeature
+title: Deploy ANF volumes in the same availability zone with Azure compute and other
+ services
+description: |-
+ Azure NetApp Files' availability zone (AZ) volume placement feature lets you deploy volumes in the same AZ with Azure compute and other services to have within AZ latency and share the same AZ failure domain.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: 8bb690e8-64d5-4838-8703-9ee3dbac688f
+ area: Other Best Practices
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesAzurePolicyIntegration.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesAzurePolicyIntegration.yaml
new file mode 100644
index 000000000..77134f394
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesAzurePolicyIntegration.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureNetappFilesAzurePolicyIntegration
+title: Enforce standards and assess compliance in Azure NetApp Files with Azure policy
+description: |-
+ Azure NetApp Files supports Azure policy integration using either built-in policy definitions or by creating custom ones to maintain organizational standards and compliance.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 1
+labels:
+ guid: 687ae58f-517f-ca43-90fe-922497e61283
+ area: Governance
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesDataProtection.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesDataProtection.yaml
new file mode 100644
index 000000000..524b0e10c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesDataProtection.yaml
@@ -0,0 +1,23 @@
+name: aprl-AzureNetappFilesDataProtection
+title: Enable backup for data protection in Azure NetApp Files
+description: |-
+ Azure NetApp Files offers a fully managed backup solution enhancing long-term recovery, archiving, and compliance.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: b2fb3e60-97ec-e34d-af29-b16a0d61c2ac
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // This Resource Graph query will return all Azure NetApp Files volumes without a backup policy defined.
+ resources
+ | where type == "microsoft.netapp/netappaccounts/capacitypools/volumes"
+ | where properties.dataProtection.backup.backupPolicyId == ""
+ | project recommendationId = "b2fb3e60-97ec-e34d-af29-b16a0d61c2ac", name, id, tags
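Review bot: The filter on the line above, `| where properties.dataProtection.backup.backupPolicyId == ""`, only matches volumes whose backupPolicyId is present and empty; a volume where the backup block or the property is simply absent yields null, which `== ""` does not match, so such volumes would silently pass the check. The sibling availability-zone query in this same change guards both cases (`array_length(zones) == 0 or isnull(zones)`), so the two queries are inconsistent. If an unset policy can be represented as a missing property (worth confirming against a real volume), `| where isempty(tostring(properties.dataProtection.backup.backupPolicyId))` catches both null and empty.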
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesMetricsNetappAccounts.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesMetricsNetappAccounts.yaml
new file mode 100644
index 000000000..ccbce7a23
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesMetricsNetappAccounts.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureNetappFilesMetricsNetappAccounts
+title: Monitor Azure NetApp Files metrics to better understand usage pattern and performance
+description: |-
+ Azure NetApp Files offers metrics like allocated storage, actual usage, volume IOPS, and latency, enabling a better understanding of usage patterns and volume performance for NetApp accounts.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 1
+labels:
+ guid: 2f579fc9-e599-0d44-8b97-254f50ae04d8
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesMultipleAvailabilityZones.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesMultipleAvailabilityZones.yaml
new file mode 100644
index 000000000..e46ef885e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesMultipleAvailabilityZones.yaml
@@ -0,0 +1,23 @@
+name: aprl-AzureNetappFilesMultipleAvailabilityZones
+title: Use availability zones for high availability in Azure NetApp Files
+description: |-
+ Availability zones are distinct locations within an Azure region to withstand local failures. Deploy your workload in multiple availability zones and use application-based replication or Azure NetApp Files cross-zone replication to achieve high availability. Note that failover is a manual process.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: 47d100a5-7f85-5742-967a-67eb5081240a
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This Resource Graph query will return all Azure NetApp Files volumes without an availability zone defined.
+ Resources
+ | where type =~ "Microsoft.NetApp/netAppAccounts/capacityPools/volumes"
+ | where array_length(zones) == 0 or isnull(zones)
+ | project recommendationId = "47d100a5-7f85-5742-967a-67eb5081240a", name, id, tags
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesReplicationAzureNetappFilesVolumes.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesReplicationAzureNetappFilesVolumes.yaml
new file mode 100644
index 000000000..67b89c232
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesReplicationAzureNetappFilesVolumes.yaml
@@ -0,0 +1,25 @@
+name: aprl-AzureNetappFilesReplicationAzureNetappFilesVolumes
+title: Enable Cross-region replication of Azure NetApp Files volumes
+description: |-
+ Azure NetApp Files replication offers data protection by allowing asynchronous cross-region volume replication for application failover in case of regional outages. Volumes can be replicated across regions, not concurrently with cross-zone replication. Note that failover is a manual process.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: e30317d2-c502-4dfe-a2d3-0a737cc79545
+ area: Disaster Recovery
+links: []
+queries:
+ arg: "// Azure Resource Graph Query\n// This Resource Graph query will return all\
+ \ Azure NetApp Files volumes without cross-region replication.\nresources\n|\_\
+ where\_type\_==\_\"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n|\_\
+ extend\_remoteVolumeRegion\_=\_properties.dataProtection.replication.remoteVolumeRegion\n\
+ |\_extend\_volumeType\_=\_properties.volumeType\n|\_extend\_replicationType\_\
+ =\_iff((remoteVolumeRegion\_==\_location),\_\"CZR\",\_iff((remoteVolumeRegion\_\
+ ==\_\"\"),\"n/a\",\"CRR\"))\n| where replicationType != \"CRR\" and volumeType\
+ \ != \"DataProtection\"\n| project recommendationId = \"e30317d2-c502-4dfe-a2d3-0a737cc79545\"\
+ , name, id, tags\n"
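Review bot: The `arg` query in this file carries `\_` escapes (`|\_where\_type\_==\_...`, `extend\_remoteVolumeRegion\_=\_...`), which in a YAML double-quoted scalar decode to U+00A0 non-breaking spaces rather than ordinary spaces, so the loaded KQL is a mix of NBSP-separated and space-separated tokens. The Kusto parser may not treat U+00A0 as whitespace, in which case this query fails to parse when the checklist is run; the trailing lines from `| where replicationType != "CRR"` onward use normal spaces, which shows the corruption came in with the copied upstream text. The fix is to normalize the query to plain spaces (e.g. `.replace("\u00a0", " ")` in the generator that reads the APRL yaml, or in the upstream recommendations.yaml), after which the dumper will emit the block as a readable literal scalar like the other queries in this change.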
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesSnapshotTechnologyAzureNetappFilesData.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesSnapshotTechnologyAzureNetappFilesData.yaml
new file mode 100644
index 000000000..39003bc59
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesSnapshotTechnologyAzureNetappFilesData.yaml
@@ -0,0 +1,21 @@
+name: aprl-AzureNetappFilesSnapshotTechnologyAzureNetappFilesData
+title: Use snapshots for data protection in Azure NetApp Files
+description: |-
+ Azure NetApp Files snapshot technology ensures stability, scalability, and swift data recoverability without affecting performance. It supports automatic snapshot creation via policies for Azure NetApp Files data.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: 72827434-c773-4345-9493-34848ddf5803
+ area: High Availability
+links: []
+queries:
+ arg: "// Azure Resource Graph Query\n// This Resource Graph query will return all\
+ \ Azure NetApp Files volumes without a snapshot policy defined.\nresources\n|\_\
+ where\_type\_==\_\"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n|\
+ \ where properties.dataProtection.snapshot.snapshotPolicyId == \"\"\n| project\
+ \ recommendationId = \"72827434-c773-4345-9493-34848ddf5803\", name, id, tags\n"
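Review bot: Two issues in this `arg` scalar. First, the `\_` escapes on the `where\_type\_==` line decode to U+00A0 non-breaking spaces, which Kusto may not accept as token separators, so the query should be normalized to plain spaces before it is shipped. Second, `properties.dataProtection.snapshot.snapshotPolicyId == ""` misses volumes where the property is absent (null) rather than empty; if that representation occurs, `isempty(tostring(properties.dataProtection.snapshot.snapshotPolicyId))` covers both.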
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesVolumesDifferentAvailabilityZones.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesVolumesDifferentAvailabilityZones.yaml
new file mode 100644
index 000000000..792c357b5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-AzureNetappFilesVolumesDifferentAvailabilityZones.yaml
@@ -0,0 +1,25 @@
+name: aprl-AzureNetappFilesVolumesDifferentAvailabilityZones
+title: Enable Cross-zone replication of Azure NetApp Files volumes
+description: |-
+ The cross-zone replication (CZR) feature enables asynchronous data replication between Azure NetApp Files volumes across different availability zones, ensuring data protection and critical application failover in case of zone-wide disasters. Note that failover is a manual process.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: e3d742e1-dacd-9b48-b6b1-510ec9f87c96
+ area: Disaster Recovery
+links: []
+queries:
+ arg: "// Azure Resource Graph Query\n// This Resource Graph query will return all\
+ \ Azure NetApp Files volumes without cross-zone replication.\nresources\n|\_where\_\
+ type\_==\_\"microsoft.netapp/netappaccounts/capacitypools/volumes\"\n|\_extend\_\
+ remoteVolumeRegion\_=\_properties.dataProtection.replication.remoteVolumeRegion\n\
+ |\_extend\_volumeType\_=\_properties.volumeType\n|\_extend\_replicationType\_\
+ =\_iff((remoteVolumeRegion\_==\_location),\_\"CZR\",\_iff((remoteVolumeRegion\_\
+ ==\_\"\"),\"n/a\",\"CRR\"))\n| where replicationType != \"CZR\" and volumeType\
+ \ != \"DataProtection\"\n| project recommendationId = \"e3d742e1-dacd-9b48-b6b1-510ec9f87c96\"\
+ , name, id, tags\n"
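Review bot: Same problem as the cross-region query: the `\_` sequences in this double-quoted `arg` scalar are YAML escapes for U+00A0, so `|\_where\_type\_==\_"microsoft.netapp/..."` and the `extend` lines are separated by non-breaking spaces while the `| where replicationType != "CZR"` tail uses ordinary spaces. Kusto may reject or mis-tokenize the NBSP-separated part, so the recommendation would never be evaluated. Normalize the whitespace in the upstream recommendations.yaml or in the importer so the query round-trips as a plain literal block.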
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-CapacityPoolAttributesAzureNetappFiles.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-CapacityPoolAttributesAzureNetappFiles.yaml
new file mode 100644
index 000000000..0665f8845
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-CapacityPoolAttributesAzureNetappFiles.yaml
@@ -0,0 +1,19 @@
+name: aprl-CapacityPoolAttributesAzureNetappFiles
+title: Use the correct service level and volume quota size for the expected performance
+ level
+description: |-
+ Service levels, part of capacity pool attributes, determine the maximum throughput per volume quota in Azure NetApp Files. It combines read and write speed, offering three levels: Standard (16 MiB/s per 1TiB), Premium (64 MiB/s per 1TiB), and Ultra (128 MiB/s per 1TiB) throughput.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 1
+labels:
+ guid: af426a99-62a6-6b4c-9662-42d220b413b8
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-SmbContinuousAvailabilitySmbTransparentFailover.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-SmbContinuousAvailabilitySmbTransparentFailover.yaml
new file mode 100644
index 000000000..7b8c8a79e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-SmbContinuousAvailabilitySmbTransparentFailover.yaml
@@ -0,0 +1,18 @@
+name: aprl-SmbContinuousAvailabilitySmbTransparentFailover
+title: Make use of SMB continuous availability for supported applications
+description: |-
+ Certain SMB applications need SMB Transparent Failover for maintenance without interrupting server connectivity. Azure NetApp Files provides this through SMB Continuous Availability for applications like Citrix App Layering, FSLogix user/profile containers, Microsoft SQL Server, MSIX app attach.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: d1e7ccc3-e6c1-40e9-a36e-fd134711c808
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-SpecificAzureVirtualNetworksAzureNetappFilesVolumes.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-SpecificAzureVirtualNetworksAzureNetappFilesVolumes.yaml
new file mode 100644
index 000000000..bc0a9b6e5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-SpecificAzureVirtualNetworksAzureNetappFilesVolumes.yaml
@@ -0,0 +1,18 @@
+name: aprl-SpecificAzureVirtualNetworksAzureNetappFilesVolumes
+title: Restrict default access to Azure NetApp Files volumes
+description: |-
+ Access to the delegated subnet should be limited to specific Azure Virtual Networks. SMB-enabled volumes' share permissions should move away from 'Everyone/Full control'. NFS-enabled volumes' access needs to be controlled via export policies and/or NFSv4.1 ACLs.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 1
+labels:
+ guid: cfa2244b-5436-47de-8287-b217875d3b0a
+ area: Security
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
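Review bot: This is the only Security-area NetApp recommendation in the change and its query is the `// cannot-be-validated-with-arg` placeholder, although at least the NFS half of the description looks checkable. Volumes expose their export policy in ARM as `properties.exportPolicy.rules[]` with an `allowedClients` field, so a query that flags rules whose `allowedClients` is `0.0.0.0/0` (and, if the schema exposes it, `unixReadWrite` set) would give a concrete, automatable signal for "default access not restricted"; that is worth confirming against the Microsoft.NetApp volume schema before replacing the placeholder. The SMB share-permission part is a data-plane setting and genuinely cannot be seen from ARG, so the description should say which part the query covers.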
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-StandardNetworkFeaturesAzureNetappFiles.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-StandardNetworkFeaturesAzureNetappFiles.yaml
new file mode 100644
index 000000000..ffdb9cdc6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-StandardNetworkFeaturesAzureNetappFiles.yaml
@@ -0,0 +1,23 @@
+name: aprl-StandardNetworkFeaturesAzureNetappFiles
+title: Use standard network features for production in Azure NetApp Files
+description: |-
+ Standard network feature in Azure NetApp Files enhances IP limits and VNet capabilities, including network security groups, user-defined routes on subnets, and diverse connectivity options.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 0
+labels:
+ guid: ab984130-c57b-6c4a-8d04-6723b4e1bdb6
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This Resource Graph query will return all Azure NetApp Files volumes without standard network features.
+ resources
+ | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
+ | where properties.networkFeatures != "Standard"
+ | project recommendationId = "ab984130-c57b-6c4a-8d04-6723b4e1bdb6", name, id, tags
diff --git a/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-StorageServiceMaintenanceEventsOccasionalPlannedMaintenance.yaml b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-StorageServiceMaintenanceEventsOccasionalPlannedMaintenance.yaml
new file mode 100644
index 000000000..fe25404a6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetApp-netAppAccounts/aprl-StorageServiceMaintenanceEventsOccasionalPlannedMaintenance.yaml
@@ -0,0 +1,18 @@
+name: aprl-StorageServiceMaintenanceEventsOccasionalPlannedMaintenance
+title: Ensure application resilience for service maintenance events
+description: |-
+ Azure NetApp Files might undergo occasional planned maintenance such as platform updates or service and software upgrades. It's important to be aware of the application's resiliency settings to cope with these storage service maintenance events.
+source:
+ type: aprl
+ file: azure-resources/NetApp/netAppAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetApp/netAppAccounts
+severity: 1
+labels:
+ guid: 60f36f9b-fac9-4160-bbf5-57af04da4f53
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-AzureExpressrouteDirectAdminState.yaml b/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-AzureExpressrouteDirectAdminState.yaml
new file mode 100644
index 000000000..81b277c3e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-AzureExpressrouteDirectAdminState.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureExpressrouteDirectAdminState
+title: The Admin State of both Links of an ExpressRoute Direct should be in Enabled
+ state
+description: |-
+ In Azure ExpressRoute Direct, the "Admin State" indicates the administrative status of layer 1 links, showing if a link is enabled or disabled, effectively turning the physical port on or off.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRoutePorts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/ExpressRoutePorts
+severity: 0
+labels:
+ guid: 60077378-7cb1-4b35-89bb-393884d9921d
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Express Route Directs that do not have Admin State of both Links Enabled
+ resources
+ | where type == "microsoft.network/expressrouteports"
+ | where properties['links'][0]['properties']['adminState'] == "Disabled" or properties['links'][1]['properties']['adminState'] == "Disabled"
+ | project recommendationId = "60077378-7cb1-4b35-89bb-393884d9921d", name, id, tags, param1 = strcat("Link1AdminState: ", properties['links'][0]['properties']['adminState']), param2 = strcat("Link2AdminState: ", properties['links'][1]['properties']['adminState'])
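Review bot: The filter on the `| where` line only fires when a link's adminState is exactly the string `"Disabled"`, so a port whose `links[1]` is missing or whose state is any other value (or differently cased) is reported as compliant, which is the opposite of what the title "should be in Enabled state" asks for. Inverting the test to `| where properties['links'][0]['properties']['adminState'] !~ "Enabled" or properties['links'][1]['properties']['adminState'] !~ "Enabled"` flags every non-Enabled case, including null, and is case-insensitive. The `param1`/`param2` projection would then show the actual state, which is useful when the value is neither Enabled nor Disabled.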
diff --git a/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-AzureMonitorBaselineAlertsExpressroutePortLightLevels.yaml b/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-AzureMonitorBaselineAlertsExpressroutePortLightLevels.yaml
new file mode 100644
index 000000000..fff7aa7fa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-AzureMonitorBaselineAlertsExpressroutePortLightLevels.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureMonitorBaselineAlertsExpressroutePortLightLevels
+title: Configure monitoring and alerting for ExpressRoute Ports
+description: |-
+ Use Network Insights for monitoring ExpressRoute Port light levels, bits per second in/out, and line protocol. Set alerts based on Azure Monitor Baseline Alerts for light levels, bits per second in/out, and line protocol exceeding specific thresholds.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRoutePorts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRoutePorts
+severity: 0
+labels:
+ guid: 55815823-d588-4cb7-a5b8-ae581837356e
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-GbpsExpressrouteDirectResourceExpressrouteDirectPort.yaml b/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-GbpsExpressrouteDirectResourceExpressrouteDirectPort.yaml
new file mode 100644
index 000000000..6c4216bfa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-ExpressRoutePorts/aprl-GbpsExpressrouteDirectResourceExpressrouteDirectPort.yaml
@@ -0,0 +1,23 @@
+name: aprl-GbpsExpressrouteDirectResourceExpressrouteDirectPort
+title: Ensure you do not over-subscribe an ExpressRoute Direct
+description: |-
+ Provisioning ExpressRoute circuits on a 10-Gbps or 100-Gbps ExpressRoute Direct resource up to 20-Gbps or 200-Gbps is possible but not recommended for resiliency. If an ExpressRoute Direct port fails, and circuits are using full capacity, the remaining port won't handle the extra load.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRoutePorts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/ExpressRoutePorts
+severity: 0
+labels:
+ guid: 0bee356b-7348-4799-8cab-0c71ffe13018
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Express Route Directs that are over subscribed
+ resources
+ | where type == "microsoft.network/expressrouteports"
+ | where toint(properties['provisionedBandwidthInGbps']) > toint(properties['bandwidthInGbps'])
+ | project recommendationId = "0bee356b-7348-4799-8cab-0c71ffe13018", name, id, tags, param1 = strcat("provisionedBandwidthInGbps: ", properties['provisionedBandwidthInGbps']), param2 = strcat("bandwidthInGbps: ", properties['bandwidthInGbps'])
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallDeploymentsTestingEnvironments.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallDeploymentsTestingEnvironments.yaml
new file mode 100644
index 000000000..a3a98e8be
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallDeploymentsTestingEnvironments.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallDeploymentsTestingEnvironments
+title: Stop Azure Firewall deployments that don't need to run for 24x7.
+description: You might have development or testing environments that are used only
+ during business hours. For more information, see Deallocate and allocate Azure Firewall.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: e3cd59af-4664-4d35-b291-45076f5452bd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallManagerOneFirewallAssociation.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallManagerOneFirewallAssociation.yaml
new file mode 100644
index 000000000..0f77afab2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallManagerOneFirewallAssociation.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFirewallManagerOneFirewallAssociation
+title: Use Azure Firewall Manager and its Policies to reduce operational costs, increase
+ efficiency, and reduce management overhead.
+description: Review your Firewall Manager policies, associations, and inheritance
+ carefully. Policies are billed based on firewall associations. A policy with zero
+ or one firewall association is free of charge. A policy with multiple firewall associations
+ is billed at a fixed rate.For more information, see Pricing - Azure Firewall Manager.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: a8ac7739-8682-4369-84c6-e0fd8185f1a6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallSku.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallSku.yaml
new file mode 100644
index 000000000..4c7859442
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-AzureFirewallSku.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallSku
+title: Select the Azure Firewall SKU to deploy.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: e23cca89-b750-4a14-8187-038aa999ab81
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-CostEffectiveApproachThirdPartySolutions.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-CostEffectiveApproachThirdPartySolutions.yaml
new file mode 100644
index 000000000..e22d5445e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-CostEffectiveApproachThirdPartySolutions.yaml
@@ -0,0 +1,20 @@
+name: wafsg-CostEffectiveApproachThirdPartySolutions
+title: Review logging requirements.
+description: Azure Firewall has the ability to comprehensively log metadata of all
+ traffic it sees, to Log Analytics Workspaces, Storage or third party solutions through
+ Event Hubs. However, all logging solutions incur costs for data processing and storage.
+ At very large volumes these costs can be significant, a cost effective approach
+ and alternative to Log Analytics should be considered and cost estimated. Consider
+ whether it is required to log traffic metadata for all logging categories and modify
+ in Diagnostic Settings if needed.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: 9fba472e-101a-4d6c-b9e9-762ce0e6035d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-FirewallInstancesUsageCostEffectiveness.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-FirewallInstancesUsageCostEffectiveness.yaml
new file mode 100644
index 000000000..632675387
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-FirewallInstancesUsageCostEffectiveness.yaml
@@ -0,0 +1,15 @@
+name: wafsg-FirewallInstancesUsageCostEffectiveness
+title: Monitor and optimize firewall instances usage to determine cost-effectiveness.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: 5f8eaf16-cabf-4fc4-82f9-1b9069b3bac2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-FirewallUseWorkloads.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-FirewallUseWorkloads.yaml
new file mode 100644
index 000000000..dcedc4d57
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-FirewallUseWorkloads.yaml
@@ -0,0 +1,15 @@
+name: wafsg-FirewallUseWorkloads
+title: Determine where you can optimize firewall use across workloads.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: b68aec37-acbd-4101-be19-3e99e8d641f6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-LoggingRequirementsEstimate.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-LoggingRequirementsEstimate.yaml
new file mode 100644
index 000000000..1cabb9945
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-LoggingRequirementsEstimate.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LoggingRequirementsEstimate
+title: Review logging requirements, estimate cost and control over time.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: ed8185a5-8f3a-402b-bd40-a3db15b390fd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-ManySpokeVirtualNetworksVirtualWanSecureHub.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-ManySpokeVirtualNetworksVirtualWanSecureHub.yaml
new file mode 100644
index 000000000..365f88326
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-ManySpokeVirtualNetworksVirtualWanSecureHub.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ManySpokeVirtualNetworksVirtualWanSecureHub
+title: Share the same instance of Azure Firewall across multiple workloads and Azure
+ Virtual Networks.
+description: You can use a central instance of Azure Firewall in the hub virtual network
+ or Virtual WAN secure hub and share the same firewall across many spoke virtual
+ networks that are connected to the same hub from the same region. Ensure there's
+ no unexpected cross-region traffic as part of the hub-spoke topology.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: 0648162b-e60c-4625-811d-8e844e53d297
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-PermanentXAllocationInstances.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-PermanentXAllocationInstances.yaml
new file mode 100644
index 000000000..322ba40fe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-PermanentXAllocationInstances.yaml
@@ -0,0 +1,15 @@
+name: wafsg-PermanentXAllocationInstances
+title: Determine if some instances don't need permanent 24x7 allocation.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: c606fee7-9b75-4ce1-921f-aac5591768f8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-ProperAzureFirewallSkuRightAzureFirewallSku.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-ProperAzureFirewallSkuRightAzureFirewallSku.yaml
new file mode 100644
index 000000000..771d3ffc1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-ProperAzureFirewallSkuRightAzureFirewallSku.yaml
@@ -0,0 +1,21 @@
+name: wafsg-ProperAzureFirewallSkuRightAzureFirewallSku
+title: Deploy the proper Azure Firewall SKU.
+description: "Azure Firewall can be deployed in three different SKUs: Basic, Standard\
+ \ and Premium. Azure Firewall Premium is recommended to secure highly sensitive\
+ \ applications (such as payment processing). Azure Firewall Standard is recommended\
+ \ for customers looking for Layer 3\u2013Layer 7 firewall and needs autoscaling\
+ \ to handle peak traffic periods of up to 30 Gbps. Azure Firewall Basic is recommended\
+ \ for SMB customers with throughput needs of 250 Mbps. If required, downgrade or\
+ \ upgrade is possible between Standard and Premium as documented here. For more\
+ \ information, see Choose the right Azure Firewall SKU to meet your needs."
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: f91761cf-5135-4dc1-bebc-0f25ebd32c55
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-PublicIpAddressesNumber.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-PublicIpAddressesNumber.yaml
new file mode 100644
index 000000000..3f30dc935
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-PublicIpAddressesNumber.yaml
@@ -0,0 +1,16 @@
+name: wafsg-PublicIpAddressesNumber
+title: Review and optimize the number of public IP addresses required and Policies
+ used.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: c88ea77e-1e9c-4d30-8b5e-c5e35cd4d93f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-TopFlowsLogFatFlows.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-TopFlowsLogFatFlows.yaml
new file mode 100644
index 000000000..ab2ffe711
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-TopFlowsLogFatFlows.yaml
@@ -0,0 +1,18 @@
+name: wafsg-TopFlowsLogFatFlows
+title: Regularly review traffic processed by Azure Firewall and look for originating
+ workload optimizations
+description: Top Flows log (known in the industry as Fat Flows), shows the top connections
+ that are contributing to the highest throughput through the firewall. It is recommended
+ to regularly review traffic processed by the Azure Firewall and search for possible
+ optimizations to reduce the amount of traffic traversing the firewall.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: c6b65421-d9c6-46aa-85c5-9e891c888744
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-UnusedAzureFirewallDeploymentsAzureFirewallInstances.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-UnusedAzureFirewallDeploymentsAzureFirewallInstances.yaml
new file mode 100644
index 000000000..11d5673f9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-UnusedAzureFirewallDeploymentsAzureFirewallInstances.yaml
@@ -0,0 +1,22 @@
+name: wafsg-UnusedAzureFirewallDeploymentsAzureFirewallInstances
+title: Review under-utilized Azure Firewall instances. Identify and delete unused
+ Azure Firewall deployments.
+description: To identify unused Azure Firewall deployments, start by analyzing the
+ monitoring metrics and UDRs associated with subnets pointing to the firewall's private
+ IP. Combine that information with other validations, such as if your instance of
+ Azure Firewall has any rules (classic) for NAT, Network and Application, or even
+ if the DNS Proxy setting is configured to Disabled, and with internal documentation
+ about your environment and deployments. You can detect deployments that are cost-effective
+ over time. For more information about monitoring logs and metrics, see Monitor
+ Azure Firewall logs and metrics and SNAT port utilization.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: ef951ddc-d36a-4194-a039-48af1cd3b1dd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-UnusedPublicIpAddressesSnatPortUtilization.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-UnusedPublicIpAddressesSnatPortUtilization.yaml
new file mode 100644
index 000000000..6ff24e3d1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Cost/wafsg-UnusedPublicIpAddressesSnatPortUtilization.yaml
@@ -0,0 +1,18 @@
+name: wafsg-UnusedPublicIpAddressesSnatPortUtilization
+title: Delete unused public IP addresses.
+description: Validate whether all the associated public IP addresses are in use. If
+ they aren't in use, disassociate and delete them. Evaluate SNAT port utilization
+ before removing any IP addresses.You'll only use the number of public IPs your firewall
+ needs. For more information, see Monitor Azure Firewall logs and metrics and SNAT
+ port utilization.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Cost
+severity: 1
+labels:
+ guid: 01e92d97-de38-46fd-a4b3-a180301ada9b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-AzureFirewallAzureMonitor.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-AzureFirewallAzureMonitor.yaml
new file mode 100644
index 000000000..e7541136e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-AzureFirewallAzureMonitor.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureFirewallAzureMonitor
+title: Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to
+ store and analyze firewall logs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 2
+labels:
+ guid: 1dc04554-dece-4ffb-a49e-5c683e09f8da
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/firewall-diagnostics
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-AzureFirewallClassicRulesFirewallPolicy.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-AzureFirewallClassicRulesFirewallPolicy.yaml
new file mode 100644
index 000000000..b8ab4998f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-AzureFirewallClassicRulesFirewallPolicy.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureFirewallClassicRulesFirewallPolicy
+title: Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+labels:
+ guid: e960fc6b-4ab2-4db6-9609-3745135f9ffa
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
+filepath: C:\Users\jomore\Repos\review-checklists\v2\recos\Services\MicrosoftNetwork-azureFirewalls\Operations\revcl-AzureFirewallClassicRulesFirewallPolicy.yaml
+severity: 1
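Review bot: The `filepath:` line commits an absolute path from a developer workstation, including the local user name, into a data file that no sibling recommendation file carries; the key looks like a stray field from a local run rather than part of the schema, and it discloses environment details that do not belong in the repository. The trailing `severity: 1` after `queries: {}` also breaks the field order every other file in this set uses (severity between `waf` and `labels`), which suggests this file was produced or edited differently from the rest and may not round-trip through the same tooling. I would drop the `filepath:` line entirely and place `severity: 1` directly after `waf: Operations`, matching revcl-FirewallRulesBackups.yaml; if the generator can emit `filepath`, it is worth adding a check that rejects absolute paths before files are written.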
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-FirewallRulesBackups.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-FirewallRulesBackups.yaml
new file mode 100644
index 000000000..db648f378
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-FirewallRulesBackups.yaml
@@ -0,0 +1,15 @@
+name: revcl-FirewallRulesBackups
+title: Implement backups for your firewall rules
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 2
+labels:
+ guid: 64e7000e-3c06-485e-b455-ced7f454cba3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-ResourceSpecificDestinationTableAzureFirewallDeployments.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-ResourceSpecificDestinationTableAzureFirewallDeployments.yaml
new file mode 100644
index 000000000..800cc64b5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/revcl-ResourceSpecificDestinationTableAzureFirewallDeployments.yaml
@@ -0,0 +1,18 @@
+name: revcl-ResourceSpecificDestinationTableAzureFirewallDeployments
+title: Add diagnostic settings to save logs, using the Resource Specific destination
+ table, for all Azure Firewall deployments.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 715d833d-4708-4527-90ac-1b142c7045ba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/firewall-structured-logs
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzfwLatencyProbeMetricsAzureFirewallCapacity.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzfwLatencyProbeMetricsAzureFirewallCapacity.yaml
new file mode 100644
index 000000000..1ee6f3056
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzfwLatencyProbeMetricsAzureFirewallCapacity.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzfwLatencyProbeMetricsAzureFirewallCapacity
+title: Monitor key metrics and create alerts for indicators of the utilization of
+ Azure Firewall capacity.
+description: Alerts should be created to monitor at least Throughput, Firewall health
+ state, SNAT port utilization and AZFW Latency Probe metrics.For information about
+ monitoring logs and metrics, see Monitor Azure Firewall logs and metrics.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 912d5cba-1c0b-4a40-8ec0-81e5492c3023
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallConfigurationInventory.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallConfigurationInventory.yaml
new file mode 100644
index 000000000..232bf5afa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallConfigurationInventory.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallConfigurationInventory
+title: Maintain inventory and backup of Azure Firewall configuration and Policies.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 3309c420-34ee-475f-983a-d258c92d73d1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallMicrosoftDefender.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallMicrosoftDefender.yaml
new file mode 100644
index 000000000..1a2a7a436
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallMicrosoftDefender.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallMicrosoftDefender
+title: Integrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 9b0b7514-18c1-4687-8a29-66e9e15c570d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallPortalExperienceAzureFirewallMonitoringWorkbook.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallPortalExperienceAzureFirewallMonitoringWorkbook.yaml
new file mode 100644
index 000000000..4e475f4c4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-AzureFirewallPortalExperienceAzureFirewallMonitoringWorkbook.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFirewallPortalExperienceAzureFirewallMonitoringWorkbook
+title: Use the built-in Azure Firewall Monitoring Workbook.
+description: Azure Firewall portal experience now includes a new workbook under the
+ Monitoring section UI, a separate installation is no more required. With the Azure
+ Firewall Workbook, you can extract valuable insights from Azure Firewall events,
+ delve into your application and network rules, and examine statistics regarding
+ firewall activities across URLs, ports, and addresses.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: c108c3a4-1cb0-4b5f-84dc-060e313574c4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-ExternalLogicAppAzurePolicyArtifacts.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-ExternalLogicAppAzurePolicyArtifacts.yaml
new file mode 100644
index 000000000..731f0ebf2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-ExternalLogicAppAzurePolicyArtifacts.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExternalLogicAppAzurePolicyArtifacts
+title: Maintain regular backups of Azure Policy artifacts.
+description: If Infrastructure-as-Code (IaC) approach is used to maintain Azure Firewall
+ and all dependencies then backup and versioning of Azure Firewall Policies should
+ be already in place. If not, a companion mechanism based on external Logic App can
+ be deployed to automate and provide an effective solution.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 1fe21c62-7800-4bd8-b1ed-b13c020a0759
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance.yaml
new file mode 100644
index 000000000..67eb8b6d4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance.yaml
@@ -0,0 +1,18 @@
+name: wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance
+title: Regularly review Policy Analytics dashboard to identify potential issues.
+description: Policy Analytics is a new feature that provides insights into the impact
+ of your Azure Firewall policies. It helps you identify potential issues (hitting
+ policy limits, low utilization rules, redundant rules, rules too generic, IP Groups
+ usage recommendation) in your policies and provides recommendations to improve your
+ security posture and rule processing performance.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 8ad68872-c312-4c23-9f23-be376493dfdb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-KustoQueryLanguageQueriesAzureFirewallLogs.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-KustoQueryLanguageQueriesAzureFirewallLogs.yaml
new file mode 100644
index 000000000..29fcc3670
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-KustoQueryLanguageQueriesAzureFirewallLogs.yaml
@@ -0,0 +1,17 @@
+name: wafsg-KustoQueryLanguageQueriesAzureFirewallLogs
+title: Become familiar with KQL (Kusto Query Language) queries to allow quick analysis
+ and troubleshooting using Azure Firewall logs.
+description: Sample queries are provided for Azure Firewall. Those will enable you
+ to quickly identify what's happening inside your firewall and check to see which
+ rule was triggered, or which rule is allowing/blocking a request.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: bc0c5e49-a3d6-4d3d-b95d-aa96ce824f4b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-LeverageAzureFirewallMonitoringWorkbook.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-LeverageAzureFirewallMonitoringWorkbook.yaml
new file mode 100644
index 000000000..978d8d69f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-LeverageAzureFirewallMonitoringWorkbook.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LeverageAzureFirewallMonitoringWorkbook
+title: Leverage Azure Firewall Monitoring workbook.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 35c3a850-dd12-46fc-8748-d8e549a9b70e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-LeverageDiagnosticLogsFirewallMonitoring.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-LeverageDiagnosticLogsFirewallMonitoring.yaml
new file mode 100644
index 000000000..e161aac22
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-LeverageDiagnosticLogsFirewallMonitoring.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LeverageDiagnosticLogsFirewallMonitoring
+title: Leverage diagnostic logs for firewall monitoring and troubleshooting.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 32f7e307-f271-46d7-a0ea-e32ce5cf5f9a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-ManyMonitoringToolsAzureFirewallResources.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-ManyMonitoringToolsAzureFirewallResources.yaml
new file mode 100644
index 000000000..2ba19a724
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-ManyMonitoringToolsAzureFirewallResources.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ManyMonitoringToolsAzureFirewallResources
+title: Enable Diagnostic Logs for Azure Firewall.
+description: Diagnostic Logs is a key component for many monitoring tools and strategies
+ for Azure Firewall and should be enabled. You can monitor Azure Firewall by using
+ firewall logs or workbooks. You can also use activity logs for auditing operations
+ on Azure Firewall resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: afcc1df9-da67-4db4-a2d4-bad67422d890
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-MicrosoftSentinelSolutionsAzureNetworkSecurity.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-MicrosoftSentinelSolutionsAzureNetworkSecurity.yaml
new file mode 100644
index 000000000..a52dd8d19
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-MicrosoftSentinelSolutionsAzureNetworkSecurity.yaml
@@ -0,0 +1,20 @@
+name: wafsg-MicrosoftSentinelSolutionsAzureNetworkSecurity
+title: Configure Azure Firewall integration with Microsoft Defender for Cloud and
+ Microsoft Sentinel.
+description: If these tools are available in the environment, it is recommended to
+ leverage integration with Microsoft Defender for Cloud and Microsoft Sentinel solutions.
+ With Microsoft Defender for Cloud integration, you can visualize the all-up status
+ of network infrastructure and network security in one place, including Azure Network
+ Security across all VNets and Virtual Hubs spread across different regions in Azure.
+ Integration with Microsoft Sentinel provides threat detection and prevention capabilities.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: e900c615-4865-4658-8cba-0d0f5fb6d169
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-NetworkSecurityGroupsIntraVnetTrafficControl.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-NetworkSecurityGroupsIntraVnetTrafficControl.yaml
new file mode 100644
index 000000000..1098aba0d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-NetworkSecurityGroupsIntraVnetTrafficControl.yaml
@@ -0,0 +1,17 @@
+name: wafsg-NetworkSecurityGroupsIntraVnetTrafficControl
+title: Do not use Azure Firewall for intra-VNet traffic control.
+description: Azure Firewall should be used to control traffic across VNets, between
+ VNets and on-premises networks, outbound traffic to the Internet and incoming non-HTTP/s
+ traffic. For intra-VNet traffic control, it is recommended to use Network Security
+ Groups.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 0405f896-a746-4bd5-831e-9914e4cb840f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-PolicyInsightsAnalytics.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-PolicyInsightsAnalytics.yaml
new file mode 100644
index 000000000..e8940551e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-PolicyInsightsAnalytics.yaml
@@ -0,0 +1,15 @@
+name: wafsg-PolicyInsightsAnalytics
+title: Regularly review your Policy insights and analytics.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: bc079e69-8f2f-43e6-94a7-61a05d1dd447
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-PreviousDiagnosticLogsFormatStructuredFirewallLogsFormat.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-PreviousDiagnosticLogsFormatStructuredFirewallLogsFormat.yaml
new file mode 100644
index 000000000..a29222660
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Operations/wafsg-PreviousDiagnosticLogsFormatStructuredFirewallLogsFormat.yaml
@@ -0,0 +1,19 @@
+name: wafsg-PreviousDiagnosticLogsFormatStructuredFirewallLogsFormat
+title: Use Structured Firewall Logs format.
+description: Structured Firewall Logs are a type of log data that are organized in
+ a specific new format. They use a predefined schema to structure log data in a way
+ that makes it easy to search, filter, and analyze. The latest monitoring tools are
+ based on this type of logs hence it is often a pre-requisite. Use the previous Diagnostic
+ Logs format only if there is an existing tool with a pre-requisite on that. Do not
+ enable both logging formats at the same time.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 4f3d5677-801a-48f2-834c-4a2326a6a1c8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-AzureAppGatewaysTlsInspection.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-AzureAppGatewaysTlsInspection.yaml
new file mode 100644
index 000000000..ef616d420
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-AzureAppGatewaysTlsInspection.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureAppGatewaysTlsInspection
+title: As part of your TLS inspection, plan for receiving traffic from Azure App Gateways
+ for inspection.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-IpTableRulesIpGroups.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-IpTableRulesIpGroups.yaml
new file mode 100644
index 000000000..27c542ffb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-IpTableRulesIpGroups.yaml
@@ -0,0 +1,15 @@
+name: revcl-IpTableRulesIpGroups
+title: Use IP Groups or IP prefixes to reduce number of IP table rules
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 0da83bb1-2f39-49af-b5c9-835fc455e3d1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/ip-groups
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-NatGatewaySettingsSnatPortUsage.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-NatGatewaySettingsSnatPortUsage.yaml
new file mode 100644
index 000000000..32151b735
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-NatGatewaySettingsSnatPortUsage.yaml
@@ -0,0 +1,17 @@
+name: revcl-NatGatewaySettingsSnatPortUsage
+title: "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT\
+ \ Gateway settings, and ensuring seamless failover. If the port count approaches\
+ \ the limit, it\xE2\u20AC\u2122s a sign that SNAT exhaustion might be imminent."
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 7371dc21-251a-47a3-af14-6e01b9da4757
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall
+queries: {}
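Review bot: The title on lines 2–4 of this file contains a double-encoded apostrophe: `\xE2\u20AC\u2122` is the UTF-8 byte sequence for `’` re-decoded as a single-byte code page, so the rendered text reads `itâ€™s`. The line should read `... the limit, it’s a sign that SNAT exhaustion might be imminent."` (or plain ASCII `it's`). Since the text is imported from `./checklists/waf_checklist.en.json`, the underlying cause is presumably that the exporter opens that file without `encoding='utf-8'`; the other titles in this chunk are ASCII-only, so this is the only visible instance, but the defect will recur for any non-ASCII source text until the reader is fixed.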
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-RuleCollectionGroupsRuleCollections.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-RuleCollectionGroupsRuleCollections.yaml
new file mode 100644
index 000000000..9c4a0038b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-RuleCollectionGroupsRuleCollections.yaml
@@ -0,0 +1,16 @@
+name: revcl-RuleCollectionGroupsRuleCollections
+title: Arrange rules within the firewall policy into Rule Collection Groups and Rule
+ Collections and based on their frequency of use
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 828cec2e-af6c-40c2-8fa2-1b681ee63eb7
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-SourceIpIncomingDnats.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-SourceIpIncomingDnats.yaml
new file mode 100644
index 000000000..cd82ec138
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-SourceIpIncomingDnats.yaml
@@ -0,0 +1,16 @@
+name: revcl-SourceIpIncomingDnats
+title: Avoid wildcards as a source IP for DNATS, such as * or any, you should specify
+ source IPs for incoming DNATs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: c44c6f0e-1642-4a61-a17b-0922f835c93a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat
+queries: {}
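Review bot: `waf: Performance` on this file classifies a control whose purpose is exposure reduction — avoiding `*`/`any` as the DNAT source so that only known client ranges can reach the published port — and it reads as a Security-pillar item; the same question applies to `revcl-TlsInspection`, which is also filed under `Performance`. If the pillar is copied verbatim from `./checklists/waf_checklist.en.json`, the correction belongs upstream, but as committed any view that groups by `waf:` will not list either control under Security. The `severity: 1` is consistent with the rest of the `revcl` set, so only the pillar looks off.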
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-TlsInspection.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-TlsInspection.yaml
new file mode 100644
index 000000000..ff2461e4a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-TlsInspection.yaml
@@ -0,0 +1,15 @@
+name: revcl-TlsInspection
+title: Enable TLS Inspection
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 0
+labels:
+ guid: 346840b8-1064-496e-8396-4b1340172d52
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-WebCategoriesOutboundAccess.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-WebCategoriesOutboundAccess.yaml
new file mode 100644
index 000000000..916dd48d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/revcl-WebCategoriesOutboundAccess.yaml
@@ -0,0 +1,15 @@
+name: revcl-WebCategoriesOutboundAccess
+title: Use web categories to allow or deny outbound access to specific topics.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 2
+labels:
+ guid: 39990a13-915c-45f9-a2d3-562d7d6c4b7c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/premium-features#web-categories
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-AzureFirewallWebCategoriesPublicInternetSites.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-AzureFirewallWebCategoriesPublicInternetSites.yaml
new file mode 100644
index 000000000..b71f11923
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-AzureFirewallWebCategoriesPublicInternetSites.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFirewallWebCategoriesPublicInternetSites
+title: Consider Web Categories to allow or deny outbound access in bulk.
+description: Instead of explicitly building and maintaining a long list of public
+ Internet sites, consider the usage of Azure Firewall Web Categories. This feature
+ will dynamically categorize web content and will permit the creation of compact
+ Application Rules.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 0fb0141c-f1ac-4149-a10c-4b7954050b12
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-AzureLoadTestingServiceAzureFirewallInstance.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-AzureLoadTestingServiceAzureFirewallInstance.yaml
new file mode 100644
index 000000000..890c66b80
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-AzureLoadTestingServiceAzureFirewallInstance.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureLoadTestingServiceAzureFirewallInstance
+title: Properly warm up Azure Firewall before any performance test.
+description: Create initial traffic that isn't part of your load tests 20 minutes
+ before the test. Use diagnostics settings to capture scale-up and scale-down events.
+ You can use the Azure Load Testing service to generate the initial traffic. Allows
+ the Azure Firewall instance to scale up its instances to the maximum.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 0ec844d3-4b8c-41ee-ad0a-89c2b23f007b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-BackendVirtualMachineScaleSetInstanceTwoVirtualMachineScaleSetInstances.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-BackendVirtualMachineScaleSetInstanceTwoVirtualMachineScaleSetInstances.yaml
new file mode 100644
index 000000000..889a55db2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-BackendVirtualMachineScaleSetInstanceTwoVirtualMachineScaleSetInstances.yaml
@@ -0,0 +1,19 @@
+name: wafsg-BackendVirtualMachineScaleSetInstanceTwoVirtualMachineScaleSetInstances
+title: Assess potential SNAT port exhaustion problem.
+description: Azure Firewall currently supports 2496 ports per Public IP address per
+ backend Virtual Machine Scale Set instance. By default, there are two Virtual Machine
+ Scale Set instances. So, there are 4992 ports per flow destination IP, destination
+ port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances.
+ You can work around the limits by configuring Azure Firewall deployments with a
+ minimum of five public IP addresses for deployments susceptible to SNAT exhaustion.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: b2acb591-6e44-49f2-97f9-1196094776f3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-DiagnosticToolsLogging.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-DiagnosticToolsLogging.yaml
new file mode 100644
index 000000000..06d4b599d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-DiagnosticToolsLogging.yaml
@@ -0,0 +1,15 @@
+name: wafsg-DiagnosticToolsLogging
+title: Do not enable diagnostic tools and logging if not required.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 565d2322-9a28-4f3d-a657-95391fa683a5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-FirewallRules.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-FirewallRules.yaml
new file mode 100644
index 000000000..c80bbfa78
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-FirewallRules.yaml
@@ -0,0 +1,15 @@
+name: wafsg-FirewallRules
+title: Regularly review and optimize firewall rules.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 0a96b331-2efc-47d2-8e25-f5c57b890ea9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-FlowTraceLogsAdvancedLoggingCapabilities.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-FlowTraceLogsAdvancedLoggingCapabilities.yaml
new file mode 100644
index 000000000..db4b532d6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-FlowTraceLogsAdvancedLoggingCapabilities.yaml
@@ -0,0 +1,18 @@
+name: wafsg-FlowTraceLogsAdvancedLoggingCapabilities
+title: Do not enable advanced logging if not required
+description: Azure Firewall provides some advanced logging capabilities that can be
+ expensive to maintain always active. Instead, they should be used for troubleshooting
+ purposes only, and limited in duration, then disabled when no more necessary. For
+ example, Top flows and Flow trace logs are expensive can cause excessive CPU and
+ storage usage on the Azure Firewall infrastructure.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 60d6a84a-dcc9-4fbb-a68f-810341b9253c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-IdpsModeAlertDenyMode.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-IdpsModeAlertDenyMode.yaml
new file mode 100644
index 000000000..55524f34e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-IdpsModeAlertDenyMode.yaml
@@ -0,0 +1,15 @@
+name: wafsg-IdpsModeAlertDenyMode
+title: Evaluate the performance impact of IDPS in Alert and deny mode.
+description: If Azure Firewall is required to operate in IDPS mode Alert and deny,
+ carefully consider the performance impact as documented in this page.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 9263120f-b82d-4784-9c9a-73941e85079b
+links: []
+queries: {}
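Review bot: The description ends with `as documented in this page` while `links: []` is empty, so the reference the sentence depends on was dropped during export and the reader has nowhere to go. The same pattern appears in `wafsg-AzureFirewallProductGroupAzureFirewallKnownIssues` (`at this location`), `wafsg-AzureVirtualWanAzureVirtualNetwork` (`explained in this article`), `wafsg-AzureFirewallClassicRulesAzureFirewallManagerPolicies` (`see Migrate to Azure Firewall Premium`) and `wafsg-HigherServiceLevelAgreementSingleAvailabilityZone` (`see SLA for Azure Firewall`), all sourced from `./checklists-ext/wafsg_checklist.en.json`. Either the exporter should carry the source hyperlink into `links:` as a `- type: docs` entry, as the `revcl` files in this chunk already do, or the dangling clause should be dropped from the description.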
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance-1.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance-1.yaml
new file mode 100644
index 000000000..ea223e073
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance-1.yaml
@@ -0,0 +1,19 @@
+name: wafsg-IpGroupsUsageRecommendationRuleProcessingPerformance-1
+title: Use Policy Analytics dashboard to identify potential optimizations for Firewall
+ Policies.
+description: Policy Analytics is a new feature that provides insights into the impact
+ of your Azure Firewall policies. It helps you identify potential issues (hitting
+ policy limits, low utilization rules, redundant rules, rules too generic, IP Groups
+ usage recommendation) in your policies and provides recommendations to improve your
+ security posture and rule processing performance.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: e104f2f7-c376-4ed8-b536-a10a16be484d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-LoadTestsAutoScalePerformance.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-LoadTestsAutoScalePerformance.yaml
new file mode 100644
index 000000000..8c2969ea6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-LoadTestsAutoScalePerformance.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LoadTestsAutoScalePerformance
+title: Plan load tests to test auto-scale performance in your environment.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 5dcb4cd3-a501-4d37-b2a6-3f59c3e1bd32
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-PolicyRequirementsIpRanges.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-PolicyRequirementsIpRanges.yaml
new file mode 100644
index 000000000..3563bbdbf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-PolicyRequirementsIpRanges.yaml
@@ -0,0 +1,16 @@
+name: wafsg-PolicyRequirementsIpRanges
+title: Review policy requirements and opportunities to summarize IP ranges and URLs
+ list.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: be71278e-b14a-4c1b-9007-b7513095b138
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-SnatPortRequirements.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-SnatPortRequirements.yaml
new file mode 100644
index 000000000..33e6fd865
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-SnatPortRequirements.yaml
@@ -0,0 +1,15 @@
+name: wafsg-SnatPortRequirements
+title: Assess your SNAT port requirements.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: 503f63e3-bdd2-4e37-9a44-644670d204f0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-TheAzureFirewallSubnetNameEnoughIpAddresses.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-TheAzureFirewallSubnetNameEnoughIpAddresses.yaml
new file mode 100644
index 000000000..759eac6fe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Performance/wafsg-TheAzureFirewallSubnetNameEnoughIpAddresses.yaml
@@ -0,0 +1,20 @@
+name: wafsg-TheAzureFirewallSubnetNameEnoughIpAddresses
+title: Configure an Azure Firewall subnet (AzureFirewallSubnet) with a /26 address
+ space.
+description: Azure Firewall is a dedicated deployment in your virtual network. Within
+ your virtual network, a dedicated subnet is required for the instance of Azure Firewall.
+ Azure Firewall provisions more capacity as it scales.A /26 address space for its
+ subnets ensures that the firewall has enough IP addresses available to accommodate
+ the scaling. Azure Firewall doesn't need a subnet bigger than /26. The Azure Firewall
+ subnet name must be AzureFirewallSubnet.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Performance
+severity: 1
+labels:
+ guid: d1510802-2f00-4995-8a04-fbebce7fe966
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureCloudAdoptionFrameworkDocumentationAzureVirtualWanNetworkTopologies.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureCloudAdoptionFrameworkDocumentationAzureVirtualWanNetworkTopologies.yaml
new file mode 100644
index 000000000..7308a867f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureCloudAdoptionFrameworkDocumentationAzureVirtualWanNetworkTopologies.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureCloudAdoptionFrameworkDocumentationAzureVirtualWanNetworkTopologies
+title: Use Azure Firewall Manager with traditional Hub & Spokes or Azure Virtual WAN
+ network topologies to deploy and manage instances of Azure Firewall.
+description: Easily create hub-and-spoke and transitive architectures with native
+ security services for traffic governance and protection. For more information on
+ network topologies, see the Azure Cloud Adoption Framework documentation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 22e4993d-53d4-4655-84fa-4d1bc8523e41
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallClassicRulesAzureFirewallManagerPolicies.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallClassicRulesAzureFirewallManagerPolicies.yaml
new file mode 100644
index 000000000..af4d83949
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallClassicRulesAzureFirewallManagerPolicies.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFirewallClassicRulesAzureFirewallManagerPolicies
+title: Migrate Azure Firewall Classic Rules to Azure Firewall Manager Policies for
+ existing deployments.
+description: For existing deployments, migrate Azure Firewall rules to Azure Firewall
+ Manager policies. Use Azure Firewall Manager to centrally manage your firewalls
+ and policies. For more information, see Migrate to Azure Firewall Premium.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 15329f1b-13d3-43a7-b76c-d110d7933148
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallHealthState.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallHealthState.yaml
new file mode 100644
index 000000000..8778488b9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallHealthState.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallHealthState
+title: Monitor Azure Firewall health state.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 4ab78087-97ce-4ec5-ab5d-f67e47b20854
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallPolicyStructure.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallPolicyStructure.yaml
new file mode 100644
index 000000000..a29b9f87b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallPolicyStructure.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallPolicyStructure
+title: Create Azure Firewall Policy structure.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 457a41f6-6cc9-48a8-b16b-01f2312b6537
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallProductGroupAzureFirewallKnownIssues.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallProductGroupAzureFirewallKnownIssues.yaml
new file mode 100644
index 000000000..1d95ace6b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallProductGroupAzureFirewallKnownIssues.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFirewallProductGroupAzureFirewallKnownIssues
+title: Review the list of Azure Firewall Known Issues.
+description: Azure Firewall Product Group maintains an updated list of known-issues
+ at this location. This list contains important information related to by-design
+ behavior, fixes under construction, platform limitations, along with possible workarounds
+ or mitigation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 8af66a9f-689a-4e52-a9f1-08cf07f86047
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallResourceHealthCheckAzfwLatencyProbeMetrics.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallResourceHealthCheckAzfwLatencyProbeMetrics.yaml
new file mode 100644
index 000000000..19fea63dd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureFirewallResourceHealthCheckAzfwLatencyProbeMetrics.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureFirewallResourceHealthCheckAzfwLatencyProbeMetrics
+title: Monitor Azure Firewall Metrics and Resource Health state.
+description: Closely monitor key metrics indicator of Azure Firewall health state
+ such as Throughput, Firewall health state, SNAT port utilization and AZFW Latency
+ Probe metrics. Additionally, Azure Firewall now integrates with Azure Resource Health.
+ With the Azure Firewall Resource Health check, you can now view the health status
+ of your Azure Firewall and address service problems that might affect your Azure
+ Firewall resource.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 778a05b2-ee67-42f2-b35e-0adfe817cded
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureVirtualWanAzureVirtualNetwork.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureVirtualWanAzureVirtualNetwork.yaml
new file mode 100644
index 000000000..c16e38b67
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureVirtualWanAzureVirtualNetwork.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureVirtualWanAzureVirtualNetwork
+title: In multi-region environments, deploy an Azure Firewall instance per region.
+description: For traditional Hub & Spokes architectures, multi-region details are
+ explained in this article. For secured virtual hubs (Azure Virtual WAN), Routing
+ Intent and Policies must be configured to secure inter-hub and branch-to-branch
+ communications. For workloads designed to be resistant to failures and fault tolerant,
+ remember to consider that instances of Azure Firewall and Azure Virtual Network
+ as regional resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 82ee097d-7480-4896-92e9-78b3b335cfcb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureVirtualWanHubsHubVirtualNetworks.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureVirtualWanHubsHubVirtualNetworks.yaml
new file mode 100644
index 000000000..9ed422fec
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-AzureVirtualWanHubsHubVirtualNetworks.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureVirtualWanHubsHubVirtualNetworks
+title: Deploy Azure Firewall in hub virtual networks or as part of Azure Virtual WAN
+ hubs.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 29c79d8a-974d-4768-9036-6b7c3980258b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-GlobalNetworkEnvironmentsCentralBasePolicy.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-GlobalNetworkEnvironmentsCentralBasePolicy.yaml
new file mode 100644
index 000000000..6eeefb2bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-GlobalNetworkEnvironmentsCentralBasePolicy.yaml
@@ -0,0 +1,20 @@
+name: wafsg-GlobalNetworkEnvironmentsCentralBasePolicy
+title: Create Azure Firewall Policies to govern the security posture across global
+ network environments. Assign policies to all instances of Azure Firewall.
+description: Azure Firewall Policies can be arranged in an hierarchical structure
+ to overlay a central base policy. Allow for granular policies to meet the requirements
+ of specific regions. Delegate incremental firewall policies to local security teams
+ through role-based access control (RBAC). Some settings are specific per instance,
+ for example DNAT Rules and DNS configuration, then multiple specialized policies
+ might be required.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 965fde84-1253-4833-93bc-9476a10ce2ad
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-HigherServiceLevelAgreementSingleAvailabilityZone.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-HigherServiceLevelAgreementSingleAvailabilityZone.yaml
new file mode 100644
index 000000000..8781ffa87
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-HigherServiceLevelAgreementSingleAvailabilityZone.yaml
@@ -0,0 +1,18 @@
+name: wafsg-HigherServiceLevelAgreementSingleAvailabilityZone
+title: Deploy Azure Firewall across multiple availability zones for higher service-level
+ agreement (SLA).
+description: Azure Firewall provides different SLAs when it's deployed in a single
+ availability zone and when it's deployed in multiple zones. For more information,
+ see SLA for Azure Firewall. For information about all Azure SLAs, see SLA summary
+ for Azure services.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: bc96dc36-32aa-404b-b450-aaacf0b1becc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-KnownIssueList.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-KnownIssueList.yaml
new file mode 100644
index 000000000..9dca3dc7c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-KnownIssueList.yaml
@@ -0,0 +1,15 @@
+name: wafsg-KnownIssueList
+title: Review the Known Issue list.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 8af18b41-9be2-4bb2-aaac-8c2a5734539a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-LeverageAvailabilityZonesResiliency.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-LeverageAvailabilityZonesResiliency.yaml
new file mode 100644
index 000000000..bfd16491a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-LeverageAvailabilityZonesResiliency.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LeverageAvailabilityZonesResiliency
+title: Leverage Availability Zones resiliency.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: 59945fc0-9f70-4b5d-a8b6-2ac38dc2508d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-RuleCollectionGroupsAzureFirewallPolicy.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-RuleCollectionGroupsAzureFirewallPolicy.yaml
new file mode 100644
index 000000000..44f42d892
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Reliability/wafsg-RuleCollectionGroupsAzureFirewallPolicy.yaml
@@ -0,0 +1,16 @@
+name: wafsg-RuleCollectionGroupsAzureFirewallPolicy
+title: Ensure your Azure Firewall Policy adheres to Azure Firewall limits and recommendations.
+description: There are limits on the policy structure, including numbers of Rules
+ and Rule Collection Groups, total policy size, source/target destinations. Be sure
+ to compose your policy and stay behind the documented thresholds.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Reliability
+severity: 1
+labels:
+ guid: c673cfb7-5f2f-40ff-a878-c4ffeb26acd9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallDnsProxyConfiguration.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallDnsProxyConfiguration.yaml
new file mode 100644
index 000000000..11cb10341
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallDnsProxyConfiguration.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFirewallDnsProxyConfiguration
+title: 'Enable Azure Firewall DNS proxy configuration '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 94f3eede-9aa3-4088-92a3-bb9a56509fad
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/dns-details
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallIdpsModeAdditionalProtection.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallIdpsModeAdditionalProtection.yaml
new file mode 100644
index 000000000..f0117c9e8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallIdpsModeAdditionalProtection.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureFirewallIdpsModeAdditionalProtection
+title: Configure Azure Firewall IDPS mode to Deny for additional protection.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 0
+labels:
+ guid: b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/premium-features#idps
+queries:
+ arg: resources | where type=='microsoft.network/firewallpolicies' | extend compliant
+ = (properties.intrusionDetection.mode == 'Deny') | project id, compliant
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallPremiumAdditionalSecurity.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallPremiumAdditionalSecurity.yaml
new file mode 100644
index 000000000..42a6d2786
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallPremiumAdditionalSecurity.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureFirewallPremiumAdditionalSecurity
+title: Use Azure Firewall Premium for additional security and protection.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 0
+labels:
+ guid: c10d51ef-f999-455d-bba0-5c90ece07447
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/premium-features
+queries:
+ arg: resources | where type=='microsoft.network/firewallpolicies' | extend compliant
+ = (properties.sku.tier == 'Premium') | distinct id,compliant
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallSubnets.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallSubnets.yaml
new file mode 100644
index 000000000..2f036549e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallSubnets.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureFirewallSubnets
+title: Use a /26 prefix for your Azure Firewall subnets.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 0
+labels:
+ guid: 22d6419e-b627-4d95-9e7d-019fa759387f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size
+queries:
+ arg: resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets
+ | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix
+ | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName ==
+ 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct
+ id, compliant
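Review bot: `subnetPrefixLength == 26` compares the element returned by `split(subnetPrefix, '/')[1]`, a dynamic string, with an integer, so unless the engine coerces the types the `compliant` flag comes out false for every AzureFirewallSubnet regardless of its size; casting first, `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`, makes the comparison numeric. As written the check also reports subnets larger than /26 (for example /25) as non-compliant, which matches the title's exact-prefix wording but not the "minimum size" framing of the linked FAQ, so whether `== 26` or `<= 26` is intended is worth confirming.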
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallThreatIntelligenceModeAdditionalProtection.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallThreatIntelligenceModeAdditionalProtection.yaml
new file mode 100644
index 000000000..ac8216a86
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureFirewallThreatIntelligenceModeAdditionalProtection.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureFirewallThreatIntelligenceModeAdditionalProtection
+title: Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional
+ protection.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 0
+labels:
+ guid: e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/premium-features
+queries:
+ arg: resources | where type=='microsoft.network/firewallpolicies' | extend compliant
+ = (properties.threatIntelMode == 'Deny') | distinct id,compliant
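Review bot: The ARG query evaluates `microsoft.network/firewallpolicies` while `resourceTypes` lists `microsoft.network/azurefirewalls`, so a firewall that still uses classic rules, where threat intelligence is configured on the firewall resource itself (`properties.threatIntelMode`) rather than on a policy, is never evaluated and is silently absent from the results instead of being flagged. If classic-rule firewalls are in scope, a union of the policy branch with an `azurefirewalls` branch over `properties.threatIntelMode` would close the gap. The same resourceTypes/query mismatch is present in revcl-AzureFirewallIdpsModeAdditionalProtection, revcl-AzureFirewallPremiumAdditionalSecurity and revcl-FqdnBasedNetworkRulesApplicationRules, although for IDPS the policy is the only place the setting lives. The `'Deny'` value is the portal's "Alert and deny" option, so the title and the check agree.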
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzurePaasServicesAzureFirewall.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzurePaasServicesAzureFirewall.yaml
new file mode 100644
index 000000000..a5a94c77a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzurePaasServicesAzureFirewall.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzurePaasServicesAzureFirewall
+title: Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses
+ in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link
+ you can block all FQDNs, otherwise allow only the required PaaS services.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 7e7a8ed4-b30e-438c-9f29-812b2363cefe
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking-features
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureRoleBasedAccessControlGlobalAzureFirewallPolicy.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureRoleBasedAccessControlGlobalAzureFirewallPolicy.yaml
new file mode 100644
index 000000000..e7c92b945
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-AzureRoleBasedAccessControlGlobalAzureFirewallPolicy.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureRoleBasedAccessControlGlobalAzureFirewallPolicy
+title: Create a global Azure Firewall policy to govern security posture across the
+ global network environment and assign it to all Azure Firewall instances. Allow
+ for granular policies to meet requirements of specific regions by delegating incremental
+ firewall policies to local security teams via Azure role-based access control.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 5a4b1511-e43a-458a-ac22-99c4d7b57d0c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-FqdnBasedNetworkRulesApplicationRules.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-FqdnBasedNetworkRulesApplicationRules.yaml
new file mode 100644
index 000000000..0a2cc1ba9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-FqdnBasedNetworkRulesApplicationRules.yaml
@@ -0,0 +1,18 @@
+name: revcl-FqdnBasedNetworkRulesApplicationRules
+title: Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress
+ traffic to the Internet over protocols not supported by application rules.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 0
+labels:
+ guid: 14d99880-2f88-47e8-a134-62a7d85c94af
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules
+queries:
+ arg: resources | where type=='microsoft.network/firewallpolicies' | extend compliant
+ = (properties.dnsSettings.enableProxy == true) | distinct id,compliant
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-HttpSInboundConnectionsEastWestTrafficFiltering.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-HttpSInboundConnectionsEastWestTrafficFiltering.yaml
new file mode 100644
index 000000000..627c38eb8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-HttpSInboundConnectionsEastWestTrafficFiltering.yaml
@@ -0,0 +1,19 @@
+name: revcl-HttpSInboundConnectionsEastWestTrafficFiltering
+title: Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S
+ inbound connections, and East/West traffic filtering (if the organization requires
+ it)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 0
+labels:
+ guid: e6c4cfd3-e504-4547-a244-7ec66138a720
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking-features
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-NetworkVirtualApplianceVirtualWan.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-NetworkVirtualApplianceVirtualWan.yaml
new file mode 100644
index 000000000..57199a9a1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-NetworkVirtualApplianceVirtualWan.yaml
@@ -0,0 +1,28 @@
+name: revcl-NetworkVirtualApplianceVirtualWan
+title: For subnets in VNets not connected to Virtual WAN, attach a route table so
+ that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 0
+labels:
+ guid: a3784907-9836-4271-aafc-93535f8ec08b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview
+queries:
+ arg: resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets
+ | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id
+ | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet',
+ 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT,
+ subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks'
+ | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name,
+ '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project
+ id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name)
+ | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer
+ = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1),
+ subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend
+ compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant
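Review bot: The Virtual WAN detection inside the join relies on a peering name prefix, `tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering'`, which is a naming convention rather than a property of the peering, so a spoke attached to a Virtual WAN hub through a differently named peering is reported as non-compliant even though its traffic is already governed by the hub, and a non-hub peering that happens to use that name is reported as compliant. A property of the peering's remote network would be a more robust signal, though which attribute is exposed through ARG needs confirming. Stylistically, the query mixes `mv-expand` and `mvexpand` in the same statement; picking one form keeps it readable.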
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-PublicIpAddressesPolicyAssignment.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-PublicIpAddressesPolicyAssignment.yaml
new file mode 100644
index 000000000..24dffc166
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-PublicIpAddressesPolicyAssignment.yaml
@@ -0,0 +1,16 @@
+name: revcl-PublicIpAddressesPolicyAssignment
+title: "Ensure there is a policy assignment to deny Public IP addresses\xC2\_directly\
+ \ tied to Virtual Machines"
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 3c5a808d-c695-4c14-a63c-c7ab7a510e41
+links:
+- type: docs
+ url: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp
+queries: {}
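Review bot: The title contains `\xC2\_`, which is a UTF-8 non-breaking space (bytes C2 A0) that was decoded as Latin-1 somewhere between the source checklist and this YAML: `\xC2` is the stray 'Â' and `\_` is YAML's escape for U+00A0, so the rendered title reads "addressesÂ directly". The cleanest fix is in the corresponding entry of `./checklists/waf_checklist.en.json`, or a whitespace normalisation step in the generator, after which the line would be `title: Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines`.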
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-SupportedPartnerSaasSecurityProvidersFirewallManager.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-SupportedPartnerSaasSecurityProvidersFirewallManager.yaml
new file mode 100644
index 000000000..804165d82
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/revcl-SupportedPartnerSaasSecurityProvidersFirewallManager.yaml
@@ -0,0 +1,18 @@
+name: revcl-SupportedPartnerSaasSecurityProvidersFirewallManager
+title: Configure supported partner SaaS security providers within Firewall Manager
+ if the organization wants to use such solutions to help protect outbound connections.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 2
+labels:
+ guid: 655562f2-b3e4-4563-a4d8-739748b662d6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-ADdosProtectionPlanAzureDdosProtectionPlan.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-ADdosProtectionPlanAzureDdosProtectionPlan.yaml
new file mode 100644
index 000000000..07296b712
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-ADdosProtectionPlanAzureDdosProtectionPlan.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ADdosProtectionPlanAzureDdosProtectionPlan
+title: Use Azure Firewall Manager to create and associate a DDoS protection plan with
+ your hub virtual network (does not apply to Azure Virtual WAN).
+description: A DDoS protection plan provides enhanced mitigation features to defend
+ your firewall from DDoS attacks. Azure Firewall Manager is an integrated tool to
+ create your firewall infrastructure and DDoS protection plans. For more information,
+ see Configure an Azure DDoS Protection Plan using Azure Firewall Manager.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 1b052318-dd38-486c-97f3-b20c584c1bcd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzFirewallServiceTagsSecurityRuleCreation.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzFirewallServiceTagsSecurityRuleCreation.yaml
new file mode 100644
index 000000000..3ccb29547
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzFirewallServiceTagsSecurityRuleCreation.yaml
@@ -0,0 +1,21 @@
+name: wafsg-AzFirewallServiceTagsSecurityRuleCreation
+title: Use Service Tags in Network Rules to enable selective access to specific Microsoft
+ services.
+description: 'A service tag represents a group of IP address prefixes to help minimize
+ complexity for security rule creation. Using Service Tags in Network Rules, it is
+ possible to enable outbound access to specific services in Azure, Dynamics and Office
+ 365 without opening wide ranges of IP addresses. Azure will maintain automatically
+ the mapping between these tags and underlying IP addresses used by each service.
+ The list of Service Tags available to Azure Firewall are listed here: Az Firewall
+ Service Tags.'
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 2747c05a-f1a0-44e2-918a-f673f409e9aa
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallDnsProxy.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallDnsProxy.yaml
new file mode 100644
index 000000000..357c53bdf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallDnsProxy.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallDnsProxy
+title: Enable Azure Firewall DNS proxy.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: eb9ee852-eda8-41a8-917d-4a5a25a6d866
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallDnsProxyConfigurationFullyQualifiedDomainName.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallDnsProxyConfigurationFullyQualifiedDomainName.yaml
new file mode 100644
index 000000000..e95f793f3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallDnsProxyConfigurationFullyQualifiedDomainName.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFirewallDnsProxyConfigurationFullyQualifiedDomainName
+title: Use Fully Qualified Domain Name (FQDN) filtering in network rules.
+description: You can use FQDN based on DNS resolution in Azure Firewall and firewall
+ policies. This capability allows you to filter outbound traffic with any TCP/UDP
+ protocol (including NTP, SSH, RDP, and more). You must enable the Azure Firewall
+ DNS Proxy configuration to use FQDNs in your network rules. To learn how it works,
+ see Azure Firewall FQDN filtering in network rules.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: edad73e6-11f4-4f3d-ad4d-85a803631d88
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallManagementSubnetExistingAzureFirewallInstance.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallManagementSubnetExistingAzureFirewallInstance.yaml
new file mode 100644
index 000000000..26e456246
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallManagementSubnetExistingAzureFirewallInstance.yaml
@@ -0,0 +1,23 @@
+name: wafsg-AzureFirewallManagementSubnetExistingAzureFirewallInstance
+title: If required to route all internet-bound traffic to a designated next hop instead
+ of going directly to the internet, configure Azure Firewall in forced tunneling
+ mode (does not apply to Azure Virtual WAN).
+description: Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet
+ learns a default route to your on-premises network via the Border Gateway Protocol,
+ you must configure Azure Firewall in the forced tunneling mode. Using the forced
+ tunneling feature, you'll need another /26 address space for the Azure Firewall
+ Management subnet. You're required to name it AzureFirewallManagementSubnet.If this
+ is an existing Azure Firewall instance that can't be reconfigured in the forced
+ tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as
+ Internet. Associate it with AzureFirewallSubnet to maintain internet connectivity.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 00be10aa-262b-44b5-a82a-8c68aad4cccd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallPublicIpAddressesDdos.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallPublicIpAddressesDdos.yaml
new file mode 100644
index 000000000..c64ee17f2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureFirewallPublicIpAddressesDdos.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFirewallPublicIpAddressesDdos
+title: Protect your Azure Firewall public IP addresses with DDoS.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: b64f5de8-7f72-4545-a18e-9e75bc46a712
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureVirtualWanAzureFirewallInstance.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureVirtualWanAzureFirewallInstance.yaml
new file mode 100644
index 000000000..dfa63ce79
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-AzureVirtualWanAzureFirewallInstance.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureVirtualWanAzureFirewallInstance
+title: Configure user-defined routes (UDR) to force traffic through Azure Firewall.
+description: In a traditional Hub & Spokes architecture, configure UDRs to force traffic
+ through Azure Firewall for `SpoketoSpoke`, `SpoketoInternet`, and `SpoketoHybrid`
+ connectivity. In Azure Virtual WAN, instead, configure Routing Intent and Policies
+ to redirect private and/or Internet traffic through the Azure Firewall instance
+ integrated into the hub.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 0eb2861e-50ba-479a-93d2-ca98a617e5fb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-BreedThirdPartySecaasOfferingsAzureVirtualWan.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-BreedThirdPartySecaasOfferingsAzureVirtualWan.yaml
new file mode 100644
index 000000000..a4834a044
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-BreedThirdPartySecaasOfferingsAzureVirtualWan.yaml
@@ -0,0 +1,20 @@
+name: wafsg-BreedThirdPartySecaasOfferingsAzureVirtualWan
+title: Configure supported third-party software as a service (SaaS) security providers
+ within Firewall Manager if you want to use these solutions to protect outbound connections.
+description: You can use your familiar, best-in-breed, third-party SECaaS offerings
+ to protect internet access for your users. This scenario does require Azure Virtual
+ WAN with a S2S VPN Gateway in the Hub, as it uses an IPSec tunnel to connect to
+ the provider's infrastructure. SECaaS providers might charge additional license
+ fees and limit throughput on IPSec connections. Alternative solutions such as ZScaler
+ Cloud Connector exist and might be more suitable.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: b1b6c964-c59a-42fb-85fe-61e5ec11da56
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-DirectNetworkTrafficAzureFirewall.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-DirectNetworkTrafficAzureFirewall.yaml
new file mode 100644
index 000000000..bfff61129
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-DirectNetworkTrafficAzureFirewall.yaml
@@ -0,0 +1,15 @@
+name: wafsg-DirectNetworkTrafficAzureFirewall
+title: Direct network traffic through Azure Firewall.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 0d173bba-16e4-4779-bbc6-b18447718271
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-DnsProxyConfigurationInternalDnsInfrastructure.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-DnsProxyConfigurationInternalDnsInfrastructure.yaml
new file mode 100644
index 000000000..84239e162
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-DnsProxyConfigurationInternalDnsInfrastructure.yaml
@@ -0,0 +1,17 @@
+name: wafsg-DnsProxyConfigurationInternalDnsInfrastructure
+title: Enable Azure Firewall (DNS) proxy configuration.
+description: Enabling this feature points clients in the VNets to Azure Firewall as
+ a DNS server. It will protect internal DNS infrastructure that will not be directly
+ accessed and exposed. Azure Firewall must be also configured to use custom DNS that
+ will be used to forward DNS queries.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 35c2f653-acd6-471c-91a9-f7e4a3fcce3e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-InternalEnterpriseCertificationAuthorityAzureFirewallPremium.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-InternalEnterpriseCertificationAuthorityAzureFirewallPremium.yaml
new file mode 100644
index 000000000..ccc1ed642
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-InternalEnterpriseCertificationAuthorityAzureFirewallPremium.yaml
@@ -0,0 +1,17 @@
+name: wafsg-InternalEnterpriseCertificationAuthorityAzureFirewallPremium
+title: Use an Enterprise PKI to generate certificates for TLS Inspection.
+description: With Azure Firewall Premium, if TLS Inspection feature is used, it is
+ recommended to leverage an internal Enterprise Certification Authority (CA) for
+ production environment. Self-signed certificates should be used for testing/PoC
+ purposes only.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: c5db7b18-fa0c-48be-a754-ddb21f1acdcb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeastPrivilegeAccessCriteriaRules.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeastPrivilegeAccessCriteriaRules.yaml
new file mode 100644
index 000000000..685b59a4c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeastPrivilegeAccessCriteriaRules.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LeastPrivilegeAccessCriteriaRules
+title: Create rules for Policies based on least privilege access criteria.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: a8db6917-b19a-4e97-a797-97a3cc882b45
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeastPrivilegeAccessZeroTrustPrincipleLeastPrivilegeAccessCriteria.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeastPrivilegeAccessZeroTrustPrincipleLeastPrivilegeAccessCriteria.yaml
new file mode 100644
index 000000000..aa078dc74
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeastPrivilegeAccessZeroTrustPrincipleLeastPrivilegeAccessCriteria.yaml
@@ -0,0 +1,19 @@
+name: wafsg-LeastPrivilegeAccessZeroTrustPrincipleLeastPrivilegeAccessCriteria
+title: Create rules for Firewall Policies based on least privilege access criteria.
+description: Azure Firewall Policies can be arranged in an hierarchical structure
+ to overlay a central base policy. Allow for granular policies to meet the requirements
+ of specific regions. Each policy can contains different sets of DNAT, Network and
+ Application rules with specific priority, action and processing order. Create your
+ rules based on least privilege access Zero Trust principle . How rules are processed
+ is explained in this article.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: eea03b99-3b97-4c7a-b1ab-76404535a87f
+links: []
+queries: {}
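Review bot: The description ends with "How rules are processed is explained in this article." but `links: []` is empty, so the reference points at nothing once the text is detached from its original page. The same dangling references appear in the other checklists-ext-sourced recos in this chunk: "see Azure Firewall forced tunneling" in wafsg-NewAzureFirewallInstancePrivateDataPlane, "see the Cost section below" in wafsg-PowerfulAzureFirewallPremiumSecurityFeatures, and "follow this guide" in wafsg-VirtualWanScenariosZeroTrustConfigurationGuide. Either carry the source URL across as a `- type: docs` entry under `links:` or drop the trailing sentence so the description stands on its own. There is also a stray space before the period in `Zero Trust principle .`.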
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeverageThreatIntelligence.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeverageThreatIntelligence.yaml
new file mode 100644
index 000000000..31d16ce6f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-LeverageThreatIntelligence.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LeverageThreatIntelligence
+title: Leverage Threat Intelligence.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: dbfeaa71-3a9d-4c45-b68c-05fd8ccd6d66
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-NewAzureFirewallInstancePrivateDataPlane.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-NewAzureFirewallInstancePrivateDataPlane.yaml
new file mode 100644
index 000000000..9581a04f9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-NewAzureFirewallInstancePrivateDataPlane.yaml
@@ -0,0 +1,20 @@
+name: wafsg-NewAzureFirewallInstancePrivateDataPlane
+title: Set the public IP address to None to deploy a fully private data plane when
+ you configure Azure Firewall in the forced tunneling mode (does not apply to Azure
+ Virtual WAN).
+description: When you deploy a new Azure Firewall instance, if you enable the forced
+ tunneling mode, you can set the public IP address to None to deploy a fully private
+ data plane. However, the management plane still requires a public IP for management
+ purposes only. The internal traffic from virtual and on-premises networks won't
+ use that public IP. For more about forced tunneling, see Azure Firewall forced tunneling.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 0b4f833f-2a39-4d49-85b2-221317d24865
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-PowerfulAzureFirewallPremiumSecurityFeatures.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-PowerfulAzureFirewallPremiumSecurityFeatures.yaml
new file mode 100644
index 000000000..96d4647c8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-PowerfulAzureFirewallPremiumSecurityFeatures.yaml
@@ -0,0 +1,17 @@
+name: wafsg-PowerfulAzureFirewallPremiumSecurityFeatures
+title: Enable IDPS in Alert or Alert and deny mode.
+description: IDPS is one of the most powerful Azure Firewall (Premium) security features
+ and should be enabled. Based on security and application requirements, and considering
+ the performance impact (see the Cost section below), Alert or Alert and deny modes
+ can be selected.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 25ca3e7f-b569-4ddf-8f50-3577a7f8a86c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-PrivateIpAddressExistingNetworkRoutes.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-PrivateIpAddressExistingNetworkRoutes.yaml
new file mode 100644
index 000000000..75038df15
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-PrivateIpAddressExistingNetworkRoutes.yaml
@@ -0,0 +1,20 @@
+name: wafsg-PrivateIpAddressExistingNetworkRoutes
+title: If not possible to apply UDR, and only web traffic redirection is required,
+ consider using Azure Firewall as an Explicit Proxy
+description: With explicit proxy feature enabled on the outbound path, you can configure
+ a proxy setting on the sending web application (such as a web browser) with Azure
+ Firewall configured as the proxy. As a result, web traffic will reach the firewall's
+ private IP address and therefore egresses directly from the firewall without using
+ a UDR. This feature also facilitates the usage of multiple firewalls without modifying
+ existing network routes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 24f05ffb-5b19-4ff8-8168-0884bfd131cd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-QualifiedDomainNamesOutboundNetworkTraffic.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-QualifiedDomainNamesOutboundNetworkTraffic.yaml
new file mode 100644
index 000000000..e5a24a2a0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-QualifiedDomainNamesOutboundNetworkTraffic.yaml
@@ -0,0 +1,18 @@
+name: wafsg-QualifiedDomainNamesOutboundNetworkTraffic
+title: Use FQDN Tags in Application Rules to enable selective access to specific Microsoft
+ services.
+description: An FQDN tag represents a group of fully qualified domain names (FQDNs)
+ associated with well known Microsoft services. You can use an FQDN tag in application
+ rules to allow the required outbound network traffic through your firewall for some
+ specific Azure services, Office 365, Windows 365 and Intune.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 2ee28c36-0f0e-4da4-96a9-985f44b29615
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-ThirdPartySecuritySecaasProviders.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-ThirdPartySecuritySecaasProviders.yaml
new file mode 100644
index 000000000..3e0848f79
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-ThirdPartySecuritySecaasProviders.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ThirdPartySecuritySecaasProviders
+title: Determine if you want to use third-party security as a service (SECaaS) providers.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 6cf7bc2c-7416-48d1-8966-05f18b4c77dc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-Tunneling.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-Tunneling.yaml
new file mode 100644
index 000000000..d43d3998f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-Tunneling.yaml
@@ -0,0 +1,15 @@
+name: wafsg-Tunneling
+title: Determine if you need Forced Tunneling.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-firewall.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: f3ff369e-56ed-45da-ad6a-c135803249ba
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-VirtualWanScenariosZeroTrustConfigurationGuide.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-VirtualWanScenariosZeroTrustConfigurationGuide.yaml
new file mode 100644
index 000000000..5b9c34677
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/Security/wafsg-VirtualWanScenariosZeroTrustConfigurationGuide.yaml
@@ -0,0 +1,17 @@
+name: wafsg-VirtualWanScenariosZeroTrustConfigurationGuide
+title: Review Zero-Trust configuration guide for Azure Firewall and Application Gateway
+description: If your security requirements necessitate implementing a Zero-Trust approach
+ for web applications (inspection and encryption), it is recommended to follow this
+ guide. In this document, how to integrate together Azure Firewall and Application
+ Gateway will be explained, in both traditional Hub & Spoke and Virtual WAN scenarios.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/azurefirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 96522d15-f2d0-41d0-b021-c87b47bf8b59
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-AzfwLatencyProbeMetricFirewallInstanceCpus.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-AzfwLatencyProbeMetricFirewallInstanceCpus.yaml
new file mode 100644
index 000000000..bee6bb9ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-AzfwLatencyProbeMetricFirewallInstanceCpus.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzfwLatencyProbeMetricFirewallInstanceCpus
+title: Monitor "AZFW Latency Probe" metric
+description: |-
+ Creating a metric to monitor latency probes over 20ms for periods longer than 30ms helps identify when firewall instance CPUs are stressed, potentially indicating issues.
+source:
+ type: aprl
+ file: azure-resources/Network/azureFirewalls/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/azureFirewalls
+severity: 0
+labels:
+ guid: 8faace2d-a36e-425c-aa58-2ad99e3e0b7a
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under development
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-LeverageAzureFirewallPolicyInheritanceModelAzureCustomRoles.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-LeverageAzureFirewallPolicyInheritanceModelAzureCustomRoles.yaml
new file mode 100644
index 000000000..5c6061b61
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-LeverageAzureFirewallPolicyInheritanceModelAzureCustomRoles.yaml
@@ -0,0 +1,18 @@
+name: aprl-LeverageAzureFirewallPolicyInheritanceModelAzureCustomRoles
+title: Leverage Azure Firewall policy inheritance model
+description: |-
+ Azure Firewall policy supports rule hierarchies for compliance enforcement, using a central base policy with higher priority over child policies, and employs Azure custom roles to safeguard base policy and manage access within subscriptions or groups.
+source:
+ type: aprl
+ file: azure-resources/Network/azureFirewalls/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/azureFirewalls
+severity: 1
+labels:
+ guid: 3a63560a-1ed3-6140-acd1-d1d23f9a2e12
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-OutboundSnatPortUsageSecureVirtualHubNetworks.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-OutboundSnatPortUsageSecureVirtualHubNetworks.yaml
new file mode 100644
index 000000000..b21d95d36
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-OutboundSnatPortUsageSecureVirtualHubNetworks.yaml
@@ -0,0 +1,38 @@
+name: aprl-OutboundSnatPortUsageSecureVirtualHubNetworks
+title: Monitor Azure Firewall metrics
+description: |-
+ Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks.
+source:
+ type: aprl
+ file: azure-resources/Network/azureFirewalls/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/azureFirewalls
+severity: 0
+labels:
+ guid: 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // List all Azure Firewalls resources in-scope, along with any metrics associated to Azure Monitor alert rules, that are not fully configured.
+ resources
+ | where type == "microsoft.network/azurefirewalls"
+ | project firewallId = tolower(id), name, tags
+ | join kind = leftouter (
+ resources
+ | where type == "microsoft.insights/metricalerts"
+ | mv-expand properties.scopes
+ | mv-expand properties.criteria.allOf
+ | where properties_scopes contains "azureFirewalls"
+ | project metricId = tolower(properties_scopes), monitoredMetric = properties_criteria_allOf.metricName, tags
+ | summarize monitoredMetrics = make_list(monitoredMetric) by tostring(metricId)
+ | project
+ metricId,
+ monitoredMetrics,
+ allAlertsConfigured = monitoredMetrics contains("FirewallHealth") and monitoredMetrics contains ("Throughput") and monitoredMetrics contains ("SNATPortUtilization")
+ ) on $left.firewallId == $right.metricId
+ | extend alertsNotFullyConfigured = isnull(allAlertsConfigured) or not(allAlertsConfigured)
+ | where alertsNotFullyConfigured
+ | project recommendationId = "c8fa7c6-6b78-a24a-a63f-348a7c71acb9", name, id = firewallId, tags, param1 = strcat("MetricsAlerts:", monitoredMetrics)
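Review bot: The `recommendationId` emitted by the ARG query, `"c8fa7c6-6b78-a24a-a63f-348a7c71acb9"`, is missing the leading `3` of the reco's own `guid: 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9`, so query results will not correlate back to this recommendation by id. The last line should read `| project recommendationId = "3c8fa7c6-6b78-a24a-a63f-348a7c71acb9", name, id = firewallId, tags, param1 = strcat("MetricsAlerts:", monitoredMetrics)`. The other queries in this chunk (aprl-SingleAvailabilityZoneMultipleAvailabilityZones, aprl-VirtualNetworkHostingAzureFirewallVnet) do match their `guid`, so a check that `recommendationId` equals `labels.guid` would catch this class of copy error at generation time.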
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-SingleAvailabilityZoneMultipleAvailabilityZones.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-SingleAvailabilityZoneMultipleAvailabilityZones.yaml
new file mode 100644
index 000000000..532d1ae80
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-SingleAvailabilityZoneMultipleAvailabilityZones.yaml
@@ -0,0 +1,24 @@
+name: aprl-SingleAvailabilityZoneMultipleAvailabilityZones
+title: Deploy Azure Firewall across multiple availability zones
+description: |-
+ Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.
+source:
+ type: aprl
+ file: azure-resources/Network/azureFirewalls/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/azureFirewalls
+severity: 0
+labels:
+ guid: c72b7fee-1fa0-5b4b-98e5-54bcae95bb74
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // List all Azure Firewalls that are not configured with multiple availability zones or deployed without a zone
+ resources
+ | where type == 'microsoft.network/azurefirewalls'
+ | where array_length(zones) <= 1 or isnull(zones)
+ | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
+ | project recommendationId = "c72b7fee-1fa0-5b4b-98e5-54bcae95bb74", name, id, tags, param1="multipleZones:false"
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-TwoToFourPublicIpAddressesSnatPortUtilization.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-TwoToFourPublicIpAddressesSnatPortUtilization.yaml
new file mode 100644
index 000000000..bddf8f83f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-TwoToFourPublicIpAddressesSnatPortUtilization.yaml
@@ -0,0 +1,18 @@
+name: aprl-TwoToFourPublicIpAddressesSnatPortUtilization
+title: Configure 2-4 PIPs for SNAT Port utilization
+description: |-
+ Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall offers SNAT for all outbound traffic to public IPs, providing 2,496 SNAT ports for each additional PIP.
+source:
+ type: aprl
+ file: azure-resources/Network/azureFirewalls/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/azureFirewalls
+severity: 1
+labels:
+ guid: d2e4a38e-2307-4299-a217-4c0cebc9a7f6
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under development
diff --git a/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-VirtualNetworkHostingAzureFirewallVnet.yaml b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-VirtualNetworkHostingAzureFirewallVnet.yaml
new file mode 100644
index 000000000..f167c1783
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-azureFirewalls/aprl-VirtualNetworkHostingAzureFirewallVnet.yaml
@@ -0,0 +1,38 @@
+name: aprl-VirtualNetworkHostingAzureFirewallVnet
+title: Configure DDoS Protection on the Azure Firewall VNet
+description: |-
+ Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans.
+source:
+ type: aprl
+ file: azure-resources/Network/azureFirewalls/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/azureFirewalls
+severity: 0
+labels:
+ guid: 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d
+ area: Security
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // List all in-scope Azure Firewall resources, where the VNet is not associated to a DDoS Protection Plan
+ resources
+ | where type =~ "Microsoft.Network/azureFirewalls"
+ | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
+ | mv-expand ipConfig = properties.ipConfigurations
+ | project
+ name,
+ firewallId = id,
+ tags,
+ vNetName = split(ipConfig.properties.subnet.id, "/", 8)[0],
+ vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, "/subnet")))
+ | join kind=fullouter (
+ resources
+ | where type =~ "Microsoft.Network/ddosProtectionPlans"
+ | mv-expand vNet = properties.virtualNetworks
+ | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id)
+ )
+ on vNetId
+ | where isempty(ddosProtectionPlanId)
+ | project recommendationId = "1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d", name, id = firewallId, tags, param1 = strcat("vNet: ", vNetName), param2 = "ddosProtection: Disabled"
diff --git a/v2/recos/Services/MicrosoftNetwork-connections/aprl-GatewayConnectionResourcesAzureResourceLock.yaml b/v2/recos/Services/MicrosoftNetwork-connections/aprl-GatewayConnectionResourcesAzureResourceLock.yaml
new file mode 100644
index 000000000..4a95e7565
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-connections/aprl-GatewayConnectionResourcesAzureResourceLock.yaml
@@ -0,0 +1,18 @@
+name: aprl-GatewayConnectionResourcesAzureResourceLock
+title: Configure an Azure Resource Lock on connections to prevent accidental deletion
+description: |-
+ Configure an Azure Resource lock for Gateway Connection resources to prevent accidental deletion and maintain connectivity between on-premises networks and Azure workloads.
+source:
+ type: aprl
+ file: azure-resources/Network/connections/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/connections
+severity: 0
+labels:
+ guid: a5f3a4bd-4cf1-4196-a3cb-f5a0876198b2
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-connections/aprl-VirtualNetworkDataPathPerformanceVirtualMachines.yaml b/v2/recos/Services/MicrosoftNetwork-connections/aprl-VirtualNetworkDataPathPerformanceVirtualMachines.yaml
new file mode 100644
index 000000000..9b26a7006
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-connections/aprl-VirtualNetworkDataPathPerformanceVirtualMachines.yaml
@@ -0,0 +1,19 @@
+name: aprl-VirtualNetworkDataPathPerformanceVirtualMachines
+title: For better data path performance enable FastPath on ExpressRoute Direct and
+ Gateway
+description: |-
+ ExpressRoute gateways facilitate network traffic and route exchanges. FastPath enhances on-premises to virtual network data path performance by directing traffic straight to virtual machines, bypassing the gateway for improved resiliency through reduced gateway utilization.
+source:
+ type: aprl
+ file: azure-resources/Network/connections/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/connections
+severity: 1
+labels:
+ guid: f6a14b32-a727-4ace-b5fa-7b1c6bdff402
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-ddosProtectionPlans/aprl-AzureDdosProtectionPlanMetricsAzureDdosPlanMetrics.yaml b/v2/recos/Services/MicrosoftNetwork-ddosProtectionPlans/aprl-AzureDdosProtectionPlanMetricsAzureDdosPlanMetrics.yaml
new file mode 100644
index 000000000..4e030c12d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-ddosProtectionPlans/aprl-AzureDdosProtectionPlanMetricsAzureDdosPlanMetrics.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureDdosProtectionPlanMetricsAzureDdosPlanMetrics
+title: Monitor Azure DDoS Protection Plan metrics
+description: |-
+ Azure DDoS Plan metrics differentiate packets and bytes by tags: Dropped (packets scrubbed by DDoS), Forwarded (packets to VIP not filtered), and No tag (total packets, sum of dropped and forwarded).
+source:
+ type: aprl
+ file: azure-resources/Network/ddosProtectionPlans/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/ddosProtectionPlans
+severity: 1
+labels:
+ guid: ae054bf2-aefa-cf4a-8282-741194cef8da
+ area: Security
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-AzureDnsDnsRecords.yaml b/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-AzureDnsDnsRecords.yaml
new file mode 100644
index 000000000..b989b2c6e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-AzureDnsDnsRecords.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureDnsDnsRecords
+title: Enable auto-registration for Azure DNS to automatically manage the lifecycle
+ of the DNS records for the virtual machines deployed within a virtual network.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/dnszones
+waf: Operations
+severity: 0
+labels:
+ guid: 614658d3-558f-4d77-849b-821112df27ee
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/dns/private-dns-autoregistration
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-AzurePrivateDnsDelegatedZone.yaml b/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-AzurePrivateDnsDelegatedZone.yaml
new file mode 100644
index 000000000..a44a2a70f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-AzurePrivateDnsDelegatedZone.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzurePrivateDnsDelegatedZone
+title: For environments where name resolution in Azure is all that's required, use
+ Azure Private DNS for resolution with a delegated zone for name resolution (such
+ as 'azure.contoso.com').
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/dnszones
+waf: Operations
+severity: 1
+labels:
+ guid: 153e8908-ae28-4c84-a33b-6b7808b9fe5c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-RedHatOpenshiftPreferredDnsSolution.yaml b/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-RedHatOpenshiftPreferredDnsSolution.yaml
new file mode 100644
index 000000000..5d1e16905
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-dnsZones/Operations/revcl-RedHatOpenshiftPreferredDnsSolution.yaml
@@ -0,0 +1,16 @@
+name: revcl-RedHatOpenshiftPreferredDnsSolution
+title: Special workloads that require and deploy their own DNS (such as Red Hat OpenShift)
+ should use their preferred DNS solution.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/dnszones
+waf: Operations
+severity: 2
+labels:
+ guid: 1e6a83de-5de3-42c1-a924-81607d5d1e4e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-dnsZones/Reliability/revcl-AzureDnsPrivateResolversPremisesDnsServices.yaml b/v2/recos/Services/MicrosoftNetwork-dnsZones/Reliability/revcl-AzureDnsPrivateResolversPremisesDnsServices.yaml
new file mode 100644
index 000000000..6f8edac64
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-dnsZones/Reliability/revcl-AzureDnsPrivateResolversPremisesDnsServices.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureDnsPrivateResolversPremisesDnsServices
+title: Implement DNS Failover using Azure DNS Private Resolvers
+description: To eliminate a single point of failure in your on-premises DNS services
+ and ensure reliable DNS resolution during business continuity and disaster recovery
+ scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple
+ regions. By deploying two or more Azure DNS private resolvers across different regions,
+ you can enable DNS failover and achieve resiliency in your DNS infrastructure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/dnszones
+waf: Reliability
+severity: 2
+labels:
+ guid: 43da1dae-2cc8-4814-9060-7c1cca0e6146
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-dnsZones/Security/revcl-AzureDnsPrivateResolverNameResolution.yaml b/v2/recos/Services/MicrosoftNetwork-dnsZones/Security/revcl-AzureDnsPrivateResolverNameResolution.yaml
new file mode 100644
index 000000000..25d943b48
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-dnsZones/Security/revcl-AzureDnsPrivateResolverNameResolution.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureDnsPrivateResolverNameResolution
+title: For environments where name resolution across Azure and on-premises is required,
+ consider using Azure DNS Private Resolver.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/dnszones
+waf: Security
+severity: 1
+labels:
+ guid: 41049d40-3a92-43c3-974d-00018ac6a9e0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/dns/dns-private-resolver-overview
+- type: docs
+ url: https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-expressRouteGateways/aprl-DiversePeeringLocationsDifferentPeeringLocation.yaml b/v2/recos/Services/MicrosoftNetwork-expressRouteGateways/aprl-DiversePeeringLocationsDifferentPeeringLocation.yaml
new file mode 100644
index 000000000..0d335fb61
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-expressRouteGateways/aprl-DiversePeeringLocationsDifferentPeeringLocation.yaml
@@ -0,0 +1,21 @@
+name: aprl-DiversePeeringLocationsDifferentPeeringLocation
+title: Connect v-Hub's ExpressRoute gateway to circuits from diverse peering locations
+ for resilience
+description: To increase reliability, it's advised that each v-Hub's ExpressRoute
+ gateway connects to at least two circuits, with each circuit originating from a
+ different peering location than the other, ensuring diverse connectivity paths for
+ enhanced resilience.|
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteGateways
+severity: 0
+labels:
+ guid: 9987c813-d687-4163-a511-95f31bc5e536
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // under-development
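Review bot: The description's last line, `enhanced resilience.|`, carries a stray `|` that looks like a leftover YAML block-scalar indicator from the upstream text rather than part of the sentence; it will be rendered verbatim to users. The line should end `enhanced resilience.`. This is the only description in the chunk with the artifact, but since the other aprl recos use `description: |-` block scalars, the generator may be concatenating the indicator when the source uses a folded form — worth a look at where the text is normalised.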
diff --git a/v2/recos/Services/MicrosoftNetwork-expressRouteGateways/aprl-VirtualWanExpressRouteGatewayBgpRoutesPrefixes.yaml b/v2/recos/Services/MicrosoftNetwork-expressRouteGateways/aprl-VirtualWanExpressRouteGatewayBgpRoutesPrefixes.yaml
new file mode 100644
index 000000000..751b32e17
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-expressRouteGateways/aprl-VirtualWanExpressRouteGatewayBgpRoutesPrefixes.yaml
@@ -0,0 +1,20 @@
+name: aprl-VirtualWanExpressRouteGatewayBgpRoutesPrefixes
+title: Monitor health for v-Hub's ExpressRoute gateway
+description: Set up monitoring and alerts for Virtual WAN Express Route Gateway. Create
+ alert rule for ensuring promptly response to critical events such as exceeding packets
+ per second, exceeding BGP routes prefixes, Gateway overutilization and high frequency
+ in route changes.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteGateways
+severity: 0
+labels:
+ guid: 17e8d380-e4b4-41a1-9b37-2e4df9fd5125
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-AzureApplicationGatewayWafLogsFalsePositives.yaml b/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-AzureApplicationGatewayWafLogsFalsePositives.yaml
new file mode 100644
index 000000000..f4436ae1d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-AzureApplicationGatewayWafLogsFalsePositives.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureApplicationGatewayWafLogsFalsePositives
+title: Check Azure Application Gateway WAF logs for mistakenly blocked valid requests
+description: |-
+ WAF may block legitimate requests as false positives. Identifying blocked requests within the last 24 hours through Log Analytics can help manage and mitigate these incorrect blockages efficiently.
+source:
+ type: aprl
+ file: azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/frontdoorWebApplicationFirewallPolicies
+severity: 0
+labels:
+ guid: 537b4d94-edd1-4041-b13d-8217dfa485f0
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-AzureFrontDoorWafLogsFalsePositives.yaml b/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-AzureFrontDoorWafLogsFalsePositives.yaml
new file mode 100644
index 000000000..4fda54430
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-AzureFrontDoorWafLogsFalsePositives.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureFrontDoorWafLogsFalsePositives
+title: Inspect Azure Front Door WAF logs for wrongfully blocked legitimate requests
+description: |-
+ WAF may mistakenly block legitimate requests (false positives). These can be identified by examining the last 24 hours of blocked requests in Log Analytics.
+source:
+ type: aprl
+ file: azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/frontdoorWebApplicationFirewallPolicies
+severity: 0
+labels:
+ guid: d0cfe47f-686b-5043-bf83-5a3868acb80a
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-WebApplicationFirewallAzureMonitorLogs.yaml b/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-WebApplicationFirewallAzureMonitorLogs.yaml
new file mode 100644
index 000000000..4ab12d5bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-frontdoorWebApplicationFirewallPolicies/aprl-WebApplicationFirewallAzureMonitorLogs.yaml
@@ -0,0 +1,18 @@
+name: aprl-WebApplicationFirewallAzureMonitorLogs
+title: Monitor Web Application Firewall
+description: |-
+ Monitoring the health of your Web Application Firewall and the applications it protects is crucial. This can be achieved through integration with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs, ensuring optimal performance and security.
+source:
+ type: aprl
+ file: azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/frontdoorWebApplicationFirewallPolicies
+severity: 0
+labels:
+ guid: 5357ae22-0f52-1a49-9fd4-1f00ace6add0
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/Reliability/revcl-LoadBalancerOutboundRulesAzureNatGateway.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/Reliability/revcl-LoadBalancerOutboundRulesAzureNatGateway.yaml
new file mode 100644
index 000000000..5509971b9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/Reliability/revcl-LoadBalancerOutboundRulesAzureNatGateway.yaml
@@ -0,0 +1,18 @@
+name: revcl-LoadBalancerOutboundRulesAzureNatGateway
+title: Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT
+ scalability
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/loadbalancers
+waf: Reliability
+severity: 0
+labels:
+ guid: 97a2fd46-64b0-1dfa-b72d-9c8869496d75
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity
+queries:
+ arg: resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules)
+ | extend compliant = (countOutRules == 0) | distinct id,compliant
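Review bot: `compliant = (countOutRules == 0)` on the last line yields null rather than true when `properties.outboundRules` is absent from a load balancer, because `array_length` of a missing property is null and in KQL a comparison against null is itself null; that resource then appears as neither compliant nor non-compliant. `| extend compliant = (coalesce(countOutRules, 0) == 0) | distinct id,compliant` makes the absent-property case count as "no outbound rules". Whether ARG omits the property for such load balancers (e.g. Basic SKU) is not visible here, so verify against real output. The same null comparison appears in aprl-AzureLoadBalancersBackendInstancesAvailability (`| where array_length(properties.probes) == 0`), where a missing `probes` property would hide exactly the resources that query is meant to report.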
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/Security/revcl-AzureLoadBalancersStandardSku.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/Security/revcl-AzureLoadBalancersStandardSku.yaml
new file mode 100644
index 000000000..514a435ad
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/Security/revcl-AzureLoadBalancersStandardSku.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureLoadBalancersStandardSku
+title: Ensure you are using the Standard SKU for your Azure Load Balancers
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/loadbalancers
+waf: Security
+severity: 1
+labels:
+ guid: 4e35fbf5-0ae2-48b2-97ce-753353edbd1a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-overview
+queries:
+ arg: resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name)
+ == 'standard')
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/Security/revcl-LoadBalancersFrontendIpAddressesZonalFrontends.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/Security/revcl-LoadBalancersFrontendIpAddressesZonalFrontends.yaml
new file mode 100644
index 000000000..b7c37c026
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/Security/revcl-LoadBalancersFrontendIpAddressesZonalFrontends.yaml
@@ -0,0 +1,16 @@
+name: revcl-LoadBalancersFrontendIpAddressesZonalFrontends
+title: Ensure your Load Balancers frontend IP addresses are zone-redundant (unless
+ you require zonal frontends).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/loadbalancers
+waf: Security
+severity: 1
+labels:
+ guid: 9432621a-8397-4654-a882-5bc856b7ef83
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-AzureLoadBalancersBackendInstancesAvailability.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-AzureLoadBalancersBackendInstancesAvailability.yaml
new file mode 100644
index 000000000..85a37d5c4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-AzureLoadBalancersBackendInstancesAvailability.yaml
@@ -0,0 +1,23 @@
+name: aprl-AzureLoadBalancersBackendInstancesAvailability
+title: Use Health Probes to detect backend instances availability
+description: |-
+ Health probes are used by Azure Load Balancers to determine the status of backend endpoints. Using custom health probes that are aligned with vendor recommendations enhances understanding of backend availability and facilitates monitoring of backend services for any impact.
+source:
+ type: aprl
+ file: azure-resources/Network/loadBalancers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/loadBalancers
+severity: 0
+labels:
+ guid: e5f5fcea-f925-4578-8599-9a391e888a60
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // List the load balancers which don't have health probe configured
+ resources
+ | where type =~ "microsoft.network/loadbalancers"
+ | where array_length(properties.probes) == 0
+ | project recommendationId="e5f5fcea-f925-4578-8599-9a391e888a60", name, id, tags, param1="customHealthProbeUsed: false"
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardLoadBalancerSkuStandardSkuLoadBalancer.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardLoadBalancerSkuStandardSkuLoadBalancer.yaml
new file mode 100644
index 000000000..45b8d7cfa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardLoadBalancerSkuStandardSkuLoadBalancer.yaml
@@ -0,0 +1,23 @@
+name: aprl-StandardLoadBalancerSkuStandardSkuLoadBalancer
+title: Use Standard Load Balancer SKU
+description: |-
+ Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.
+source:
+ type: aprl
+ file: azure-resources/Network/loadBalancers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/loadBalancers
+severity: 0
+labels:
+ guid: 38c3bca1-97a1-eb42-8cd3-838b243f35ba
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all LoadBalancers using Basic SKU
+ resources
+ | where type =~ 'Microsoft.Network/loadBalancers'
+ | where sku.name == 'Basic'
+ | project recommendationId = "38c3bca1-97a1-eb42-8cd3-838b243f35ba", name, id, tags, Param1=strcat("sku-tier: basic")
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardLoadBalancerZoneRedundantFrontendIp.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardLoadBalancerZoneRedundantFrontendIp.yaml
new file mode 100644
index 000000000..18141eb49
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardLoadBalancerZoneRedundantFrontendIp.yaml
@@ -0,0 +1,50 @@
+name: aprl-StandardLoadBalancerZoneRedundantFrontendIp
+title: Ensure Standard Load Balancer is zone-redundant
+description: |-
+ In regions with Availability Zones, assigning a zone-redundant frontend IP to a Standard Load Balancer ensures continuous traffic distribution even if one availability zone fails, provided other healthy zones and backend instances are available to receive the traffic.
+source:
+ type: aprl
+ file: azure-resources/Network/loadBalancers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/loadBalancers
+severity: 0
+labels:
+ guid: 621dbc78-3745-4d32-8eac-9e65b27b7512
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all LoadBalancers with with regional or zonal public IP Addresses
+ resources
+ | where type == "microsoft.network/loadbalancers"
+ | where tolower(sku.name) != 'basic'
+ | mv-expand feIPconfigs = properties.frontendIPConfigurations
+ | extend
+ feConfigName = (feIPconfigs.name),
+ PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id),
+ PrivateIPZones = feIPconfigs.zones,
+ PIPid = toupper(feIPconfigs.properties.publicIPAddress.id),
+ JoinID = toupper(id)
+ | where isnotempty(PrivateSubnetId)
+ | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2
+ | project name, feConfigName, id
+ | union (resources
+ | where type == "microsoft.network/loadbalancers"
+ | where tolower(sku.name) != 'basic'
+ | mv-expand feIPconfigs = properties.frontendIPConfigurations
+ | extend
+ feConfigName = (feIPconfigs.name),
+ PIPid = toupper(feIPconfigs.properties.publicIPAddress.id),
+ JoinID = toupper(id)
+ | where isnotempty(PIPid)
+ | join kind=innerunique (
+ resources
+ | where type == "microsoft.network/publicipaddresses"
+ | where isnull(zones) or array_length(zones) < 2
+ | extend
+ LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))),
+ InnerID = toupper(id)
+ ) on $left.PIPid == $right.InnerID)
+ | project recommendationId = "621dbc78-3745-4d32-8eac-9e65b27b7512", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Frontend IP Configuration:", " ", feConfigName)
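Review bot: The first branch projects only `name, feConfigName, id` before the `union`, so `tags` in the final `project` is null for every subnet-based frontend row while the public-IP rows carry it. Keeping the column through the first branch, `| project name, feConfigName, id, tags`, makes both halves of the result uniform for whatever consumes `tags` downstream. The header comment on the `// Find all LoadBalancers with with regional or zonal ...` line also has a doubled word.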
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardPublicLoadBalancerManualPortAllocation.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardPublicLoadBalancerManualPortAllocation.yaml
new file mode 100644
index 000000000..e3530ebb2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-StandardPublicLoadBalancerManualPortAllocation.yaml
@@ -0,0 +1,24 @@
+name: aprl-StandardPublicLoadBalancerManualPortAllocation
+title: Use NAT Gateway instead of Outbound Rules for Production Workloads
+description: |-
+ Outbound rules for Standard Public Load Balancer involve manual port allocation for backend pools, limiting scalability and risk of SNAT port exhaustion. NAT Gateway is recommended for its dynamic scaling and secure internet connectivity.
+source:
+ type: aprl
+ file: azure-resources/Network/loadBalancers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/loadBalancers
+severity: 1
+labels:
+ guid: 8d319a05-677b-944f-b9b4-ca0fb42e883c
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all LoadBalancers with Outbound rules configured
+ resources
+ | where type =~ 'Microsoft.Network/loadBalancers'
+ | extend outboundRules = array_length(properties.outboundRules)
+ | where outboundRules > 0
+ | project recommendationId = "8d319a05-677b-944f-b9b4-ca0fb42e883c", name, id, tags, Param1 = "outboundRules: >=1"
diff --git a/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-VirtualMachineScaleSetsOptimalScaleBuilding.yaml b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-VirtualMachineScaleSetsOptimalScaleBuilding.yaml
new file mode 100644
index 000000000..b27efe933
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-loadBalancers/aprl-VirtualMachineScaleSetsOptimalScaleBuilding.yaml
@@ -0,0 +1,52 @@
+name: aprl-VirtualMachineScaleSetsOptimalScaleBuilding
+title: Ensure the Backend Pool contains at least two instances
+description: |-
+ Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building.
+source:
+ type: aprl
+ file: azure-resources/Network/loadBalancers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/loadBalancers
+severity: 0
+labels:
+ guid: 6d82d042-6d61-ad49-86f0-6a5455398081
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool
+ resources
+ | where type =~ 'Microsoft.Network/loadBalancers'
+ | extend bep = properties.backendAddressPools
+ | extend BackEndPools = array_length(bep)
+ | where BackEndPools == 0
+ | project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", name, id, Param1="backendPools", Param2=toint(0), tags
+ | union (resources
+ | where type =~ 'Microsoft.Network/loadBalancers'
+ | where sku.name == "Standard"
+ | extend bep = properties.backendAddressPools
+ | extend BackEndPools = toint(array_length(bep))
+ | mv-expand bip = properties.backendAddressPools
+ | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses)
+ | where toint(BackendAddresses) <= 1
+ | project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", name, id, tags, Param1="backendAddresses", Param2=toint(BackendAddresses))
+ | union (
+ resources
+ | where type =~ 'Microsoft.Network/loadBalancers'
+ | where sku.name == "Basic"
+ | mv-expand properties.backendAddressPools
+ | extend backendPoolId = properties_backendAddressPools.id
+ | project id, name, tags, tostring(backendPoolId), recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", Param1="BackEndPools"
+ | join kind = leftouter (
+ resources
+ | where type =~ "Microsoft.Network/networkInterfaces"
+ | mv-expand properties.ipConfigurations
+ | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools
+ | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id)
+ | summarize poolMembers = count() by backendPoolId
+ | project tostring(backendPoolId), poolMembers ) on backendPoolId
+ | where toint(poolMembers) <= 1
+ | extend BackendAddresses = poolMembers
+ | project id, name, tags, recommendationId, Param1="backendAddresses", Param2=toint(BackendAddresses))
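Review bot: In the Basic SKU branch the `join kind = leftouter` leaves `poolMembers` null for a backend pool that no network interface references, and the following `| where toint(poolMembers) <= 1` then drops that row because a comparison with null is not true in KQL, so a completely empty Basic pool is never reported even though the Standard branch reports pools with 0 addresses and the first branch reports 0 pools. `| where coalesce(toint(poolMembers), 0) <= 1` keeps those rows and `Param2` then reads 0 for them. I am inferring the member count from the join shape; confirm against a Basic load balancer whose pool has no NICs attached.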
diff --git a/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-TotalSnatConnectionCountMetricAzureMonitorBaselineAlerts.yaml b/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-TotalSnatConnectionCountMetricAzureMonitorBaselineAlerts.yaml
new file mode 100644
index 000000000..bf36e0bcf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-TotalSnatConnectionCountMetricAzureMonitorBaselineAlerts.yaml
@@ -0,0 +1,18 @@
+name: aprl-TotalSnatConnectionCountMetricAzureMonitorBaselineAlerts
+title: Configure monitoring and alerting for NAT gateway
+description: |-
+ Use Network Insights for monitoring and alerting on your NAT gateway.Use Total SNAT connection count metric to determine if you're nearing the connection limit of NAT gateway. Set alerts based on Azure Monitor Baseline Alerts (AMBA) thresholds for NAT Gateway
+source:
+ type: aprl
+ file: azure-resources/Network/natGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/natGateways
+severity: 0
+labels:
+ guid: babf75d6-6407-4d90-b01e-5a1768e621f5
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-TotalSnatConnectionCountMetricPublicIpAddress.yaml b/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-TotalSnatConnectionCountMetricPublicIpAddress.yaml
new file mode 100644
index 000000000..8035b02b1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-TotalSnatConnectionCountMetricPublicIpAddress.yaml
@@ -0,0 +1,18 @@
+name: aprl-TotalSnatConnectionCountMetricPublicIpAddress
+title: Scale a NAT gateway to meet the demand of a dynamic workload
+description: |-
+ NAT Gateway provides 64,512 SNAT ports per public IP address and supports up to 16 public IP addresses. Monitor "Total SNAT connection count" metric to determine if you're nearing the connection limit of NAT gateway. You can scale the NAT gateway by adding more public IP addresses.
+source:
+ type: aprl
+ file: azure-resources/Network/natGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/natGateways
+severity: 1
+labels:
+ guid: 4281631c-3d19-4994-8d96-084c2a51a534
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-ZonalNatGatewayDeploymentNatGatewayResource.yaml b/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-ZonalNatGatewayDeploymentNatGatewayResource.yaml
new file mode 100644
index 000000000..5d0015542
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-natGateways/aprl-ZonalNatGatewayDeploymentNatGatewayResource.yaml
@@ -0,0 +1,18 @@
+name: aprl-ZonalNatGatewayDeploymentNatGatewayResource
+title: Consider zonal NAT gateway deployment for zone isolation scenarios
+description: |-
+ A zonal promise for zone isolation scenarios exists when a virtual machine instance using a NAT gateway resource is in the same zone as the NAT gateway resource and its public IP addresses. The pattern you want to use for zone isolation is creating a "zonal stack" per availability zone.
+source:
+ type: aprl
+ file: azure-resources/Network/natGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/natGateways
+severity: 1
+labels:
+ guid: 419df1ea-336b-460a-b6b2-fefe2588fcef
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Reliability/revcl-NsgRulesLimit.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Reliability/revcl-NsgRulesLimit.yaml
new file mode 100644
index 000000000..c71c30596
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Reliability/revcl-NsgRulesLimit.yaml
@@ -0,0 +1,20 @@
+name: revcl-NsgRulesLimit
+title: Consider the limit of NSG rules per NSG (1000).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/networksecuritygroups
+waf: Reliability
+severity: 1
+labels:
+ guid: 0390417d-53dc-44d9-b3f4-c8832f359b41
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works
+queries:
+ arg: resources | where type == 'microsoft.network/networksecuritygroups' | project
+ id, rules = array_length(properties.securityRules) | project id, compliant = (rules
+ < 900)
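Review bot: The title states the limit as 1000 while the query only marks an NSG compliant below 900, and nothing records that the headroom is deliberate, so a later editor may "correct" one value to match the other. A YAML comment above `queries:` such as `# compliant below 900 on purpose: headroom under the 1000-rules-per-NSG limit` would settle it; if these files are regenerated from `./checklists/waf_checklist.en.json`, the remark belongs in that source entry instead. The limit itself is taken from the title and not verified here.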
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-ApplicationSecurityGroupsApplicationTeam.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-ApplicationSecurityGroupsApplicationTeam.yaml
new file mode 100644
index 000000000..d7f67b461
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-ApplicationSecurityGroupsApplicationTeam.yaml
@@ -0,0 +1,20 @@
+name: revcl-ApplicationSecurityGroupsApplicationTeam
+title: The application team should use application security groups at the subnet-level
+ NSGs to help protect multi-tier VMs within the landing zone.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/networksecuritygroups
+waf: Security
+severity: 1
+labels:
+ guid: 9c2299c4-d7b5-47d0-a655-562f2b3e4563
+links:
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-network-security/
+queries:
+ arg: Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets
+ | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup
+ | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet',
+ 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)
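Review bot: The query tests whether each non-platform subnet has an NSG attached (`compliant = isnotnull(subnetNsg)`), not whether application security groups are used, so a compliant result does not establish the control named in the title. It also emits the virtual network `id`, while `resourceTypes` lists `microsoft.network/networksecuritygroups`; if the consumer keys results on the listed type (not visible here) these rows would not line up. If ASG usage cannot be validated with ARG, either use `queries: {}` as the sibling revcl-ApplicationSecurityGroupsMicroSegmentTraffic file does, or add a description stating that the query only checks NSG coverage of subnets.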
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-ApplicationSecurityGroupsMicroSegmentTraffic.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-ApplicationSecurityGroupsMicroSegmentTraffic.yaml
new file mode 100644
index 000000000..7915a3898
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-ApplicationSecurityGroupsMicroSegmentTraffic.yaml
@@ -0,0 +1,18 @@
+name: revcl-ApplicationSecurityGroupsMicroSegmentTraffic
+title: Use NSGs and application security groups to micro-segment traffic within the
+ landing zone and avoid using a central NVA to filter traffic flows.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/networksecuritygroups
+waf: Security
+severity: 1
+labels:
+ guid: a4d87397-48b6-462d-9d15-f512a65498f6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-network-security/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-LandingZonesEastWestTraffic.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-LandingZonesEastWestTraffic.yaml
new file mode 100644
index 000000000..092c2311b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-LandingZonesEastWestTraffic.yaml
@@ -0,0 +1,18 @@
+name: revcl-LandingZonesEastWestTraffic
+title: Use NSGs to help protect traffic across subnets, as well as east/west traffic
+ across the platform (traffic between landing zones).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/networksecuritygroups
+waf: Security
+severity: 1
+labels:
+ guid: 872e52e3-611c-4c58-a5a4-b1511e43a58a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-network-security/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-NsgInboundDefaultRulesVirtualnetworkServiceTag.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-NsgInboundDefaultRulesVirtualnetworkServiceTag.yaml
new file mode 100644
index 000000000..0ae77f440
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-NsgInboundDefaultRulesVirtualnetworkServiceTag.yaml
@@ -0,0 +1,23 @@
+name: revcl-NsgInboundDefaultRulesVirtualnetworkServiceTag
+title: Don't rely on the NSG inbound default rules using the VirtualNetwork service
+ tag to limit connectivity.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/networksecuritygroups
+waf: Security
+severity: 1
+labels:
+ guid: 11deb39d-8299-4e47-bbe0-0fb5a36318a8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags
+queries:
+ arg: resources | where type=='microsoft.network/networksecuritygroups' | mvexpand
+ properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange
+ | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*'
+ and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection
+ == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where
+ type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0
+ | extend compliant=false | project id,compliant)
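Review bot: `| where ruleDirection == 'Inbound'` after the `summarize` discards NSGs whose custom rules are all Outbound, so such an NSG gets no row at all — neither the `compliant=false` the zero-rule `union` branch produces nor a true. Folding the direction into the count avoids that: `| summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*' and ruleDirection=='Inbound') by id | project id,compliant=(StarDenies>0)`, dropping the separate direction filter. `mvexpand` is the legacy spelling; the other new files in this change use `mv-expand`. The check only credits a deny rule with `*` in every single-valued field, so rules expressed with the plural `destinationPortRanges` / `sourceAddressPrefixes` properties would not count; that may be acceptable but is worth stating in a description.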
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-VnetFlowLogsExternalTrafficFlows.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-VnetFlowLogsExternalTrafficFlows.yaml
new file mode 100644
index 000000000..67733477f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/Security/revcl-VnetFlowLogsExternalTrafficFlows.yaml
@@ -0,0 +1,18 @@
+name: revcl-VnetFlowLogsExternalTrafficFlows
+title: Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights
+ into internal and external traffic flows.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/networksecuritygroups
+waf: Security
+severity: 1
+labels:
+ guid: dfe237de-143b-416c-91d7-aa9b64704489
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-AzureNetworkSecurityGroupsDefaultSecurityRules.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-AzureNetworkSecurityGroupsDefaultSecurityRules.yaml
new file mode 100644
index 000000000..44da201a3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-AzureNetworkSecurityGroupsDefaultSecurityRules.yaml
@@ -0,0 +1,25 @@
+name: aprl-AzureNetworkSecurityGroupsDefaultSecurityRules
+title: The NSG only has Default Security Rules, make sure to configure the necessary
+ rules
+description: |-
+ Azure network security groups filter network traffic between resources in a virtual network, using security rules to allow or deny inbound or outbound traffic based on source, destination, port, and protocol.
+source:
+ type: aprl
+ file: azure-resources/Network/networkSecurityGroups/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkSecurityGroups
+severity: 1
+labels:
+ guid: 8291c1fa-650c-b44b-b008-4deb7465919d
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This query will return all NSGs that have NO security rules
+ resources
+ | where type =~ "microsoft.network/networksecuritygroups"
+ | extend sr = string_size(properties.securityRules)
+ | where sr <=2 or isnull(properties.securityRules)
+ | project recommendationId = "8291c1fa-650c-b44b-b008-4deb7465919d", name, id
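Review bot: `string_size(properties.securityRules) <= 2` detects an empty array by the length of its JSON text (`[]`), an indirect test that also depends on the serialization containing no whitespace. `| where isnull(properties.securityRules) or array_length(properties.securityRules) == 0` states the intent directly and still covers the null case. The header comment says "NO security rules" while the title says "only has Default Security Rules"; these agree because the platform default rules are exposed under `defaultSecurityRules` rather than `securityRules`, and a comment saying so, e.g. `// properties.securityRules holds custom rules only; defaults live in properties.defaultSecurityRules`, would spare the next reader the question.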
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupRulesNetworkSecurityGroups.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupRulesNetworkSecurityGroups.yaml
new file mode 100644
index 000000000..b39f3ace8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupRulesNetworkSecurityGroups.yaml
@@ -0,0 +1,39 @@
+name: aprl-NetworkSecurityGroupRulesNetworkSecurityGroups
+title: Monitor changes in Network Security Groups with Azure Monitor
+description: |-
+ Create Alerts with Azure Monitor for operations like creating or updating Network Security Group rules to catch unauthorized/undesired changes to resources and spot attempts to bypass firewalls or access resources from the outside.
+source:
+ type: aprl
+ file: azure-resources/Network/networkSecurityGroups/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkSecurityGroups
+severity: 2
+labels:
+ guid: 8bb4a57b-55e4-d24e-9c19-2679d8bc779f
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Network Security Groups without alerts for modification configured.
+ resources
+ | where type =~ "Microsoft.Network/networkSecurityGroups"
+ | project name, id, tags, lowerCaseNsgId = tolower(id)
+ | join kind = leftouter (
+ resources
+ | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
+ | mv-expand scope = properties.scopes
+ | where scope has "Microsoft.Network/networkSecurityGroups"
+ | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
+ | where conditionJson has '"Administrative"' and (
+ // Create or Update Network Security Group
+ (conditionJson has '"Microsoft.Network/networkSecurityGroups/write"') or
+ // All administrative operations
+ (conditionJson !has '"Microsoft.Network/networkSecurityGroups/write"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/delete"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/join/action"')
+ )
+ | project lowerCaseNsgIdOfScope = tolower(scope)
+ )
+ on $left.lowerCaseNsgId == $right.lowerCaseNsgIdOfScope
+ | where isempty(lowerCaseNsgIdOfScope)
+ | project recommendationId = "8bb4a57b-55e4-d24e-9c19-2679d8bc779f", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
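Review bot: The join credits an NSG only when an alert's `properties.scopes` entry contains `Microsoft.Network/networkSecurityGroups` and equals the NSG id, so an activity log alert scoped to the subscription or resource group — which fires for the same write operations — is not matched and the NSG is reported as unmonitored. For tenants that centralize alerting this is a systematic false positive; if it is an accepted limitation of the ARG approach, say so in the description, otherwise the comparison has to treat a scope as a prefix of the NSG id, which means restructuring the equi-join. I am inferring the scope strings from ARM conventions; verify against real `activityLogAlerts` rows.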
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupsAccidentalChanges.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupsAccidentalChanges.yaml
new file mode 100644
index 000000000..b00c7d022
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupsAccidentalChanges.yaml
@@ -0,0 +1,19 @@
+name: aprl-NetworkSecurityGroupsAccidentalChanges
+title: Configure locks for Network Security Groups to avoid accidental changes and/or
+ deletion
+description: |-
+ As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental deletions and modifications. The lock overrides user permissions. Locks can prevent either deletions or modifications and are known as Delete and Read-only in the portal.
+source:
+ type: aprl
+ file: azure-resources/Network/networkSecurityGroups/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkSecurityGroups
+severity: 2
+labels:
+ guid: 52ac35e8-9c3e-f84d-8ce8-2fab955333d3
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupsDiagnosticSettings.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupsDiagnosticSettings.yaml
new file mode 100644
index 000000000..83eb707b5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NetworkSecurityGroupsDiagnosticSettings.yaml
@@ -0,0 +1,18 @@
+name: aprl-NetworkSecurityGroupsDiagnosticSettings
+title: Configure Diagnostic Settings for all network security groups
+description: |-
+ Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.
+source:
+ type: aprl
+ file: azure-resources/Network/networkSecurityGroups/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkSecurityGroups
+severity: 1
+labels:
+ guid: d2976d3e-294b-4b49-a1f0-c42566a3758f
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NsgFlowLogsOpenInternetPorts.yaml b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NsgFlowLogsOpenInternetPorts.yaml
new file mode 100644
index 000000000..1392d78e6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-networkSecurityGroups/aprl-NsgFlowLogsOpenInternetPorts.yaml
@@ -0,0 +1,30 @@
+name: aprl-NsgFlowLogsOpenInternetPorts
+title: Configure NSG Flow Logs
+description: |-
+ Monitoring, managing, and understanding your network is crucial for protection and optimization. Knowing the current state, who and from where connections are made, open internet ports, expected and irregular behavior, and traffic spikes is essential.
+source:
+ type: aprl
+ file: azure-resources/Network/networkSecurityGroups/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkSecurityGroups
+severity: 1
+labels:
+ guid: da1a3c06-d1d5-a940-9a99-fcc05966fe7c
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Network Security Groups without NSG Flow logs configured or disabled.
+ resources
+ | where type =~ "Microsoft.Network/networkSecurityGroups"
+ | project name, id, tags, lowerCaseNsgId = tolower(id)
+ | join kind = leftouter (
+ resources
+ | where type == "microsoft.network/networkwatchers/flowlogs" and properties.enabled == true
+ | project flowLogName = name, lowerCaseTargetNsgId = tolower(properties.targetResourceId)
+ )
+ on $left.lowerCaseNsgId == $right.lowerCaseTargetNsgId
+ | where isempty(lowerCaseTargetNsgId)
+ | project recommendationId = "da1a3c06-d1d5-a940-9a99-fcc05966fe7c", name, id, tags, param1 = "NSGFlowLog: Not configured/Disabled"
diff --git a/v2/recos/Services/MicrosoftNetwork-p2sVpnGateways/aprl-UserVpnRouteLimitsConnectionCountLimits.yaml b/v2/recos/Services/MicrosoftNetwork-p2sVpnGateways/aprl-UserVpnRouteLimitsConnectionCountLimits.yaml
new file mode 100644
index 000000000..6d6631538
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-p2sVpnGateways/aprl-UserVpnRouteLimitsConnectionCountLimits.yaml
@@ -0,0 +1,19 @@
+name: aprl-UserVpnRouteLimitsConnectionCountLimits
+title: Monitor health for v-Hub's Point-to-Site VPN gateways
+description: Set up monitoring and alerts for Point-to-Site VPN gateways. Create alert
+ rule for ensuring promptly response to critical events such as Gateway overutilization,
+ connection count limits and User VPN route limits.
+source:
+ type: aprl
+ file: azure-resources/Network/p2sVpnGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/p2sVpnGateways
+severity: 0
+labels:
+ guid: fd43ea32-2ccf-49a8-ada4-9a78794e3ff1
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // under-development
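Review bot: The `queries.arg` value in this file is a lone KQL comment (`// under-development`) with no query behind it, so any consumer that runs every `arg` entry will submit a comment-only query to Resource Graph and most likely receive an error instead of an empty result set. The same placeholder is emitted for the three privateDnsZones recommendations and for aprl-RouteTablesAccidentalChanges, whereas aprl-AlertRuleBgpStatus expresses the no-query case as `queries: {}`. Emitting `queries: {}` (or omitting the `arg` key) whenever the upstream query is comment-only would let tooling distinguish "no automated check available" from a runnable query without parsing KQL comments.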
diff --git a/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-PrivateDnsZoneContributorRolePrivateDnsZones.yaml b/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-PrivateDnsZoneContributorRolePrivateDnsZones.yaml
new file mode 100644
index 000000000..f4fd49731
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-PrivateDnsZoneContributorRolePrivateDnsZones.yaml
@@ -0,0 +1,18 @@
+name: aprl-PrivateDnsZoneContributorRolePrivateDnsZones
+title: Protect private DNS zones and records
+description: |-
+ Private DNS zones and records are critical and their deletion can cause service outages. To protect against unauthorized or accidental changes, the Private DNS Zone Contributor role, a built-in role for managing these resources, should be assigned to specific users or groups.
+source:
+ type: aprl
+ file: azure-resources/Network/privateDnsZones/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/privateDnsZones
+severity: 1
+labels:
+ guid: 2820f6d6-a23c-7a40-aec5-506f3bd1aeb6
+ area: Security
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-PrivateDnsZonesHealthDnsRecords.yaml b/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-PrivateDnsZonesHealthDnsRecords.yaml
new file mode 100644
index 000000000..b9438e842
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-PrivateDnsZonesHealthDnsRecords.yaml
@@ -0,0 +1,18 @@
+name: aprl-PrivateDnsZonesHealthDnsRecords
+title: Monitor Private DNS Zones health and set up alerts
+description: |-
+ The records in a private DNS zone are only resolvable from linked virtual networks. You can link a private DNS zone to multiple networks and enable autoregistration to manage DNS records for virtual machines automatically.
+source:
+ type: aprl
+ file: azure-resources/Network/privateDnsZones/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/privateDnsZones
+severity: 0
+labels:
+ guid: ab896e8c-49b9-2c44-adec-98339aff7821
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-ResourceFailoverEntriesAzurePrivateDns.yaml b/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-ResourceFailoverEntriesAzurePrivateDns.yaml
new file mode 100644
index 000000000..164e697d6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-privateDnsZones/aprl-ResourceFailoverEntriesAzurePrivateDns.yaml
@@ -0,0 +1,19 @@
+name: aprl-ResourceFailoverEntriesAzurePrivateDns
+title: Align Production and DR zones with identical workload and resource failover
+ entries
+description: |-
+ Azure Private DNS offers a reliable, secure way to handle domain names within virtual networks, using custom domains instead of default Azure names. Records in these zones aren't internet-accessible, only resolvable within linked virtual networks.
+source:
+ type: aprl
+ file: azure-resources/Network/privateDnsZones/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/privateDnsZones
+severity: 1
+labels:
+ guid: 1e02335c-1f90-fd4e-a5a5-d359c7b22d70
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-privateEndpoints/aprl-TwoCustomPropertiesStaticIpAddress.yaml b/v2/recos/Services/MicrosoftNetwork-privateEndpoints/aprl-TwoCustomPropertiesStaticIpAddress.yaml
new file mode 100644
index 000000000..6f70b77a3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-privateEndpoints/aprl-TwoCustomPropertiesStaticIpAddress.yaml
@@ -0,0 +1,23 @@
+name: aprl-TwoCustomPropertiesStaticIpAddress
+title: Resolve issues with Private Endpoints in non Succeeded connection state
+description: |-
+ A private endpoint has two custom properties, static IP address and the network interface name, which must be set at creation. If not in Succeeded state, there may be issues with the endpoint or associated resource.
+source:
+ type: aprl
+ file: azure-resources/Network/privateEndpoints/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/privateEndpoints
+severity: 1
+labels:
+ guid: b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // This query will return all Private Endpoints that are not in a Succeeded state
+ resources
+ | where type =~ "microsoft.network/privateendpoints"
+ | where (properties.provisioningState =~ "Succeeded" and (properties.privateLinkServiceConnections[0].properties.provisioningState =~ "Succeeded" or properties.manualPrivateLinkServiceConnections[0].properties.provisioningState =~ "Succeeded")) == false
+ | project recommendationId = "b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7", name, id, tags, param1 = strcat("provisioningState: ", tostring(properties.provisioningState)), param2 = strcat("provisioningState: ", tostring(properties.privateLinkServiceConnections[0].properties.provisioningState)), param3 = strcat("manualProvisioningState: ", tostring(properties.manualPrivateLinkServiceConnections[0].properties.provisioningState))
diff --git a/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-BasicSkuPublicIpAddressesStandardSkuPublicIpAddresses.yaml b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-BasicSkuPublicIpAddressesStandardSkuPublicIpAddresses.yaml
new file mode 100644
index 000000000..b0b81462d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-BasicSkuPublicIpAddressesStandardSkuPublicIpAddresses.yaml
@@ -0,0 +1,23 @@
+name: aprl-BasicSkuPublicIpAddressesStandardSkuPublicIpAddresses
+title: Upgrade Basic SKU public IP addresses to Standard SKU
+description: |-
+ Basic SKU public IP addresses will be retired on September 30, 2025. Users are advised to upgrade to Standard SKU public IP addresses before this date to avoid service disruptions.
+source:
+ type: aprl
+ file: azure-resources/Network/publicIPAddresses/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/publicIPAddresses
+severity: 1
+labels:
+ guid: 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph query
+ // List Basic SKU public IP addresses
+ Resources
+ | where type =~ "Microsoft.Network/publicIPAddresses"
+ | where sku.name =~ "Basic"
+ | project recommendationId = "5cea1501-6fe4-4ec4-ac8f-f72320eb18d3", name, id, tags, param1 = strcat("sku: ", sku.name)
diff --git a/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-PublicIpAddressesDdosProtection.yaml b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-PublicIpAddressesDdosProtection.yaml
new file mode 100644
index 000000000..018adce44
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-PublicIpAddressesDdosProtection.yaml
@@ -0,0 +1,23 @@
+name: aprl-PublicIpAddressesDdosProtection
+title: Public IP addresses should have DDoS protection enabled
+description: |-
+ DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
+source:
+ type: aprl
+ file: azure-resources/Network/publicIPAddresses/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/publicIPAddresses
+severity: 1
+labels:
+ guid: c4254c66-b8a5-47aa-82f6-e7d7fb418f47
+ area: Security
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph query
+ // Public IP addresses should have DDoS protection enabled
+ resources
+ | where type =~ 'Microsoft.Network/publicIPAddresses'
+ | where properties.ddosSettings.protectionMode !in~ ("Enabled", "VirtualNetworkInherited")
+ | project recommendationId="c4254c66-b8a5-47aa-82f6-e7d7fb418f47", name, id, tags, param1=strcat("Apply either DDoS Network protection or DDoS IP Protrection to the public IP address.")
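Review bot: The filter on the line above compares `properties.ddosSettings.protectionMode` with `!in~`, and for a public IP with no `ddosSettings` block at all that left-hand side is null; if Resource Graph evaluates a null `!in~` as false the unprotected addresses the check is meant to surface are the ones that get dropped. Making the intent explicit avoids depending on that null semantics: `| where isnull(properties.ddosSettings.protectionMode) or properties.ddosSettings.protectionMode !in~ ("Enabled", "VirtualNetworkInherited")`. The `param1` text also carries the typo `Protrection`; since this file appears to be generated from the APRL recommendations file named in `source.file`, both corrections belong upstream so the next regeneration does not reintroduce them.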
diff --git a/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-PublicIpAddressesSingleZoneFailure.yaml b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-PublicIpAddressesSingleZoneFailure.yaml
new file mode 100644
index 000000000..dd5de9ed7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-PublicIpAddressesSingleZoneFailure.yaml
@@ -0,0 +1,24 @@
+name: aprl-PublicIpAddressesSingleZoneFailure
+title: Use Standard SKU and Zone-Redundant IPs when applicable
+description: |-
+ Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience.
+source:
+ type: aprl
+ file: azure-resources/Network/publicIPAddresses/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/publicIPAddresses
+severity: 0
+labels:
+ guid: c63b81fb-7afc-894c-a840-91bb8a8dcfaf
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph query
+ // List public IP addresses that are not Zone-Redundant
+ Resources
+ | where type =~ "Microsoft.Network/publicIPAddresses" and sku.tier =~ "Regional"
+ | where isempty(zones) or array_length(zones) <= 1
+ | extend az = case(isempty(zones), "Non-zonal", array_length(zones) <= 1, strcat("Zonal (", strcat_array(zones, ","), ")"), zones)
+ | project recommendationId = "c63b81fb-7afc-894c-a840-91bb8a8dcfaf", name, id, tags, param1 = strcat("sku: ", sku.name), param2 = strcat("availabilityZone: ", az)
diff --git a/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-SecureInternetConnectionsSnatPortExhaustion.yaml b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-SecureInternetConnectionsSnatPortExhaustion.yaml
new file mode 100644
index 000000000..4f85bc8ec
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-publicIPAddresses/aprl-SecureInternetConnectionsSnatPortExhaustion.yaml
@@ -0,0 +1,23 @@
+name: aprl-SecureInternetConnectionsSnatPortExhaustion
+title: Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion
+description: |-
+ Prevent connectivity failures due to SNAT port exhaustion by employing NAT gateway for outbound traffic from virtual networks, ensuring dynamic scaling and secure internet connections.
+source:
+ type: aprl
+ file: azure-resources/Network/publicIPAddresses/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/publicIPAddresses
+severity: 1
+labels:
+ guid: 1adba190-5c4c-e646-8527-dd1b2a6d8b15
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph query
+ // Lists VMs with PIPs
+ resources
+ | where type =~ 'Microsoft.Network/publicIPAddresses'
+ | where tostring(properties.ipConfiguration.id) contains "microsoft.network/networkinterfaces"
+ | project recommendationId="1adba190-5c4c-e646-8527-dd1b2a6d8b15", name, id, tags, param1=strcat("Migrate from instance IP to NAT Gateway")
diff --git a/v2/recos/Services/MicrosoftNetwork-routeTables/aprl-ImproperRoutingChangesRouteTables.yaml b/v2/recos/Services/MicrosoftNetwork-routeTables/aprl-ImproperRoutingChangesRouteTables.yaml
new file mode 100644
index 000000000..787213ddf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-routeTables/aprl-ImproperRoutingChangesRouteTables.yaml
@@ -0,0 +1,39 @@
+name: aprl-ImproperRoutingChangesRouteTables
+title: Monitor changes in Route Tables with Azure Monitor
+description: |-
+ Create Alerts with Azure Monitor for operations like Create or Update Route Table to spot unauthorized/undesired changes in production resources. This setup aids in identifying improper routing changes, including efforts to evade firewalls or access resources from outside.
+source:
+ type: aprl
+ file: azure-resources/Network/routeTables/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/routeTables
+severity: 0
+labels:
+ guid: 23b2dfc7-7e5d-9443-9f62-980ca621b561
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Route Tables without alerts for modification configured.
+ resources
+ | where type =~ "Microsoft.Network/routeTables"
+ | project name, id, tags, lowerCaseRouteTableId = tolower(id)
+ | join kind = leftouter (
+ resources
+ | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
+ | mv-expand scope = properties.scopes
+ | where scope has "Microsoft.Network/routeTables"
+ | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
+ | where conditionJson has '"Administrative"' and (
+ // Create or Update Route Table
+ (conditionJson has '"Microsoft.Network/routeTables/write"') or
+ // All Administrative operations
+ (conditionJson !has '"Microsoft.Network/routeTables/write"' and conditionJson !has '"Microsoft.Network/routeTables/delete"' and conditionJson !has '"Microsoft.Network/routeTables/join/action"')
+ )
+ | project lowerCaseRouteTableIdOfScope = tolower(scope)
+ )
+ on $left.lowerCaseRouteTableId == $right.lowerCaseRouteTableIdOfScope
+ | where isempty(lowerCaseRouteTableIdOfScope)
+ | project recommendationId = "23b2dfc7-7e5d-9443-9f62-980ca621b561", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
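Review bot: The alert-detection subquery only recognises activity log alerts whose individual `scopes` entry contains `Microsoft.Network/routeTables` (`| where scope has "Microsoft.Network/routeTables"`), so an alert scoped at subscription or resource-group level — which would still fire for route-table writes under it — is not matched and every route table beneath it is reported as unmonitored. The "All Administrative operations" branch is also broader than its comment suggests: it accepts any alert that merely does not mention the three listed operations, so an alert conditioned on an unrelated operationName in the same scope would count as coverage. If the upstream query is kept as-is, stating in the description that subscription-scoped alerts are reported as findings would at least set expectations for reviewers triaging the output.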
diff --git a/v2/recos/Services/MicrosoftNetwork-routeTables/aprl-RouteTablesAccidentalChanges.yaml b/v2/recos/Services/MicrosoftNetwork-routeTables/aprl-RouteTablesAccidentalChanges.yaml
new file mode 100644
index 000000000..c7282377d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-routeTables/aprl-RouteTablesAccidentalChanges.yaml
@@ -0,0 +1,18 @@
+name: aprl-RouteTablesAccidentalChanges
+title: Configure locks for Route Tables to avoid accidental changes or deletion
+description: |-
+ As an administrator, you can protect Azure subscriptions, resource groups, or resources from accidental deletions and modifications by setting locks.
+source:
+ type: aprl
+ file: azure-resources/Network/routeTables/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/routeTables
+severity: 2
+labels:
+ guid: 89d1166a-1a20-0f46-acc8-3194387bf127
+ area: Governance
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualHubs/Security/revcl-RouteServerSubnet.yaml b/v2/recos/Services/MicrosoftNetwork-virtualHubs/Security/revcl-RouteServerSubnet.yaml
new file mode 100644
index 000000000..be051384a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualHubs/Security/revcl-RouteServerSubnet.yaml
@@ -0,0 +1,20 @@
+name: revcl-RouteServerSubnet
+title: If using Route Server, use a /27 prefix for the Route Server subnet.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualhubs
+waf: Security
+severity: 2
+labels:
+ guid: 91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1
+queries:
+ arg: resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets
+ | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix
+ | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName ==
+ 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct
+ id, compliant
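Review bot: This recommendation declares `resourceTypes: microsoft.network/virtualhubs`, but its query selects `microsoft.network/virtualnetworks` and emits virtual network ids, so the compliance rows cannot be correlated with the declared resource type; revcl-RouteTableLimit has the same mismatch (virtualnetworks declared, `microsoft.network/routetables` queried). Separately, `subnetPrefixLength` is taken from `split(subnetPrefix, '/')[1]`, which is a dynamic string, and is then compared numerically with `<= 27`; unless Resource Graph coerces that implicitly the comparison may evaluate to null for every row, so `extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])` is the safer form. The same string-versus-number comparison appears in revcl-IpAddressSpaceLargeVirtualNetworks (`addressMask > 16`).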
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualHubs/aprl-AlertRuleBgpStatus.yaml b/v2/recos/Services/MicrosoftNetwork-virtualHubs/aprl-AlertRuleBgpStatus.yaml
new file mode 100644
index 000000000..a08b26a18
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualHubs/aprl-AlertRuleBgpStatus.yaml
@@ -0,0 +1,16 @@
+name: aprl-AlertRuleBgpStatus
+title: Monitor health for v-Hubs
+description: Set up monitoring and alerts for v-Hubs. Create alert rule for ensuring
+ promptly response to changes in BGP status and Data processed by v-Hubs.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualHubs/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualHubs
+severity: 1
+labels:
+ guid: 30ec8a5e-46de-4323-87e9-a7c56b72813b
+ area: Monitoring and Alerting
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Cost/revcl-CentralHubVirtualNetworkNetworkingServices.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Cost/revcl-CentralHubVirtualNetworkNetworkingServices.yaml
new file mode 100644
index 000000000..948c1ac3d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Cost/revcl-CentralHubVirtualNetworkNetworkingServices.yaml
@@ -0,0 +1,17 @@
+name: revcl-CentralHubVirtualNetworkNetworkingServices
+title: Ensure that shared networking services, including ExpressRoute gateways, VPN
+ gateways, and Azure Firewall or partner NVAs in the central-hub virtual network.
+ If necessary, also deploy DNS servers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Cost
+severity: 0
+labels:
+ guid: 7dd61623-a364-4a90-9eca-e48ebd54cd7d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Operations/revcl-AzureMonitorEndState.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Operations/revcl-AzureMonitorEndState.yaml
new file mode 100644
index 000000000..95f4f255b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Operations/revcl-AzureMonitorEndState.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureMonitorEndState
+title: Use Azure Monitor for Networks to monitor the end-to-end state of the networks
+ on Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Operations
+severity: 1
+labels:
+ guid: 4722d929-c1b1-4cd6-81f5-4b29bade39ad
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Performance/revcl-GlobalVirtualNetworkPeeringsNetworkArchitectures.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Performance/revcl-GlobalVirtualNetworkPeeringsNetworkArchitectures.yaml
new file mode 100644
index 000000000..79ae315fb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Performance/revcl-GlobalVirtualNetworkPeeringsNetworkArchitectures.yaml
@@ -0,0 +1,19 @@
+name: revcl-GlobalVirtualNetworkPeeringsNetworkArchitectures
+title: For network architectures with multiple hub-and-spoke topologies across Azure
+ regions, use global virtual network peerings between the hub VNets to connect the
+ regions to each other.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Performance
+severity: 1
+labels:
+ guid: cc881471-607c-41cc-a0e6-14658dd558f9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Performance/revcl-IpAddressSpaceLargeVirtualNetworks.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Performance/revcl-IpAddressSpaceLargeVirtualNetworks.yaml
new file mode 100644
index 000000000..a77541ce2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Performance/revcl-IpAddressSpaceLargeVirtualNetworks.yaml
@@ -0,0 +1,23 @@
+name: revcl-IpAddressSpaceLargeVirtualNetworks
+title: Ensure that IP address space isn't wasted, don't create unnecessarily large
+ virtual networks (for example /16)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Performance
+severity: 0
+labels:
+ guid: 33aad5e8-c68e-41d7-9667-313b4f5664b5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-network-infrastructure/
+queries:
+ arg: resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace
+ = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes)
+ | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1]
+ | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup,
+ addressPrefix, compliant
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-CentralHubVirtualNetworkVnetPeeringLimits.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-CentralHubVirtualNetworkVnetPeeringLimits.yaml
new file mode 100644
index 000000000..503038c54
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-CentralHubVirtualNetworkVnetPeeringLimits.yaml
@@ -0,0 +1,20 @@
+name: revcl-CentralHubVirtualNetworkVnetPeeringLimits
+title: When connecting spoke virtual networks to the central hub virtual network,
+ consider VNet peering limits (500), the maximum number of prefixes that can be advertised
+ via ExpressRoute (1000)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Reliability
+severity: 1
+labels:
+ guid: 0e7c28ec-9366-4572-83b0-f4664b1d944a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits
+queries:
+ arg: resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings
+ | summarize peeringcount = count() by id | extend compliant = (peeringcount <
+ 450) | distinct id,compliant
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-NetworkOutboundTrafficConfigurationDefaultOutboundAccess.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-NetworkOutboundTrafficConfigurationDefaultOutboundAccess.yaml
new file mode 100644
index 000000000..688a1ae44
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-NetworkOutboundTrafficConfigurationDefaultOutboundAccess.yaml
@@ -0,0 +1,18 @@
+name: revcl-NetworkOutboundTrafficConfigurationDefaultOutboundAccess
+title: Assess and review network outbound traffic configuration and strategy before
+ the upcoming breaking change. On September 30, 2025, default outbound access for
+ new deployments will be retired and only explicit access configurations will be
+ allowed
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Reliability
+severity: 0
+labels:
+ guid: b034c01e-110b-463a-b36e-e3346e57f225
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-OverlappingIpAddressRangesDrSites.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-OverlappingIpAddressRangesDrSites.yaml
new file mode 100644
index 000000000..9c670d4cb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-OverlappingIpAddressRangesDrSites.yaml
@@ -0,0 +1,17 @@
+name: revcl-OverlappingIpAddressRangesDrSites
+title: Avoid using overlapping IP address ranges for production and DR sites.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Reliability
+severity: 0
+labels:
+ guid: f348ef25-4c27-4d42-b8bb-ac7571559ab9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-RemoteVirtualNetworkVnetPeerings.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-RemoteVirtualNetworkVnetPeerings.yaml
new file mode 100644
index 000000000..fbc1d2d07
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-RemoteVirtualNetworkVnetPeerings.yaml
@@ -0,0 +1,19 @@
+name: revcl-RemoteVirtualNetworkVnetPeerings
+title: Use the setting 'Allow traffic to remote virtual network' when configuring
+ VNet peerings
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Reliability
+severity: 0
+labels:
+ guid: c76cb5a2-abe2-11ed-afa1-0242ac120002
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering
+queries:
+ arg: resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings
+ | project id, peeringName=properties_virtualNetworkPeerings.name, compliant =
+ (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-RouteTableLimit.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-RouteTableLimit.yaml
new file mode 100644
index 000000000..1ea630a53
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Reliability/revcl-RouteTableLimit.yaml
@@ -0,0 +1,18 @@
+name: revcl-RouteTableLimit
+title: Consider the limit of routes per route table (400).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Reliability
+severity: 1
+labels:
+ guid: 3d457936-e9b7-41eb-bdff-314b26450b12
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits
+queries:
+ arg: resources | where type=='microsoft.network/routetables' | mvexpand properties.routes
+ | summarize routeCount = count() by id | extend compliant = (routeCount < 360)
+ | distinct id,compliant
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-AddressAllocationRangesIpAddresses.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-AddressAllocationRangesIpAddresses.yaml
new file mode 100644
index 000000000..c9718dc14
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-AddressAllocationRangesIpAddresses.yaml
@@ -0,0 +1,24 @@
+name: revcl-AddressAllocationRangesIpAddresses
+title: Use IP addresses from the address allocation ranges for private internets (RFC
+ 1918).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Security
+severity: 2
+labels:
+ guid: 3f630472-2dd6-49c5-a5c2-622f54b69bad
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-network-infrastructure/
+queries:
+ arg: resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace
+ = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes)
+ | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location,
+ resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr
+ matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project
+ id, compliant, cidr
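Review bot: The RFC 1918 pattern is stored inside a verbatim `@'…'` string, where a backslash is literal, so each `\\.` reaches the regex engine as an escaped backslash followed by any character; as written the pattern requires a literal backslash after `10`, `172.x` and `192.168`, and no private prefix would ever be marked compliant. If the doubled backslash is an artifact of serialising the JSON checklist named in `source.file` into YAML, the generator should unescape it so the query reads `matches regex @'^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'`; if the checklist itself stores the doubled form, the fix belongs there. `cidr` is also a dynamic value produced by `mvexpand`, so `tostring(cidr) matches regex` avoids relying on implicit conversion.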
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-DdosRelatedLogsPublicIpAddresses.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-DdosRelatedLogsPublicIpAddresses.yaml
new file mode 100644
index 000000000..e8b2fd22d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-DdosRelatedLogsPublicIpAddresses.yaml
@@ -0,0 +1,18 @@
+name: revcl-DdosRelatedLogsPublicIpAddresses
+title: Add diagnostic settings to save DDoS related logs for all the protected public
+ IP addresses (DDoS IP or Network Protection).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Security
+severity: 0
+labels:
+ guid: b1c82a3f-2320-4dfa-8972-7ae4823c8930
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-IpProtectionPlansPublicIpAddresses.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-IpProtectionPlansPublicIpAddresses.yaml
new file mode 100644
index 000000000..adc55f0be
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-IpProtectionPlansPublicIpAddresses.yaml
@@ -0,0 +1,18 @@
+name: revcl-IpProtectionPlansPublicIpAddresses
+title: Use a DDoS Network or IP protection plans for all Public IP addresses in application
+ landing zones.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Security
+severity: 1
+labels:
+ guid: 143b16c3-1d7a-4a9b-9470-4489a8042d88
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-PublicIpAddressesEndpointsIpProtectionPlans.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-PublicIpAddressesEndpointsIpProtectionPlans.yaml
new file mode 100644
index 000000000..ee7d059e8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-PublicIpAddressesEndpointsIpProtectionPlans.yaml
@@ -0,0 +1,18 @@
+name: revcl-PublicIpAddressesEndpointsIpProtectionPlans
+title: Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses
+ endpoints within the virtual networks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Security
+severity: 0
+labels:
+ guid: 088137f5-e6c4-4cfd-9e50-4547c2447ec6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-SpokeNetworkTopologyNetworkDesign.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-SpokeNetworkTopologyNetworkDesign.yaml
new file mode 100644
index 000000000..0526bdadd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-SpokeNetworkTopologyNetworkDesign.yaml
@@ -0,0 +1,18 @@
+name: revcl-SpokeNetworkTopologyNetworkDesign
+title: Leverage a network design based on the traditional hub-and-spoke network topology
+ for network scenarios that require maximum flexibility.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Security
+severity: 1
+labels:
+ guid: e8bbac75-7155-49ab-a153-e8908ae28c84
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-network-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-VirtualNetworkServiceEndpointsDefault.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-VirtualNetworkServiceEndpointsDefault.yaml
new file mode 100644
index 000000000..ed98fe859
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/Security/revcl-VirtualNetworkServiceEndpointsDefault.yaml
@@ -0,0 +1,22 @@
+name: revcl-VirtualNetworkServiceEndpointsDefault
+title: Don't enable virtual network service endpoints by default on all subnets.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworks
+waf: Security
+severity: 1
+labels:
+ guid: 4704489a-8042-4d88-b79d-17b73b22a5a6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking-features
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn
+queries:
+ arg: resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets
+ = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup,
+ VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant
+ = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints)
+ == 0) | order by compliant asc
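Review bot: The `arg` query is written as a plain multi-line scalar folded across five continuation lines, whereas every aprl-* file in this commit emits queries as a `|` block scalar. A plain scalar is fragile here: a future continuation line that begins with `- `, `# ` or `|`, or that contains `: `, would either fail to parse or silently change the query text, and the folding already makes the query hard to read and diff. Emitting it as a block scalar (`arg: >-` or `arg: |`) keeps the same query text and removes that risk; the emitter's default line width seems to be what produced this layout, so an explicit block style on the query field would fix all revcl-* files at once.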
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-AzureDdosStandardProtectionPlansApplicationDesignBestPractices.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-AzureDdosStandardProtectionPlansApplicationDesignBestPractices.yaml
new file mode 100644
index 000000000..7ceb46c37
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-AzureDdosStandardProtectionPlansApplicationDesignBestPractices.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureDdosStandardProtectionPlansApplicationDesignBestPractices
+title: Shield public endpoints in Azure VNets with Azure DDoS Standard Protection
+ Plans
+description: |-
+ Azure DDoS Protection offers enhanced mitigation features against DDoS attacks and is auto-tuned to protect specific resources in a virtual network, combined with application design best practices.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworks/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworks
+severity: 0
+labels:
+ guid: 69ea1185-19b7-de40-9da1-9e8493547a5c
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find virtual networks without DDoS Protection
+ resources
+ | where type =~ 'Microsoft.Network/virtualNetworks'
+ | where isnull(properties.enableDdosProtection) or properties.enableDdosProtection contains "false"
+ | project recommendationId = "69ea1185-19b7-de40-9da1-9e8493547a5c", name, id, tags, param1 = strcat("EnableDdosProtection: ", properties.enableDdosProtection)
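Review bot: `timestamp: July 24, 2024` under `source` is a locale-style, non-sortable date, and every other aprl-* file in this commit carries the identical value, which suggests it records the date the generator ran rather than when the upstream recommendation last changed. Consumers should not read it as the recommendation's revision date, and an ISO 8601 value (`timestamp: 2024-07-24`) would be both unambiguous and comparable. Separately, `links: []` leaves this DDoS recommendation without any reference, unlike the revcl-* DDoS files in this commit that cite the ddos-protection docs; carrying through an upstream reference link, if the source provides one, would help readers act on the finding.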
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-AzureServiceAccessVnetServiceEndpoints.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-AzureServiceAccessVnetServiceEndpoints.yaml
new file mode 100644
index 000000000..f0f2b765d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-AzureServiceAccessVnetServiceEndpoints.yaml
@@ -0,0 +1,30 @@
+name: aprl-AzureServiceAccessVnetServiceEndpoints
+title: When available, use Private Endpoints instead of Service Endpoints for PaaS
+ Services
+description: |-
+ Use VNet service endpoints only if Private Link isn't available and no data movement concerns. This feature restricts Azure service access to specified VNet and subnet, enhancing network security and isolating service traffic.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworks/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworks
+severity: 1
+labels:
+ guid: 24ae3773-cc2c-3649-88de-c9788e25b463
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find Subnets with Service Endpoint enabled for services that offer Private Link
+ resources
+ | where type =~ 'Microsoft.Network/virtualnetworks'
+ | mv-expand subnets = properties.subnets
+ | extend se = array_length(subnets.properties.serviceEndpoints)
+ | where se >= 1
+ | project name, id, tags, subnets, serviceEndpoints=todynamic(subnets.properties.serviceEndpoints)
+ | mv-expand serviceEndpoints
+ | project name, id, tags, subnetName=subnets.name, serviceName=tostring(serviceEndpoints.service)
+ | where serviceName in (parse_json('["Microsoft.CognitiveServices","Microsoft.AzureCosmosDB","Microsoft.DBforMariaDB","Microsoft.DBforMySQL","Microsoft.DBforPostgreSQL","Microsoft.EventHub","Microsoft.KeyVault","Microsoft.ServiceBus","Microsoft.Sql", "Microsoft.Storage","Microsoft.StorageSync","Microsoft.Synapse","Microsoft.Web"]'))
+ | project recommendationId = "24ae3773-cc2c-3649-88de-c9788e25b463", name, id, tags, param1 = strcat("subnet=", subnetName), param2=strcat("serviceName=",serviceName), param3="ServiceEndpoints=true"
diff --git a/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-NetworkSecurityGroupApplicationSecurityGroups.yaml b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-NetworkSecurityGroupApplicationSecurityGroups.yaml
new file mode 100644
index 000000000..2f76d2364
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-virtualNetworks/aprl-NetworkSecurityGroupApplicationSecurityGroups.yaml
@@ -0,0 +1,25 @@
+name: aprl-NetworkSecurityGroupApplicationSecurityGroups
+title: All Subnets should have a Network Security Group associated
+description: |-
+ Network security groups and application security groups allow filtering of inbound and outbound traffic by IP, port, and protocol, adding a security layer at the Subnet level.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworks/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworks
+severity: 2
+labels:
+ guid: f0bf9ae6-25a5-974d-87d5-025abec73539
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find Subnets without NSG associated
+ resources
+ | where type =~ 'Microsoft.Network/virtualnetworks'
+ | mv-expand subnets = properties.subnets
+ | extend sn = string_size(subnets.properties.networkSecurityGroup)
+ | where sn == 0 and subnets.name !in ("GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet", "RouteServerSubnet")
+ | project recommendationId = "f0bf9ae6-25a5-974d-87d5-025abec73539", name, id, tags, param1 = strcat("SubnetName: ", subnets.name), param2 = "NSG: False"
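Review bot: The subnet exclusion `subnets.name !in ("GatewaySubnet", ...)` is a case-sensitive comparison in KQL, so a gateway or firewall subnet whose stored name differs in case from these literals would be reported as missing an NSG; if subnet names can surface with differing case, `!in~` is the case-insensitive form. The check itself only tests for an NSG association and does not look at the rules inside that NSG, which is fine for this recommendation but worth stating so a "compliant" result is not read as "traffic is filtered". A one-line comment in the query, such as `// association only; NSG rule content is not evaluated`, would make that explicit.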
diff --git a/v2/recos/Services/MicrosoftNetwork-vpnGateways/aprl-PacketDropCountsMonitorGateway.yaml b/v2/recos/Services/MicrosoftNetwork-vpnGateways/aprl-PacketDropCountsMonitorGateway.yaml
new file mode 100644
index 000000000..620d85150
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetwork-vpnGateways/aprl-PacketDropCountsMonitorGateway.yaml
@@ -0,0 +1,19 @@
+name: aprl-PacketDropCountsMonitorGateway
+title: Monitor gateway for Site-to-site v-Hub's VPN gateway
+description: Set up monitoring and alerts for v-Hub's VPN Gateway. Create alert rule
+ for ensuring promptly response to critical events such as packet drop counts, BGP
+ status, Gateway overutilization.
+source:
+ type: aprl
+ file: azure-resources/Network/vpnGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/vpnGateways
+severity: 0
+labels:
+ guid: f0d4f766-ac19-48c4-b228-4601cc038baa
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // under-development
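Review bot: The query body here is only the comment `// under-development`, which is not a runnable ARG query, yet it is emitted under `queries.arg` in the same shape as the real queries in this commit, so a consumer that executes every `arg` it finds will submit a comment-only query. The revcl-* files in this commit express "no query" as `queries: {}`; mapping the upstream placeholder markers (`// under-development` and `// cannot-be-validated-with-arg`, also present in aprl-LogAnalyticsWorkspaceExpressrouteTrafficCollector.yaml, aprl-HealthStatusAlertRuleLogAnalyticsWorkspace.yaml and aprl-LogAnalyticsDataExportLogAnalyticsWorkspace.yaml) to that form would keep the schema uniform. This file also uses `arg: |-` where the others use `arg: |`, so the placeholder strings differ by a trailing newline.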
diff --git a/v2/recos/Services/MicrosoftNetworkFunction-azureTrafficCollectors/aprl-LogAnalyticsWorkspaceExpressrouteTrafficCollector.yaml b/v2/recos/Services/MicrosoftNetworkFunction-azureTrafficCollectors/aprl-LogAnalyticsWorkspaceExpressrouteTrafficCollector.yaml
new file mode 100644
index 000000000..1231870a9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftNetworkFunction-azureTrafficCollectors/aprl-LogAnalyticsWorkspaceExpressrouteTrafficCollector.yaml
@@ -0,0 +1,19 @@
+name: aprl-LogAnalyticsWorkspaceExpressrouteTrafficCollector
+title: Ensure ExpressRoute Traffic Collector is enabled and configured for Direct
+ or Provider circuits
+description: |-
+ ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct or Service-Provider based circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.
+source:
+ type: aprl
+ file: azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.NetworkFunction/azureTrafficCollectors
+severity: 1
+labels:
+ guid: 1ceea4b5-1d8b-4be0-9bbe-9594557be51a
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftOperationalInsights-workspaces/aprl-HealthStatusAlertRuleLogAnalyticsWorkspace.yaml b/v2/recos/Services/MicrosoftOperationalInsights-workspaces/aprl-HealthStatusAlertRuleLogAnalyticsWorkspace.yaml
new file mode 100644
index 000000000..5cf8b995e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftOperationalInsights-workspaces/aprl-HealthStatusAlertRuleLogAnalyticsWorkspace.yaml
@@ -0,0 +1,18 @@
+name: aprl-HealthStatusAlertRuleLogAnalyticsWorkspace
+title: Create a health status alert rule for your Log Analytics workspace
+description: |-
+ A health status alert will proactively notify you if a workspace becomes unavailable because of a datacenter or regional failure.
+source:
+ type: aprl
+ file: azure-resources/OperationalInsights/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.OperationalInsights/workspaces
+severity: 2
+labels:
+ guid: 4b77191c-cc3c-8c4e-844b-0f56d0927890
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftOperationalInsights-workspaces/aprl-LogAnalyticsDataExportLogAnalyticsWorkspace.yaml b/v2/recos/Services/MicrosoftOperationalInsights-workspaces/aprl-LogAnalyticsDataExportLogAnalyticsWorkspace.yaml
new file mode 100644
index 000000000..8ea8b3b11
--- /dev/null
+++ b/v2/recos/Services/MicrosoftOperationalInsights-workspaces/aprl-LogAnalyticsDataExportLogAnalyticsWorkspace.yaml
@@ -0,0 +1,18 @@
+name: aprl-LogAnalyticsDataExportLogAnalyticsWorkspace
+title: Enable Log Analytics data export to GRS or GZRS
+description: |-
+ Data export in a Log Analytics workspace to an Azure Storage account enhances data protection against regional failures by using geo-redundant (GRS) or geo-zone-redundant storage (GZRS), mainly for compliance and integration with other Azure services and tools.
+source:
+ type: aprl
+ file: azure-resources/OperationalInsights/workspaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.OperationalInsights/workspaces
+severity: 1
+labels:
+ guid: b36fd2ac-dd83-664a-ab48-ff7b8d3b189d
+ area: Governance
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftPowerBI-gateways/Reliability/revcl-PremisesDataGatewayClustersBusinessCriticalData.yaml b/v2/recos/Services/MicrosoftPowerBI-gateways/Reliability/revcl-PremisesDataGatewayClustersBusinessCriticalData.yaml
new file mode 100644
index 000000000..26a6e6dd8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPowerBI-gateways/Reliability/revcl-PremisesDataGatewayClustersBusinessCriticalData.yaml
@@ -0,0 +1,18 @@
+name: revcl-PremisesDataGatewayClustersBusinessCriticalData
+title: Use on-premises data gateway clusters to ensure high availability for business-critical
+ data
+description: Use an on-premises data gateway cluster to avoid single points of failure
+ and to load balance traffic across gateways.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.powerbi/gateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 89f89dc7-b44b-4e3b-8a27-f8b9e91be103
+links:
+- type: docs
+ url: https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AssessmentScores.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AssessmentScores.yaml
new file mode 100644
index 000000000..470f6cffe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AssessmentScores.yaml
@@ -0,0 +1,15 @@
+name: revcl-AssessmentScores
+title: Generate assessment scores
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: b130a888-9579-4e76-a896-e710a7da7be9
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/compliance-manager
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AssestLifecycleBestPractices.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AssestLifecycleBestPractices.yaml
new file mode 100644
index 000000000..76f6d1edb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AssestLifecycleBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-AssestLifecycleBestPractices
+title: Follow Assest lifecycle best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: b3d1325a-a225-4c6f-9e06-85edddea8a4b
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AutomationBestPractices.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AutomationBestPractices.yaml
new file mode 100644
index 000000000..18fef9e14
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-AutomationBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-AutomationBestPractices
+title: Follow automation best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-automation
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BackupStrategyRegularBackups.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BackupStrategyRegularBackups.yaml
new file mode 100644
index 000000000..b77eb1f2f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BackupStrategyRegularBackups.yaml
@@ -0,0 +1,15 @@
+name: revcl-BackupStrategyRegularBackups
+title: Plan a backup strategy and take regular backups
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 0
+labels:
+ guid: 97b15b8a-219a-44ab-bb57-879024d22678
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BestPracticesGovernancePortal.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BestPracticesGovernancePortal.yaml
new file mode 100644
index 000000000..43c88fdc1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BestPracticesGovernancePortal.yaml
@@ -0,0 +1,15 @@
+name: revcl-BestPracticesGovernancePortal
+title: Follow Classification Best Practices in Governance Portal
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: c49d997c-b3d1-4325-aa22-5c6f4e0685ed
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-classification
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BestPracticesRegisteredSources.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BestPracticesRegisteredSources.yaml
new file mode 100644
index 000000000..860dd7dd8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-BestPracticesRegisteredSources.yaml
@@ -0,0 +1,15 @@
+name: revcl-BestPracticesRegisteredSources
+title: Follow Best Practices for Scanning Registered Sources
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 9579e76b-896e-4710-a7da-7be9956d14d3
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-scanning
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-CollectionArchitecturesBestPractices.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-CollectionArchitecturesBestPractices.yaml
new file mode 100644
index 000000000..6d3a56735
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-CollectionArchitecturesBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-CollectionArchitecturesBestPractices
+title: Follow Collection Architectures and best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 896e710a-7da7-4be9-a56d-14d3c49d997c
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-collections
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataCenterLevelOutagePlan.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataCenterLevelOutagePlan.yaml
new file mode 100644
index 000000000..0a174f76b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataCenterLevelOutagePlan.yaml
@@ -0,0 +1,15 @@
+name: revcl-DataCenterLevelOutagePlan
+title: Plan for Data Center level outage
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 0
+labels:
+ guid: ab067acb-49e5-4b96-8332-4ecf8cc13318
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataContentSummaries.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataContentSummaries.yaml
new file mode 100644
index 000000000..dc832ea21
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataContentSummaries.yaml
@@ -0,0 +1,15 @@
+name: revcl-DataContentSummaries
+title: Profiling- get summaries of data content
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 956d14d3-c49d-4997-ab3d-1325aa225c6f
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/compliance-manager-scoring
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataStewardshipCatalogAdoption.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataStewardshipCatalogAdoption.yaml
new file mode 100644
index 000000000..09c444e4f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DataStewardshipCatalogAdoption.yaml
@@ -0,0 +1,15 @@
+name: revcl-DataStewardshipCatalogAdoption
+title: Use Data stewardship and Catalog adoption
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: aa3d3ef7-f317-46c4-a97b-15b8a219a4ab
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/catalog-adoption-insights
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DevopsPolicies.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DevopsPolicies.yaml
new file mode 100644
index 000000000..a353748d6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-DevopsPolicies.yaml
@@ -0,0 +1,15 @@
+name: revcl-DevopsPolicies
+title: Follow DevOps policies
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: b49e5b96-0332-44ec-b8cc-13318da61170
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-policies-devops
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageAzureStoragePlaceData.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageAzureStoragePlaceData.yaml
new file mode 100644
index 000000000..19ad6a3cc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageAzureStoragePlaceData.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageAzureStoragePlaceData
+title: Leverage Azure Storage in-place data sharing with Microsoft Purview
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: d8d9a3ed-c218-4e68-9ab0-67acb49e5b96
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-data-share
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageDataEstateInsights.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageDataEstateInsights.yaml
new file mode 100644
index 000000000..cabd3b09b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageDataEstateInsights.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageDataEstateInsights
+title: Leverage Data Estate Insights
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 03324ecf-8cc1-4331-ada6-1170269f4fb4
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-insights
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageFtaResillencyHandbook-1.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageFtaResillencyHandbook-1.yaml
new file mode 100644
index 000000000..a00f8c4d8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageFtaResillencyHandbook-1.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageFtaResillencyHandbook-1
+title: Leverage FTA Resillency Handbook
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 1fc2fc14-eea6-4e69-b8d9-a3edc218e687
+links:
+- type: docs
+ url: https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/
+queries: {}
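Review bot: The only reference link, `https://polite-sea-0995b240f.2.azurestaticapps.net/...`, is an auto-generated-looking Static Web Apps hostname rather than a learn.microsoft.com or github.com location, so it may stop resolving if that app is removed, and if the default hostname is ever released a later owner could serve unrelated content at the same URL. A checklist link should point at a canonical, durable source if one exists, or the entry should say it is a non-authoritative mirror. The title also misspells "Resiliency" as "Resillency" (the `name` and file name carry the same spelling), which presumably comes from the upstream checklist and is best fixed there, and the `-1` suffix on `name` looks like a collision-avoidance suffix worth confirming.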
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageInsightsSensitivityLabels.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageInsightsSensitivityLabels.yaml
new file mode 100644
index 000000000..6baeade77
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageInsightsSensitivityLabels.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageInsightsSensitivityLabels
+title: Leverage Insights for Glossary, Classifications, Sensitivity Labels
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 19bf8d8e-5c58-46b7-b8cd-c15acc075ee9
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/glossary-insights
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageWorkflows.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageWorkflows.yaml
new file mode 100644
index 000000000..4f2ddb541
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-LeverageWorkflows.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageWorkflows
+title: 'Leverage Workflows '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: f3176c4b-97b1-45b8-a219-a4abeb578790
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-workflow
+queries: {}
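Review bot: `title: 'Leverage Workflows '` carries a trailing space inside the quotes, which is presumably why the emitter quoted it; consumers that display or de-duplicate by title will see it as distinct from `Leverage Workflows`. Stripping titles at generation time (`title.strip()`) would prevent this for every entry. The typo "Assest" in revcl-AssestLifecycleBestPractices.yaml is the same class of upstream data issue and is best corrected in the source checklist.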
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MicrosoftPurviewDataOwnerAccessPolicies.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MicrosoftPurviewDataOwnerAccessPolicies.yaml
new file mode 100644
index 000000000..e8aaa3580
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MicrosoftPurviewDataOwnerAccessPolicies.yaml
@@ -0,0 +1,15 @@
+name: revcl-MicrosoftPurviewDataOwnerAccessPolicies
+title: Follow Microsoft Purview Data Owner access policies
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MicrosoftPurviewEventHubs.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MicrosoftPurviewEventHubs.yaml
new file mode 100644
index 000000000..6068d3d1f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MicrosoftPurviewEventHubs.yaml
@@ -0,0 +1,16 @@
+name: revcl-MicrosoftPurviewEventHubs
+title: Use Microsoft Purview's Event Hubs to subscribe and create entities to another
+ account
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 6d20b56c-56a9-4581-89bf-8d8e5c586b7d
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/manage-kafka-dotnet
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MigrateGlossaryTermsMigrateRelationships.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MigrateGlossaryTermsMigrateRelationships.yaml
new file mode 100644
index 000000000..5991d6ab7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MigrateGlossaryTermsMigrateRelationships.yaml
@@ -0,0 +1,18 @@
+name: revcl-MigrateGlossaryTermsMigrateRelationships
+title: Practice Failover for BCDR
+description: 1. Create the new account 2. Migrate configuration items 3. Run scans
+ 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate
+ glossary terms 7. Assign classifications to assets 8. Assign contacts to assets
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: da611702-69f4-4fb4-aa3d-3ef7f3176c4b
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MigrationBestPracticesBackup.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MigrationBestPracticesBackup.yaml
new file mode 100644
index 000000000..197fd6c70
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-MigrationBestPracticesBackup.yaml
@@ -0,0 +1,15 @@
+name: revcl-MigrationBestPracticesBackup
+title: Follow Backup and Migration Best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: c218e687-ab06-47ac-a49e-5b9603324ecf
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/disaster-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PerformSensitivityLabellingPurviewDataMap.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PerformSensitivityLabellingPurviewDataMap.yaml
new file mode 100644
index 000000000..73edc07be
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PerformSensitivityLabellingPurviewDataMap.yaml
@@ -0,0 +1,15 @@
+name: revcl-PerformSensitivityLabellingPurviewDataMap
+title: Perform Sensitivity Labelling in the Purview Data Map
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewAccountsArchitecturesDeploymentBestPractices.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewAccountsArchitecturesDeploymentBestPractices.yaml
new file mode 100644
index 000000000..b476d69be
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewAccountsArchitecturesDeploymentBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-PurviewAccountsArchitecturesDeploymentBestPractices
+title: Follow Purview accounts architectures and deployment best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 8cdc15ac-c075-4ee9-a130-a8889579e76b
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/deployment-best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewDataLineageBestPractices.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewDataLineageBestPractices.yaml
new file mode 100644
index 000000000..fc38538fa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewDataLineageBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-PurviewDataLineageBestPractices
+title: Follow Purview Data Lineage Best Practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 5c586b7d-8cdc-415a-ac07-5ee9b130a888
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewGlossaryBestPractices.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewGlossaryBestPractices.yaml
new file mode 100644
index 000000000..6d2fdc206
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewGlossaryBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-PurviewGlossaryBestPractices
+title: Follow Purview Glossary Best Practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 8cc13318-da61-4170-869f-4fb4aa3d3ef7
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-glossary
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewSecurityBestPractices.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewSecurityBestPractices.yaml
new file mode 100644
index 000000000..027b673d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-PurviewSecurityBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-PurviewSecurityBestPractices
+title: Follow Purview Security Best Practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 24d22678-6d20-4b56-a56a-958119bf8d8e
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-best-practices-security
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-SelfServiceAccessPolicies.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-SelfServiceAccessPolicies.yaml
new file mode 100644
index 000000000..f0e3a1d5b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-SelfServiceAccessPolicies.yaml
@@ -0,0 +1,15 @@
+name: revcl-SelfServiceAccessPolicies
+title: Follow Self-service access policies
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 4eea6e69-d8d9-4a3e-bc21-8e687ab067ac
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-self-service-data-access-policy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-UseInventoryOwnership.yaml b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-UseInventoryOwnership.yaml
new file mode 100644
index 000000000..6d64f463f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftPurview-accounts/Reliability/revcl-UseInventoryOwnership.yaml
@@ -0,0 +1,15 @@
+name: revcl-UseInventoryOwnership
+title: Use Inventory and Ownership
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.purview/accounts
+waf: Reliability
+severity: 2
+labels:
+ guid: eb578790-24d2-4267-a6d2-0b56c56a9581
+links:
+- type: docs
+ url: https://learn.microsoft.com/purview/concept-insights
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-BackupInstancesUnderlyingDatasource.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-BackupInstancesUnderlyingDatasource.yaml
new file mode 100644
index 000000000..a76cbc7b9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-BackupInstancesUnderlyingDatasource.yaml
@@ -0,0 +1,15 @@
+name: revcl-BackupInstancesUnderlyingDatasource
+title: check backup instances with the underlying datasource not found
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Cost
+severity: 1
+labels:
+ guid: 45901365-d38e-443f-abcb-d868266abca2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-RecoveryPointsVaultArchive.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-RecoveryPointsVaultArchive.yaml
new file mode 100644
index 000000000..826054d14
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-RecoveryPointsVaultArchive.yaml
@@ -0,0 +1,17 @@
+name: revcl-RecoveryPointsVaultArchive
+title: Move recovery points to vault-archive where applicable (Validate)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Cost
+severity: 1
+labels:
+ guid: 44be3b1a-27f8-4b9e-a1be-1f38df03a822
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work
+- type: docs
+ url: https://azure.microsoft.com/pricing/reservations/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-SiteRecoveryStorageMissionCriticalApplications.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-SiteRecoveryStorageMissionCriticalApplications.yaml
new file mode 100644
index 000000000..3a1f27fa7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-SiteRecoveryStorageMissionCriticalApplications.yaml
@@ -0,0 +1,16 @@
+name: revcl-SiteRecoveryStorageMissionCriticalApplications
+title: Consider a good balance between site recovery storage and backup for non mission
+ critical applications
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Cost
+severity: 1
+labels:
+ guid: 69bad37a-ad53-4cc7-ae1d-76667357c449
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-StandardSsdDisksReplicationThroughput.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-StandardSsdDisksReplicationThroughput.yaml
new file mode 100644
index 000000000..21784ac54
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Cost/revcl-StandardSsdDisksReplicationThroughput.yaml
@@ -0,0 +1,16 @@
+name: revcl-StandardSsdDisksReplicationThroughput
+title: For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput
+ allow it
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Cost
+severity: 1
+labels:
+ guid: c2efc5d7-61d4-41d2-900b-b47a393a040f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/site-recovery/site-recovery-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Operations/revcl-AzureCompatibleRdPartyBackupSolutionAzureNativeBackupCapabilities.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Operations/revcl-AzureCompatibleRdPartyBackupSolutionAzureNativeBackupCapabilities.yaml
new file mode 100644
index 000000000..dc3fe4657
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Operations/revcl-AzureCompatibleRdPartyBackupSolutionAzureNativeBackupCapabilities.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureCompatibleRdPartyBackupSolutionAzureNativeBackupCapabilities
+title: Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup
+ solution.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Operations
+severity: 1
+labels:
+ guid: f625ca44-e569-45f2-823a-ce8cb12308ca
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/backup-center-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-AzureBackupControlledAccess.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-AzureBackupControlledAccess.yaml
new file mode 100644
index 000000000..b964085c5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-AzureBackupControlledAccess.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzureBackupControlledAccess
+title: Implement multi-user authorization for Azure Backup to ensure secure and controlled
+ access to backup resources
+description: Azure Backup's multi-user authorization enables fine-grained control
+ over user access to backup resources, allowing you to restrict privileges and ensure
+ proper authentication and authorization for backup operations.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Reliability
+severity: 2
+labels:
+ guid: 2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/multi-user-authorization-concept
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-AzureImmutableStorageUnauthorizedModifications.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-AzureImmutableStorageUnauthorizedModifications.yaml
new file mode 100644
index 000000000..420fbd79f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-AzureImmutableStorageUnauthorizedModifications.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureImmutableStorageUnauthorizedModifications
+title: Implement Immutable Storage for your vaults to protect against ransomware and
+ prevent unauthorized modifications to backups
+description: Azure Immutable Storage provides an additional layer of security by ensuring
+ that backup data stored in the vault cannot be modified or deleted for a specified
+ retention period. This helps safeguard your backups from ransomware attacks that
+ may attempt to compromise or manipulate your backup data.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Reliability
+severity: 2
+labels:
+ guid: 2cc88147-0607-4c1c-aa0e-614658dd458e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-DifferentBackupTypesAzureBackup.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-DifferentBackupTypesAzureBackup.yaml
new file mode 100644
index 000000000..74d50375b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-DifferentBackupTypesAzureBackup.yaml
@@ -0,0 +1,16 @@
+name: revcl-DifferentBackupTypesAzureBackup
+title: When using Azure Backup, consider the different backup types (GRS, ZRS & LRS)
+ as the default setting is GRS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Reliability
+severity: 1
+labels:
+ guid: eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-redundancy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-PotentialRansomwareEncryptionRansomwareAttacks.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-PotentialRansomwareEncryptionRansomwareAttacks.yaml
new file mode 100644
index 000000000..06ece256a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/Reliability/revcl-PotentialRansomwareEncryptionRansomwareAttacks.yaml
@@ -0,0 +1,18 @@
+name: revcl-PotentialRansomwareEncryptionRansomwareAttacks
+title: Enable Azure Backup enhanced soft delete for improved data protection and recovery
+description: Azure Backup enhanced soft delete provides critical protection against
+ ransomware attacks by retaining deleted backups, enabling recovery from potential
+ ransomware encryption or deletion.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.recoveryservices/vaults
+waf: Reliability
+severity: 1
+labels:
+ guid: b44be3b1-a27f-48b9-b91b-e1038df03a82
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about
+queries: {}
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-AzureRecoveryServicesVaultsAzureMonitorAlerts.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-AzureRecoveryServicesVaultsAzureMonitorAlerts.yaml
new file mode 100644
index 000000000..640beef10
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-AzureRecoveryServicesVaultsAzureMonitorAlerts.yaml
@@ -0,0 +1,27 @@
+name: aprl-AzureRecoveryServicesVaultsAzureMonitorAlerts
+title: Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery
+ Services Vaults
+description: |-
+ Classic alerts for Recovery Services vaults in Azure Backup will be retired on 31 March 2026.
+source:
+ type: aprl
+ file: azure-resources/RecoveryServices/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.RecoveryServices/vaults
+severity: 1
+labels:
+ guid: 2912472d-0198-4bdc-aa90-37f145790edc
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This Resource Graph query will return all Recovery services vault with Classic alerts enabled.
+ resources
+ | where type in~ ('microsoft.recoveryservices/vaults')
+ | extend monitoringSettings = parse_json(properties).monitoringSettings
+ | extend isUsingClassicAlerts = case(isnull(monitoringSettings),'Enabled',monitoringSettings.classicAlertSettings.alertsForCriticalOperations)
+ | extend isUsingJobsAlerts = case(isnull(monitoringSettings), 'Enabled', monitoringSettings.azureMonitorAlertSettings.alertsForAllJobFailures)
+ | where isUsingClassicAlerts == 'Enabled'
+ | project recommendationId = "2912472d-0198-4bdc-aa90-37f145790edc", name, id, tags, param1=strcat("isUsingClassicAlerts: ", isUsingClassicAlerts), param2=strcat("isUsingJobsAlerts: ", isUsingJobsAlerts)
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-RecoveryServicesVaultsSoftDelete.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-RecoveryServicesVaultsSoftDelete.yaml
new file mode 100644
index 000000000..22f55980a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-RecoveryServicesVaultsSoftDelete.yaml
@@ -0,0 +1,24 @@
+name: aprl-RecoveryServicesVaultsSoftDelete
+title: Enable Soft Delete for Recovery Services Vaults in Azure Backup
+description: |-
+ With soft delete, if backup data is deleted, the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss with no cost to you. Soft delete is enabled by default. Disabling this feature isn't recommended.
+source:
+ type: aprl
+ file: azure-resources/RecoveryServices/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.RecoveryServices/vaults
+severity: 1
+labels:
+ guid: 9e39919b-78af-4a0b-b70f-c548dae97c25
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Find all Azure Recovery Services vaults that do not have soft delete enabled
+ resources
+ | where type == "microsoft.recoveryservices/vaults"
+ | mv-expand issoftDelete=properties.securitySettings.softDeleteSettings.softDeleteState
+ | where issoftDelete == 'Disabled'
+ | project recommendationId = "9e39919b-78af-4a0b-b70f-c548dae97c25", name, id, tags, param1=strcat("Soft Delete: ",issoftDelete)
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SecondaryAzurePairedRegionGrsRecoveryServicesVault.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SecondaryAzurePairedRegionGrsRecoveryServicesVault.yaml
new file mode 100644
index 000000000..a33c64da2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SecondaryAzurePairedRegionGrsRecoveryServicesVault.yaml
@@ -0,0 +1,27 @@
+name: aprl-SecondaryAzurePairedRegionGrsRecoveryServicesVault
+title: Enable Cross Region Restore for your GRS Recovery Services Vault
+description: |-
+ Cross Region Restore enables the restoration of Azure VMs in a secondary, Azure paired region, facilitating drills for audit or compliance and allowing recovery of VMs or disks in the event of a primary region disaster. It is an opt-in feature available exclusively for GRS vaults.
+source:
+ type: aprl
+ file: azure-resources/RecoveryServices/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.RecoveryServices/vaults
+severity: 1
+labels:
+ guid: 1549b91f-2ea0-4d4f-ba2a-4596becbe3de
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Displays all recovery services vaults that do not have cross region restore enabled
+ resources
+ | where type =~ "Microsoft.RecoveryServices/vaults" and
+ properties.redundancySettings.standardTierStorageRedundancy =~ "GeoRedundant" and
+ properties.redundancySettings.crossRegionRestore !~ "Enabled"
+ | extend
+ param1 = strcat("CrossRegionRestore: ", properties.redundancySettings.crossRegionRestore),
+ param2 = strcat("StorageReplicationType: ", properties.redundancySettings.standardTierStorageRedundancy)
+ | project recommendationId = "1549b91f-2ea0-4d4f-ba2a-4596becbe3de", name, id, tags, param1, param2
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SiteRecoveryTestFailoverDisasterRecoveryPlan.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SiteRecoveryTestFailoverDisasterRecoveryPlan.yaml
new file mode 100644
index 000000000..edafb17ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SiteRecoveryTestFailoverDisasterRecoveryPlan.yaml
@@ -0,0 +1,24 @@
+name: aprl-SiteRecoveryTestFailoverDisasterRecoveryPlan
+title: Validate VM functionality with a Site Recovery test failover to check performance
+ at target
+description: |-
+ Perform a test failover to validate your BCDR strategy and ensure that your applications are functioning correctly in the target region without impacting your production environment. Test your Disaster Recovery plan periodically without any data loss or downtime, using test failovers.
+source:
+ type: aprl
+ file: azure-resources/RecoveryServices/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.RecoveryServices/vaults
+severity: 0
+labels:
+ guid: 17e877f7-3a89-4205-8a24-0670de54ddcd
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all VMs where replication has been enabled but Test Failover was never performed
+ recoveryservicesresources
+ | where type == "microsoft.recoveryservices/vaults/replicationfabrics/replicationprotectioncontainers/replicationprotecteditems"
+ | where properties.providerSpecificDetails.dataSourceInfo.datasourceType == 'AzureVm' and isnull(properties.lastSuccessfulTestFailoverTime)
+ | project recommendationId="17e877f7-3a89-4205-8a24-0670de54ddcd" , name = properties.providerSpecificDetails.recoveryAzureVMName, id=properties.providerSpecificDetails.dataSourceInfo.resourceId
diff --git a/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SiteRecoveryVmFailoverSettingsVmNetworkSettings.yaml b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SiteRecoveryVmFailoverSettingsVmNetworkSettings.yaml
new file mode 100644
index 000000000..d986995e6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftRecoveryServices-vaults/aprl-SiteRecoveryVmFailoverSettingsVmNetworkSettings.yaml
@@ -0,0 +1,19 @@
+name: aprl-SiteRecoveryVmFailoverSettingsVmNetworkSettings
+title: Ensure static IP addresses in Site Recovery VM failover settings are available
+ in failover subnet
+description: |-
+ Ensure VM failover settings' static IP addresses are available in the failover subnet to maintain consistent IP assignment during failover, with the target VM receiving the same static IP if it's available or the next available IP otherwise. IP adjustments can be made in VM Network settings.
+source:
+ type: aprl
+ file: azure-resources/RecoveryServices/vaults/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.RecoveryServices/vaults
+severity: 0
+labels:
+ guid: e93bb813-b356-48f3-9bdf-a06a0a6ba039
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftResources-resourceGroups/aprl-EnsureResourceGroupResourceLocations.yaml b/v2/recos/Services/MicrosoftResources-resourceGroups/aprl-EnsureResourceGroupResourceLocations.yaml
new file mode 100644
index 000000000..a44a14a24
--- /dev/null
+++ b/v2/recos/Services/MicrosoftResources-resourceGroups/aprl-EnsureResourceGroupResourceLocations.yaml
@@ -0,0 +1,29 @@
+name: aprl-EnsureResourceGroupResourceLocations
+title: Ensure Resource Group and its Resources are located in the same Region
+description: |-
+ Ensure resource locations align with their resource group to manage resources during regional outages. ARM stores resource data, which if in an unavailable region, could halt updates, rendering resources read-only.
+source:
+ type: aprl
+ file: azure-resources/Resources/resourceGroups/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Resources/resourceGroups
+severity: 0
+labels:
+ guid: 98bd7098-49d6-491b-86f1-b143d6b1a0ff
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure Resource Groups that have resources deployed in a region different than the Resource Group region
+ resources
+ | project id, name, tags, resourceGroup, location
+ | where location != "global" // exclude global resources
+ | where resourceGroup != "networkwatcherrg" // exclude networkwatcherrg
+ | where split(id, "/", 3)[0] =~ "resourceGroups" // resource is in a resource group
+ | extend resourceGroupId = strcat_array(array_slice(split(id, "/"),0,4), "/") // create resource group resource id
+ | join (resourcecontainers | project containerid=id, containerlocation=location ) on $left.resourceGroupId == $right.['containerid'] // join to resourcecontainers table
+ | where location != containerlocation
+ | project recommendationId="98bd7098-49d6-491b-86f1-b143d6b1a0ff", name, id, tags
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-AzureCognitiveSearchIndexIndexDefinition.yaml b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-AzureCognitiveSearchIndexIndexDefinition.yaml
new file mode 100644
index 000000000..cf00cefe1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-AzureCognitiveSearchIndexIndexDefinition.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureCognitiveSearchIndexIndexDefinition
+title: Backup and Restore an Azure Cognitive Search Index. Use this sample code to
+ back up index definition and snapshot to a series of Json files
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.search/searchservices
+waf: Reliability
+severity: 0
+labels:
+ guid: 7be10278-57c1-4a61-8ee3-895aebfec5aa
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-AzureTrafficManagerRequests.yaml b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-AzureTrafficManagerRequests.yaml
new file mode 100644
index 000000000..6fcead21e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-AzureTrafficManagerRequests.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureTrafficManagerRequests
+title: Use Azure Traffic Manager to coordinate requests
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.search/searchservices
+waf: Reliability
+severity: 1
+labels:
+ guid: 85ee93c9-f53c-4803-be51-e6e4aa37ff4e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-LeverageAvailabilityZonesRead.yaml b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-LeverageAvailabilityZonesRead.yaml
new file mode 100644
index 000000000..97bbfb7ef
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-LeverageAvailabilityZonesRead.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageAvailabilityZonesRead
+title: Leverage Availability Zones by enabling read and/or write replicas
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.search/searchservices
+waf: Reliability
+severity: 0
+labels:
+ guid: 44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-MultipleServicesUseIndexers.yaml b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-MultipleServicesUseIndexers.yaml
new file mode 100644
index 000000000..36b613ec7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-MultipleServicesUseIndexers.yaml
@@ -0,0 +1,17 @@
+name: revcl-MultipleServicesUseIndexers
+title: To synchronize data across multiple services either Use indexers for updating
+ content on multiple services or Use REST APIs for pushing content updates on multiple
+ services
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.search/searchservices
+waf: Reliability
+severity: 1
+labels:
+ guid: 3c964882-aec9-4d44-9f68-4b5f2efbbdb6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-ReadWriteOperationsReplicas.yaml b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-ReadWriteOperationsReplicas.yaml
new file mode 100644
index 000000000..eea7f5b1a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-ReadWriteOperationsReplicas.yaml
@@ -0,0 +1,15 @@
+name: revcl-ReadWriteOperationsReplicas
+title: Enable 3 replicas to have 99.9% availability for read/write operations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.search/searchservices
+waf: Reliability
+severity: 1
+labels:
+ guid: 7d956fd9-788a-4845-9b9f-c0340972d810
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/search/search-reliability#high-availability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-RegionalRedudancyAutomatedMethod.yaml b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-RegionalRedudancyAutomatedMethod.yaml
new file mode 100644
index 000000000..c9d201400
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-RegionalRedudancyAutomatedMethod.yaml
@@ -0,0 +1,17 @@
+name: revcl-RegionalRedudancyAutomatedMethod
+title: For regional redudancy, Manually create services in 2 or more regions for Search
+ as it doesn't provide an automated method of replicating search indexes across geographic
+ regions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.search/searchservices
+waf: Reliability
+severity: 1
+labels:
+ guid: cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-ReplicasAvailability.yaml b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-ReplicasAvailability.yaml
new file mode 100644
index 000000000..aa8896e89
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSearch-searchServices/Reliability/revcl-ReplicasAvailability.yaml
@@ -0,0 +1,15 @@
+name: revcl-ReplicasAvailability
+title: Enable 2 replicas to have 99.9% availability for read operations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.search/searchservices
+waf: Reliability
+severity: 0
+labels:
+ guid: 41faa1ed-b7f0-447d-8cba-4a4905e5bb83
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/search/search-reliability#high-availability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AServiceBusClientAppServiceBusMessagingNamespace.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AServiceBusClientAppServiceBusMessagingNamespace.yaml
new file mode 100644
index 000000000..dce1e3a11
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AServiceBusClientAppServiceBusMessagingNamespace.yaml
@@ -0,0 +1,23 @@
+name: revcl-AServiceBusClientAppServiceBusMessagingNamespace
+title: When possible, your application should be using a managed identity to authenticate
+ to Azure Service Bus. If not, consider having the storage credential (SAS, service
+ principal credential) in Azure Key Vault or an equivalent service
+description: 'A Service Bus client app running inside an Azure App Service application
+ or in a virtual machine with enabled managed entities for Azure resources support
+ does not need to handle SAS rules and keys, or any other access tokens. The client
+ app only needs the endpoint address of the Service Bus Messaging namespace. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: 786d60f9-6c96-4ad8-a55d-04c2b39c986b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusNamespaceClasslessInterDomainRoutingNotation.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusNamespaceClasslessInterDomainRoutingNotation.yaml
new file mode 100644
index 000000000..50aa567f9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusNamespaceClasslessInterDomainRoutingNotation.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureServiceBusNamespaceClasslessInterDomainRoutingNotation
+title: Consider only allowing access to Azure Service Bus namespace from specific
+ IP addresses or ranges
+description: 'With IP firewall, you can restrict the public endpoint further to only
+ a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing)
+ notation. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusNamespacesTransportLayerSecurity.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusNamespacesTransportLayerSecurity.yaml
new file mode 100644
index 000000000..13668987e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusNamespacesTransportLayerSecurity.yaml
@@ -0,0 +1,22 @@
+name: revcl-AzureServiceBusNamespacesTransportLayerSecurity
+title: 'Enforce a minimum required version of Transport Layer Security (TLS) for requests '
+description: Communication between a client application and an Azure Service Bus namespace
+ is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces
+ permit clients to send and receive data with TLS 1.0 and above. To enforce stricter
+ security measures, you can configure your Service Bus namespace to require that
+ clients send and receive data with a newer version of TLS.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: 5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusPremiumCustomerManagedKeyOption.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusPremiumCustomerManagedKeyOption.yaml
new file mode 100644
index 000000000..262c151ff
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusPremiumCustomerManagedKeyOption.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureServiceBusPremiumCustomerManagedKeyOption
+title: Use customer-managed key option in data at rest encryption when required
+description: 'Azure Service Bus Premium provides encryption of data at rest. If you
+ use your own key, the data is still encrypted using the Microsoft-managed key, but
+ in addition the Microsoft-managed key will be encrypted using the customer-managed
+ key. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 2
+labels:
+ guid: 87af4a79-1f89-439b-ba47-768e14c11567
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusPublicIpAddress.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusPublicIpAddress.yaml
new file mode 100644
index 000000000..3022140ae
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-AzureServiceBusPublicIpAddress.yaml
@@ -0,0 +1,22 @@
+name: revcl-AzureServiceBusPublicIpAddress
+title: Consider using private endpoints to access Azure Service Bus and disable public
+ network access when applicable.
+description: 'Azure Service Bus by default has a public IP address and is Internet-reachable.
+ Private endpoints allow traffic between your virtual network and Azure Service Bus
+ traverses over the Microsoft backbone network. In addition to that, you should disable
+ public endpoints if those are not used. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: 9ae669ca-48e4-4a85-b222-3ece8bb12307
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/private-link-service
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-LeastPrivilegeDataPlaneRbacAzureServiceBus.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-LeastPrivilegeDataPlaneRbacAzureServiceBus.yaml
new file mode 100644
index 000000000..89374e4e2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-LeastPrivilegeDataPlaneRbacAzureServiceBus.yaml
@@ -0,0 +1,20 @@
+name: revcl-LeastPrivilegeDataPlaneRbacAzureServiceBus
+title: Use least privilege data plane RBAC
+description: 'When creating permissions, provide fine-grained control over a client''s
+ access to Azure Service Bus. Permissions in Azure Service Bus can and should be
+ scoped to the individual resource level e.g. queue, topic or subscription. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 0
+labels:
+ guid: f615658d-e558-4f93-9249-b831112dbd7e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-ServiceBusNamespaceAdministrativeRootAccount.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-ServiceBusNamespaceAdministrativeRootAccount.yaml
new file mode 100644
index 000000000..b619b6c14
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-ServiceBusNamespaceAdministrativeRootAccount.yaml
@@ -0,0 +1,22 @@
+name: revcl-ServiceBusNamespaceAdministrativeRootAccount
+title: Avoid using root account when it is not necessary
+description: 'When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey
+ is automatically created for the namespace. This policy has Manage permissions for
+ the entire namespace. It''s recommended that you treat this rule like an administrative
+ root account and don''t use it in your application. Using AAD as an authentication
+ provider with RBAC is recommended. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: 8bcbf59b-ce65-4de8-a03f-97879468d66a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-VariousDataPlaneAccessOperationsAzureServiceBusResourceLogs.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-VariousDataPlaneAccessOperationsAzureServiceBusResourceLogs.yaml
new file mode 100644
index 000000000..13c86e8b9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/Security/revcl-VariousDataPlaneAccessOperationsAzureServiceBusResourceLogs.yaml
@@ -0,0 +1,22 @@
+name: revcl-VariousDataPlaneAccessOperationsAzureServiceBusResourceLogs
+title: Enable logging for security investigation. Use Azure Monitor to trace resource
+ logs and runtime audit logs (currently available only in the premium tier)
+description: Azure Service Bus resource logs include operational logs, virtual network
+ and IP filtering logs. Runtime audit logs capture aggregated diagnostic information
+ for various data plane access operations (such as send or receive messages) in Service
+ Bus.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.servicebus/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: af12e7f9-43f6-4304-922d-929c2b1cd622
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/manage-identity-and-access/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/aprl-ServiceBusNamespacesUseServiceBus-1.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/aprl-ServiceBusNamespacesUseServiceBus-1.yaml
new file mode 100644
index 000000000..d0c20d4c4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/aprl-ServiceBusNamespacesUseServiceBus-1.yaml
@@ -0,0 +1,18 @@
+name: aprl-ServiceBusNamespacesUseServiceBus-1
+title: Enable auto-scale for production workloads on Service Bus namespaces
+description: |-
+ Use Service Bus with auto-scale for high availability. The Premium SKU supports auto-scale, ensuring that the resources are automatically scaled based on the load.
+source:
+ type: aprl
+ file: azure-resources/ServiceBus/namespaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ServiceBus/namespaces
+severity: 0
+labels:
+ guid: d810e3a8-600f-4be1-895b-1a93e61d37fd
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftServiceBus-namespaces/aprl-ServiceBusNamespacesUseServiceBus.yaml b/v2/recos/Services/MicrosoftServiceBus-namespaces/aprl-ServiceBusNamespacesUseServiceBus.yaml
new file mode 100644
index 000000000..f58533911
--- /dev/null
+++ b/v2/recos/Services/MicrosoftServiceBus-namespaces/aprl-ServiceBusNamespacesUseServiceBus.yaml
@@ -0,0 +1,23 @@
+name: aprl-ServiceBusNamespacesUseServiceBus
+title: Enable Availability Zones for Service Bus namespaces
+description: |-
+ Use Service Bus with zone redundancy for high availability. The Premium SKU supports availability zones, ensuring isolation within the same region. It manages 3 copies of the messaging store, kept in sync.
+source:
+ type: aprl
+ file: azure-resources/ServiceBus/namespaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ServiceBus/namespaces
+severity: 0
+labels:
+ guid: 20057905-262c-49fe-a9be-49f423afb359
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns Service Bus namespaces that do not have any availability zones enabled
+ resources
+ | where type =~ 'Microsoft.ServiceBus/namespaces'
+ | where properties.zoneRedundant == 'false'
+ | project recommendationId = "20057905-262c-49fe-a9be-49f423afb359", name, id, tags, param1=strcat("zoneRedundant: ", properties.zoneRedundant), param2=strcat("SKU: ", sku.name), param3=iff(tolower(sku.name) == 'premium', 'Move Service Bus namespace to a region that supports Availability Zones', 'Migrate to Premium SKU in a region that supports Availability Zones')
diff --git a/v2/recos/Services/MicrosoftSignalRService-SignalR/aprl-ZoneRedundancyPremiumTier.yaml b/v2/recos/Services/MicrosoftSignalRService-SignalR/aprl-ZoneRedundancyPremiumTier.yaml
new file mode 100644
index 000000000..99a0ed75c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSignalRService-SignalR/aprl-ZoneRedundancyPremiumTier.yaml
@@ -0,0 +1,24 @@
+name: aprl-ZoneRedundancyPremiumTier
+title: Enable zone redundancy for SignalR
+description: |-
+ Use SignalR with zone redundancy for production to improve uptime. This feature, available in the Premium tier, is activated upon creating or upgrading to Premium. Standard can upgrade to Premium without downtime.
+source:
+ type: aprl
+ file: azure-resources/SignalRService/signalR/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.SignalRService/SignalR
+severity: 0
+labels:
+ guid: 6a8b3db9-5773-413a-a127-4f7032f34bbd
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find SignalR instances that are not configured with the Premium tier
+ resources
+ | where type == "microsoft.signalrservice/signalr"
+ | where sku.tier != "Premium"
+ | project recommendationId = "6a8b3db9-5773-413a-a127-4f7032f34bbd", name, id, tags, param1 = "AvailabilityZones: Single Zone"
+ | order by id asc
diff --git a/v2/recos/Services/MicrosoftSql-servers/Cost/revcl-LearnMicrosoftPolicy.yaml b/v2/recos/Services/MicrosoftSql-servers/Cost/revcl-LearnMicrosoftPolicy.yaml
new file mode 100644
index 000000000..62afb11bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSql-servers/Cost/revcl-LearnMicrosoftPolicy.yaml
@@ -0,0 +1,15 @@
+name: revcl-LearnMicrosoftPolicy
+title: Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.sql/servers
+waf: Cost
+severity: 1
+labels:
+ guid: d7bb012f-7b95-4e06-b158-e2ea3992c2de
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSql-servers/aprl-AzureKeyVaultEncryptedConfigurations.yaml b/v2/recos/Services/MicrosoftSql-servers/aprl-AzureKeyVaultEncryptedConfigurations.yaml
new file mode 100644
index 000000000..34552a39c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSql-servers/aprl-AzureKeyVaultEncryptedConfigurations.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureKeyVaultEncryptedConfigurations
+title: Back Up Your Keys
+description: |-
+ It is highly recommended to use Azure Key Vault (AKV) to store encryption keys related to Always Encrypted configurations, however it is not required. If you are not using AKV, then ensure that your keys are properly backed up and stored in a secure manner.
+source:
+ type: aprl
+ file: azure-resources/Sql/servers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Sql/servers
+severity: 1
+labels:
+ guid: d6ef87aa-574e-584e-a955-3e6bb8b5425b
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftSql-servers/aprl-AzureSqlDatabaseDatabaseLayerConfiguration.yaml b/v2/recos/Services/MicrosoftSql-servers/aprl-AzureSqlDatabaseDatabaseLayerConfiguration.yaml
new file mode 100644
index 000000000..c4fe85226
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSql-servers/aprl-AzureSqlDatabaseDatabaseLayerConfiguration.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureSqlDatabaseDatabaseLayerConfiguration
+title: Implement Retry Logic
+description: |-
+ During transient failures, the application should handle connection retries effectively with Azure SQL Database. No Database layer configuration is needed; instead, the application must be set up for graceful retrying.
+source:
+ type: aprl
+ file: azure-resources/Sql/servers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Sql/servers
+severity: 0
+labels:
+ guid: cbb17a29-64fb-c943-95d0-8df814a37c40
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftSql-servers/aprl-AzureSqlDatabasePremiumTierAzureAvailabilityZones.yaml b/v2/recos/Services/MicrosoftSql-servers/aprl-AzureSqlDatabasePremiumTierAzureAvailabilityZones.yaml
new file mode 100644
index 000000000..eccae6424
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSql-servers/aprl-AzureSqlDatabasePremiumTierAzureAvailabilityZones.yaml
@@ -0,0 +1,26 @@
+name: aprl-AzureSqlDatabasePremiumTierAzureAvailabilityZones
+title: Enable zone redundancy for Azure SQL Database to achieve high availability
+ and resiliency
+description: |-
+ By default, Azure SQL Database premium tier provisions multiple copies within the same region. For geo redundancy, databases can be set as Zone Redundant, distributing copies across Azure Availability Zones to maintain availability during regional outages.
+source:
+ type: aprl
+ file: azure-resources/Sql/servers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Sql/servers
+severity: 1
+labels:
+ guid: c0085c32-84c0-c247-bfa9-e70977cbf108
+ area: High Availability
+links: []
+queries:
+ arg: |+
+ // Azure Resource Graph Query
+ // Finds non-zone redundant SQL databases and lists them
+ Resources
+ | where type =~ 'microsoft.sql/servers/databases'
+ | where tolower(tostring(properties.zoneRedundant))=~'false'
+ |project recommendationId = "c0085c32-84c0-c247-bfa9-e70977cbf108", name, id, tags
+
+...
diff --git a/v2/recos/Services/MicrosoftSql-servers/aprl-GeoReplicatedDatabaseManagementAutoFailoverGroups.yaml b/v2/recos/Services/MicrosoftSql-servers/aprl-GeoReplicatedDatabaseManagementAutoFailoverGroups.yaml
new file mode 100644
index 000000000..c280e375d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSql-servers/aprl-GeoReplicatedDatabaseManagementAutoFailoverGroups.yaml
@@ -0,0 +1,24 @@
+name: aprl-GeoReplicatedDatabaseManagementAutoFailoverGroups
+title: Auto Failover Groups can encompass one or multiple databases, usually used
+ by the same app.
+description: |-
+ Failover Groups facilitate disaster recovery by configuring databases on one logical server to replicate to another region's logical server. This streamlines geo-replicated database management, offering a single endpoint for connection routing to replicated databases if the primary server fails.
+source:
+ type: aprl
+ file: azure-resources/Sql/servers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Sql/servers
+severity: 0
+labels:
+ guid: 943c168a-2ec2-a94c-8015-85732a1b4859
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Provides a list of SQL databases that are not configured to use a failover-group.
+ resources
+ | where type =~'microsoft.sql/servers/databases'
+ | where isnull(properties['failoverGroupId'])
+ | project recommendationId = "943c168a-2ec2-a94c-8015-85732a1b4859", name, id, tags, param1= strcat("databaseId=", properties['databaseId'])
diff --git a/v2/recos/Services/MicrosoftSql-servers/aprl-ReadableSecondaryDatabaseReplicasActiveGeoReplication.yaml b/v2/recos/Services/MicrosoftSql-servers/aprl-ReadableSecondaryDatabaseReplicasActiveGeoReplication.yaml
new file mode 100644
index 000000000..adac6dc22
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSql-servers/aprl-ReadableSecondaryDatabaseReplicasActiveGeoReplication.yaml
@@ -0,0 +1,29 @@
+name: aprl-ReadableSecondaryDatabaseReplicasActiveGeoReplication
+title: Use Active Geo Replication to Create a Readable Secondary in Another Region
+description: |-
+ Active Geo Replication ensures business continuity by utilizing readable secondary database replicas. In case of primary database failure, manually failover to secondary database. Secondaries, up to four, can be in same/different regions, used for read-only access.
+source:
+ type: aprl
+ file: azure-resources/Sql/servers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Sql/servers
+severity: 0
+labels:
+ guid: 74c2491d-048b-0041-a140-935960220e20
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Provides a list of SQL databases that are not part of Geo Replication.
+ resources
+ | where type == "microsoft.sql/servers/databases"
+ | summarize secondaryTypeCount = countif(isnotempty(properties.secondaryType)) by name
+ | where secondaryTypeCount == 0
+ | join kind=inner (
+ Resources
+ | where type == "microsoft.sql/servers/databases"
+ ) on name
+ | extend param1 = "Not part of Geo Replication"
+ | project recommendationId = "74c2491d-048b-0041-a140-935960220e20", name, id, tags, param1
diff --git a/v2/recos/Services/MicrosoftSql-servers/aprl-RelevantDatabaseMetricsAzureSqlDatabase.yaml b/v2/recos/Services/MicrosoftSql-servers/aprl-RelevantDatabaseMetricsAzureSqlDatabase.yaml
new file mode 100644
index 000000000..af217daa9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSql-servers/aprl-RelevantDatabaseMetricsAzureSqlDatabase.yaml
@@ -0,0 +1,33 @@
+name: aprl-RelevantDatabaseMetricsAzureSqlDatabase
+title: Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents
+description: |-
+ Monitoring and alerting are an important part of database operations. When working with Azure SQL Database, make use of Azure Monitor and SQL Insights to ensure that you capture relevant database metrics.
+source:
+ type: aprl
+ file: azure-resources/Sql/servers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Sql/servers
+severity: 0
+labels:
+ guid: 7e7daec9-6a81-3546-a4cc-9aef72fec1f7
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of SQL databases that are not configured for monitoring.
+ resources
+ | where type == "microsoft.insights/metricalerts"
+ | mv-expand properties.scopes
+ | mv-expand properties.criteria.allOf
+ | project databaseid = properties_scopes, monitoredMetric = properties_criteria_allOf.metricName
+ | where databaseid contains 'databases'
+ | summarize monitoredMetrics=make_list(monitoredMetric) by databaseid=tolower(tostring(databaseid))
+ | join kind=fullouter (
+ resources
+ | where type =~ 'microsoft.sql/servers/databases'
+ | project databaseid = tolower(id), name, tags
+ ) on databaseid
+ | where isnull(monitoredMetrics)
+ | project recommendationId = "7e7daec9-6a81-3546-a4cc-9aef72fec1f7", name, id=databaseid1, tags, param1=strcat("MonitoringMetrics=false" )
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-LowerTierCustomizedRule.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-LowerTierCustomizedRule.yaml
new file mode 100644
index 000000000..99f98d40b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-LowerTierCustomizedRule.yaml
@@ -0,0 +1,17 @@
+name: revcl-LowerTierCustomizedRule
+title: 'Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: d1e44a19-659d-4395-afd7-7289b835556d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StandardSsdPremium.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StandardSsdPremium.yaml
new file mode 100644
index 000000000..df22c9226
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StandardSsdPremium.yaml
@@ -0,0 +1,15 @@
+name: revcl-StandardSsdPremium
+title: Consider using standard SSD rather than Premium or Ultra where possible
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: dec4861b-c3bc-410a-b77e-26e4d5a3bec2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StorageAccountsHotTier.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StorageAccountsHotTier.yaml
new file mode 100644
index 000000000..d39cb0b9b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StorageAccountsHotTier.yaml
@@ -0,0 +1,15 @@
+name: revcl-StorageAccountsHotTier
+title: 'Storage accounts: check hot tier and/or GRS necessary'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: d3294798-b118-48b2-a5a4-6ceb544451e1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StorageAccountsTransactionCharges.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StorageAccountsTransactionCharges.yaml
new file mode 100644
index 000000000..40e3d2c66
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-StorageAccountsTransactionCharges.yaml
@@ -0,0 +1,16 @@
+name: revcl-StorageAccountsTransactionCharges
+title: For storage accounts, make sure that the chosen tier is not adding up transaction
+ charges (it might be cheaper to move to the next tier)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: c4e2436b-1336-4db5-9f17-960eee0bdf5c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-TiersLess.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-TiersLess.yaml
new file mode 100644
index 000000000..c6bc599aa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/revcl-TiersLess.yaml
@@ -0,0 +1,15 @@
+name: revcl-TiersLess
+title: Consider archiving tiers for less used data
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 7e31c67d-68cf-46a6-8a11-94956d697dc3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/best-practices/monitoring
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AppropriateLogStorageLocationAzureMonitorLogsWorkspace.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AppropriateLogStorageLocationAzureMonitorLogsWorkspace.yaml
new file mode 100644
index 000000000..e8a06d0f8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AppropriateLogStorageLocationAzureMonitorLogsWorkspace.yaml
@@ -0,0 +1,23 @@
+name: wafsg-AppropriateLogStorageLocationAzureMonitorLogsWorkspace
+title: Reduce the cost of using resource logs by choosing the appropriate log storage
+ location and by managing log-retention periods. If you only plan to query logs occasionally
+ (for example, querying logs for compliance auditing), consider sending resource
+ logs to a storage account instead of sending them to an Azure Monitor Logs workspace.
+ You can use a serverless query solution such as Azure Synapse Analytics to analyze
+ logs. For more information, see Optimize cost for infrequent queries. Use lifecycle
+ management policies to delete or archive logs.
+description: Storing resource logs in a storage account for later analysis can be
+ a cheaper option. Using lifecycle management policies to manage log retention in
+ a storage account prevents large numbers of logs files building up over time, which
+ can lead to unnecessary capacity charges.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 4ee9e348-ad55-46c9-bdbf-e17adcae5fd0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AppropriatePricingPageAppropriateSettings.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AppropriatePricingPageAppropriateSettings.yaml
new file mode 100644
index 000000000..e96fba18b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AppropriatePricingPageAppropriateSettings.yaml
@@ -0,0 +1,20 @@
+name: wafsg-AppropriatePricingPageAppropriateSettings
+title: 'Understand the price of each meter: Make sure to use the appropriate pricing
+ page and apply the appropriate settings in that page. For more information, see
+ Finding the unit price for each meter. Consider the number of operations associated
+ with each price. For example, the price associated with write and read operations
+ applies to 10,000 operations. To determine the price of an individual operation,
+ divide the listed price by 10,000.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: e53d71d3-879f-4a64-b425-e30f007e7221
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AzurePricingCalculatorAzureFilesPricing.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AzurePricingCalculatorAzureFilesPricing.yaml
new file mode 100644
index 000000000..062671d58
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AzurePricingCalculatorAzureFilesPricing.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzurePricingCalculatorAzureFilesPricing
+title: 'Estimate the cost of capacity and operations: You can use the Azure pricing
+ calculator to model the costs associated with data storage, ingress, and egress.
+ Compare the cost associated with various regions, account types, and redundancy
+ configurations. For more information, see Azure Files pricing.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: c1f59c13-a5f1-4969-a1f4-a3180d9f7a30
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AzurePricingCalculatorVariousRegions.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AzurePricingCalculatorVariousRegions.yaml
new file mode 100644
index 000000000..442c5c375
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-AzurePricingCalculatorVariousRegions.yaml
@@ -0,0 +1,21 @@
+name: wafsg-AzurePricingCalculatorVariousRegions
+title: 'Estimate the cost of capacity and operations: You can model the costs associated
+ with data storage, ingress, and egress by using the Azure pricing calculator. Use
+ fields to compare the cost associated with various regions, account types, namespace
+ types, and redundancy configurations. For certain scenarios, you can use sample
+ calculations and worksheets available in Microsoft documentation. For example, you
+ can estimate the cost of archiving data or estimate the cost of using the AzCopy
+ command to transfer blobs.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 4d17df43-4382-430a-9463-13abf73774d0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-BillingModelCommitmentBasedModel.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-BillingModelCommitmentBasedModel.yaml
new file mode 100644
index 000000000..fcec694c7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-BillingModelCommitmentBasedModel.yaml
@@ -0,0 +1,18 @@
+name: wafsg-BillingModelCommitmentBasedModel
+title: 'Choose a billing model for capacity: Evaluate whether using a commitment-based
+ model is more cost-efficient than using a consumption-based model. If you''re unsure
+ about how much capacity you need, you can start with a consumption-based model,
+ monitor the capacity metrics, and then evaluate later.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 5bf631db-5818-4a48-9bb2-12383fb22c27
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CoolerAccessTiersWarmerAccessTiers.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CoolerAccessTiersWarmerAccessTiers.yaml
new file mode 100644
index 000000000..dd30c7640
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CoolerAccessTiersWarmerAccessTiers.yaml
@@ -0,0 +1,18 @@
+name: wafsg-CoolerAccessTiersWarmerAccessTiers
+title: 'Have a plan for managing the data lifecycle: Optimize transaction and capacity
+ costs by taking advantage of access tiers and lifecycle management. Data used less
+ often should be placed in cooler access tiers while data that''s accessed often
+ should be placed in warmer access tiers.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: d48626ce-bf57-4b9a-92b4-58d2904aca16
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostAnalysisPaneAzurePortal-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostAnalysisPaneAzurePortal-1.yaml
new file mode 100644
index 000000000..f7e3d608d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostAnalysisPaneAzurePortal-1.yaml
@@ -0,0 +1,18 @@
+name: wafsg-CostAnalysisPaneAzurePortal-1
+title: 'Monitor costs: Ensure costs stay within budgets, compare costs against forecasts,
+ and see where overspending occurs. You can use the cost analysis pane in the Azure
+ portal to monitor costs. You can also export cost data to a storage account, and
+ use Excel or Power BI to analyze that data.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 5473960a-7ac3-44a0-8d01-695132b782cd
+links: []
+queries: {}
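Review bot: This record is a near-duplicate of `wafsg-CostAnalysisPaneAzurePortal` (the same text apart from word order, sourced from `azure-blob-storage.md` instead of `azure-files.md`) yet gets its own guid and a `-1` suffix on `name`, which reads as an automatic collision-breaker rather than a deliberate identifier. A suffix that depends on which source file was processed first is fragile: regenerating in a different order would swap the two names while the guids stay put. Consider merging the two into one record whose `source.file` lists both guides, or deriving the name from the source file (e.g. `name: wafsg-files-CostAnalysisPaneAzurePortal`) so that it is stable across runs.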
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostAnalysisPaneAzurePortal.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostAnalysisPaneAzurePortal.yaml
new file mode 100644
index 000000000..075ca223f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostAnalysisPaneAzurePortal.yaml
@@ -0,0 +1,18 @@
+name: wafsg-CostAnalysisPaneAzurePortal
+title: 'Monitor costs: Ensure costs stay within budgets, compare costs against forecasts,
+ and see where overspending occurs. You can use the cost analysis pane in the Azure
+ portal to monitor costs. You also can export cost data to a storage account and
+ analyze that data by using Excel or Power BI.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 18f1f2f6-de79-405d-b7a1-65fb571c0493
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostEffectiveAccessTierTotalOverallCost.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostEffectiveAccessTierTotalOverallCost.yaml
new file mode 100644
index 000000000..4880b411c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostEffectiveAccessTierTotalOverallCost.yaml
@@ -0,0 +1,26 @@
+name: wafsg-CostEffectiveAccessTierTotalOverallCost
+title: 'After you migrate your workload, if you use standard file shares, carefully
+ choose the most cost effective access tier for your file share: hot, cool, or transaction
+ optimized. After you operate for a few days or weeks with regular usage, you can
+ insert your transaction counts in the pricing calculator to figure out which tier
+ best suits your workload. Most customers should choose cool even if they actively
+ use the share. But you should examine each share and compare the balance of storage
+ capacity to transactions to determine your tier. If transaction costs make up a
+ significant percentage of your bill, the savings from using the cool access tier
+ often offsets this cost and minimizes the total overall cost. We recommend that
+ you move standard file shares between access tiers only when necessary to optimize
+ for changes in your workload pattern. Each move incurs transactions. For more information,
+ see Switching between standard tiers.'
+description: Select the appropriate access tier for standard file shares to considerably
+ reduce your costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 9dd18ccf-33eb-4da0-9710-7b3d64290faa
+links: []
+queries: {}
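Review bot: The `source` block here has no `timestamp` and its `file` is a local relative path `./checklists-ext/wafsg_checklist.en.json`, while the guide-sourced records in this commit carry `timestamp:` and a repository-relative doc path; the two shapes make `source` unreliable to query or validate. If checklist-sourced records genuinely have no retrieval date, the schema should say so explicitly, e.g. `timestamp: null`, and the path should follow one convention. The title also ends with `see Switching between standard tiers` while `links: []` is empty, so the reference it promises has no target.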
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostEffectiveDefaultAccessTierDefaultAccessTierSetting.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostEffectiveDefaultAccessTierDefaultAccessTierSetting.yaml
new file mode 100644
index 000000000..e7a432054
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-CostEffectiveDefaultAccessTierDefaultAccessTierSetting.yaml
@@ -0,0 +1,21 @@
+name: wafsg-CostEffectiveDefaultAccessTierDefaultAccessTierSetting
+title: 'Choose the most cost-effective default access tier: Unless a tier is specified
+ with each blob upload, blobs infer their access tier from the default access tier
+ setting. A change to the default access tier setting of a storage account applies
+ to all blobs in the account for which an access tier hasn''t been explicitly set.
+ This cost could be significant if you''ve collected a large number of blobs. For
+ more information about how a tier change affects each existing blob, see Changing
+ a blob''s access tier.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: d78ebd83-3708-43dc-a146-c87c0bc845cc
+links: []
+queries: {}
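Review bot: The title ends with `see Changing a blob's access tier` but `links: []` is empty, so the cross-reference the text promises has no target in the record. Either populate `links` with the referenced article or strip the trailing "For more information, see …" sentence when the parser cannot resolve it. The same pattern recurs in several other records in this commit, which suggests a generator gap rather than a one-off.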
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-DefaultAccessTierRedundancyLevel.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-DefaultAccessTierRedundancyLevel.yaml
new file mode 100644
index 000000000..7614b6225
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-DefaultAccessTierRedundancyLevel.yaml
@@ -0,0 +1,18 @@
+name: wafsg-DefaultAccessTierRedundancyLevel
+title: 'Choose an account type, a redundancy level, and a default access tier: You
+ must select a value for each of these settings when you create a storage account.
+ All the values affect transaction charges and capacity charges. All these settings
+ except for the account type can be changed after the account is created.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 96e18bc5-92d9-4184-990e-0916f7c116fa
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-DefaultAccessTierSettingLifecycleManagementPolicies.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-DefaultAccessTierSettingLifecycleManagementPolicies.yaml
new file mode 100644
index 000000000..f8acd49b3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-DefaultAccessTierSettingLifecycleManagementPolicies.yaml
@@ -0,0 +1,23 @@
+name: wafsg-DefaultAccessTierSettingLifecycleManagementPolicies
+title: 'Upload data directly to the most cost-efficient access tier: For example,
+ if the default access tier setting of your account is hot, but you''re uploading
+ files for archiving purposes, specify a cooler tier as the archive or a cold tier
+ as part of your upload operation. After uploading blobs, use lifecycle management
+ policies to move blobs to the most cost-efficient tiers based on usage metrics such
+ as the last accessed time. Choosing the most optimal tier up front can reduce costs.
+ If you change the tier of a block blob that you already uploaded, then you pay the
+ cost of writing to the initial tier when you first upload the blob, and then pay
+ the cost of writing to the desired tier.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: d8225b92-cc37-400e-9e24-660b9f4c1a28
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-EmergencyDataRestorationSituationsStandardPriorityRehydration.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-EmergencyDataRestorationSituationsStandardPriorityRehydration.yaml
new file mode 100644
index 000000000..128fe59bc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-EmergencyDataRestorationSituationsStandardPriorityRehydration.yaml
@@ -0,0 +1,17 @@
+name: wafsg-EmergencyDataRestorationSituationsStandardPriorityRehydration
+title: Use standard-priority rehydration when rehydrating blobs from archive storage.
+ Use high-priority rehydration only for emergency data restoration situations. For
+ more information, see Rehydrate an archived blob to an online tier
+description: High-priority rehydration from the archive tier can lead to higher-than-normal
+ bills.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: ab60898d-c5ae-4087-95ce-5b55ed006972
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-EncryptionScopesUnnecessaryCharges.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-EncryptionScopesUnnecessaryCharges.yaml
new file mode 100644
index 000000000..58272b556
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-EncryptionScopesUnnecessaryCharges.yaml
@@ -0,0 +1,14 @@
+name: wafsg-EncryptionScopesUnnecessaryCharges
+title: Disable any encryption scopes that aren't needed to avoid unnecessary charges.
+description: Encryptions scopes incur a per month charge.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: a97cd83a-ed73-43df-bf01-11853e14f665
+links: []
+queries: {}
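Review bot: `Disable any encryption scopes that aren't needed` is given without a safety precondition, and a security reviewer would want the record to state that a scope must have no blobs or containers still encrypted under it before it is disabled — presumably operations against a disabled scope fail rather than fall back to the account key, so a cost-driven disable can become a data-availability incident. Suggest extending the description, e.g. `description: Encryption scopes incur a per-month charge. Before disabling a scope, confirm that no blobs or containers still reference it; data under a disabled scope is not accessible until the scope is re-enabled.` The typo `Encryptions scopes` in the current description should be fixed at the same time.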
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-FastDataTransferSpeedsAzureStandardHddStorage.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-FastDataTransferSpeedsAzureStandardHddStorage.yaml
new file mode 100644
index 000000000..9989c5656
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-FastDataTransferSpeedsAzureStandardHddStorage.yaml
@@ -0,0 +1,21 @@
+name: wafsg-FastDataTransferSpeedsAzureStandardHddStorage
+title: 'Decide whether your workload requires the performance of premium file shares
+ (Azure Premium SSD) or if Azure Standard HDD storage is sufficient: Determine your
+ storage account type and billing model based on the type of storage that you need.
+ If you require large amounts of input/output operations per second (IOPS), extremely
+ fast data transfer speeds, or very low latency, then you should choose premium Azure
+ file shares. NFS Azure file shares are only available on the premium tier. NFS and
+ SMB file shares are the same price on the premium tier.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 54bceac0-695d-4d3a-9e50-91fdb4c9f51a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-HigherDataTransferCostsFewerLargeFiles.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-HigherDataTransferCostsFewerLargeFiles.yaml
new file mode 100644
index 000000000..0dedcbc7d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-HigherDataTransferCostsFewerLargeFiles.yaml
@@ -0,0 +1,16 @@
+name: wafsg-HigherDataTransferCostsFewerLargeFiles
+title: Pack small files into larger files before moving them to cooler tiers. You
+ can use file formats such as TAR or ZIP.
+description: Cooler tiers have higher data transfer costs. By having fewer large files,
+ you can reduce the number of operations required to transfer data.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 1e8c6cb4-abe1-4ba1-899f-5ddc0d700517
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-LifecycleManagementPolicyOldBlobVersions.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-LifecycleManagementPolicyOldBlobVersions.yaml
new file mode 100644
index 000000000..497bafb28
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-LifecycleManagementPolicyOldBlobVersions.yaml
@@ -0,0 +1,17 @@
+name: wafsg-LifecycleManagementPolicyOldBlobVersions
+title: If you enable versioning, use a lifecycle management policy to automatically
+ delete old blob versions.
+description: Every write operation to a blob creates a new version. This increases
+ capacity costs. You can keep costs in check by removing versions that you no longer
+ need.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 72af3409-f6b8-43b7-b254-31990577bb73
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MetadataStorageChargesAzureFilesReservations.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MetadataStorageChargesAzureFilesReservations.yaml
new file mode 100644
index 000000000..00c3c0c52
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MetadataStorageChargesAzureFilesReservations.yaml
@@ -0,0 +1,19 @@
+name: wafsg-MetadataStorageChargesAzureFilesReservations
+title: Use Azure Files reservations, also referred to as reserved instances, to precommit
+ to storage usage and get a discount. Use reservations for production workloads or
+ dev/test workloads with consistent footprints. For more information, see Optimize
+ costs with storage reservations. Reservations don't include transaction, bandwidth,
+ data transfer, and metadata storage charges.
+description: Three-year reservations can provide a discount up to 36% on the total
+ cost of file storage. Reservations don't affect performance.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: f455ac95-f1e3-4a9a-9fab-044e7faeff2f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MinimumRecommendedRetentionPeriodPremiumFileShares.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MinimumRecommendedRetentionPeriodPremiumFileShares.yaml
new file mode 100644
index 000000000..7c4e80839
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MinimumRecommendedRetentionPeriodPremiumFileShares.yaml
@@ -0,0 +1,22 @@
+name: wafsg-MinimumRecommendedRetentionPeriodPremiumFileShares
+title: Set retention periods for the soft-delete feature, especially when you first
+ start using it. Consider starting with a short retention period to better understand
+ how the feature affects your bill. The minimum recommended retention period is seven
+ days. When you soft delete standard and premium file shares, they're billed as used
+ capacity rather than provisioned capacity. And premium file shares are billed at
+ the snapshot rate while in the soft-delete state. Standard file shares are billed
+ at the regular rate while in the soft-delete state.
+description: Set a retention period so that soft-deleted files don't pile up and increase
+ the cost of capacity. After the configured retention period, permanently deleted
+ data doesn't incur cost.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: bb6048c7-29fd-4388-aa22-de89fdbb39ea
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MinimumRecommendedRetentionPeriodShortRetentionPeriod.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MinimumRecommendedRetentionPeriodShortRetentionPeriod.yaml
new file mode 100644
index 000000000..fa03c51b4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-MinimumRecommendedRetentionPeriodShortRetentionPeriod.yaml
@@ -0,0 +1,21 @@
+name: wafsg-MinimumRecommendedRetentionPeriodShortRetentionPeriod
+title: If you enable soft delete, then place blobs that are frequently overwritten
+ into an account that doesn't have soft delete enabled. Set retention periods. Consider
+ starting with a short retention period to better understand how the feature affects
+ your bill. The minimum recommended retention period is seven days.
+description: Every time a blob is overwritten, a new snapshot is created. The cause
+ of increased capacity charges might be difficult to access because the creation
+ of these snapshots doesn't appear in logs. To reduce capacity charges, store frequently
+ overwritten data in a separate storage account with soft delete disabled. A retention
+ period keeps soft-deleted blobs from piling up and adding to the cost of capacity.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: edc3f7bc-6b6c-41a8-8f11-1485781fdf58
+links: []
+queries: {}
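Review bot: `The cause of increased capacity charges might be difficult to access` in the description appears to be a transcription error for `assess`; as written the sentence does not make sense. Since these records are presumably generated from the upstream checklist JSON, the correction needs to land in that source as well, or the error will return on the next run.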
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-NumerousLogFilesCostEffectiveAccessTiers.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-NumerousLogFilesCostEffectiveAccessTiers.yaml
new file mode 100644
index 000000000..ace014afe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-NumerousLogFilesCostEffectiveAccessTiers.yaml
@@ -0,0 +1,22 @@
+name: wafsg-NumerousLogFilesCostEffectiveAccessTiers
+title: 'Monitor usage: Continuously monitor usage patterns and detect unused or underutilized
+ accounts and containers. Use Storage insights to identity accounts with no or low
+ use. Enable blob inventory reports, and use tools such as Azure Databricks or Azure
+ Synapse Analytics and Power BI to analyze cost data. Watch out for unexpected increases
+ in capacity, which might indicate that you''re collecting numerous log files, blob
+ versions, or soft-deleted blobs. Develop a strategy for expiring or transitioning
+ objects to more cost-effective access tiers.Have a plan for expiring objects or
+ moving objects to more affordable access tiers.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: d48bcd05-e5af-4500-b04e-e35dce0f17f9
+links: []
+queries: {}
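Review bot: The title contains `access tiers.Have a plan for expiring objects or moving objects to more affordable access tiers.` — two sentences fused without a space, the second merely restating the one before it, which looks like the parser concatenated a table cell with the paragraph that follows it. The duplicated sentence should be dropped and the boundary fixed, e.g. end the title at `…transitioning objects to more cost-effective access tiers.`. `Use Storage insights to identity accounts` should also read `identify`.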
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-OtherCostAspectsAzureFileSync.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-OtherCostAspectsAzureFileSync.yaml
new file mode 100644
index 000000000..abf551e1a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-OtherCostAspectsAzureFileSync.yaml
@@ -0,0 +1,19 @@
+name: wafsg-OtherCostAspectsAzureFileSync
+title: 'Decide which value-added services you need: Azure Files supports integrations
+ with value-added services such as Backup, Azure File Sync, and Defender for Storage.
+ These solutions have their own licensing and product costs but are often considered
+ part of the total cost of ownership for file storage. Consider other cost aspects
+ if you use Azure File Sync.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 318fe019-cffa-4ca1-aa56-e00d1df86fe2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-PremiumFileSharesIoPerformanceCharacteristics.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-PremiumFileSharesIoPerformanceCharacteristics.yaml
new file mode 100644
index 000000000..72a3e812f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-PremiumFileSharesIoPerformanceCharacteristics.yaml
@@ -0,0 +1,19 @@
+name: wafsg-PremiumFileSharesIoPerformanceCharacteristics
+title: If you use premium shares, ensure that you provision more than enough capacity
+ and performance for your workload but not so much that you incur unnecessary costs.
+ We recommend overprovisioning by two to three times. You can dynamically scale premium
+ file shares up or down depending on your storage and input/output (IO) performance
+ characteristics.
+description: Overprovision premium file shares by a reasonable amount to help maintain
+ performance and account for future growth and performance requirements.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 11b05f06-7a9a-4f25-9816-f41f893897b4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-ResourceGroupsGovernancePolicies.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-ResourceGroupsGovernancePolicies.yaml
new file mode 100644
index 000000000..13f1c0fbf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-ResourceGroupsGovernancePolicies.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ResourceGroupsGovernancePolicies
+title: 'Create guardrails: Create budgets based on subscriptions and resource groups.
+ Use governance policies to restrict resource types, configurations, and locations.
+ Additionally, use RBAC to block actions that can lead to overspending.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: f0c38fed-fc9f-458d-aab7-9b03b8a0dfea
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-RoleBasedAccessControlResourceGroups.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-RoleBasedAccessControlResourceGroups.yaml
new file mode 100644
index 000000000..a83390332
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-RoleBasedAccessControlResourceGroups.yaml
@@ -0,0 +1,18 @@
+name: wafsg-RoleBasedAccessControlResourceGroups
+title: 'Create guardrails: Create budgets based on subscriptions and resource groups.
+ Use governance policies to restrict resource types, configurations, and locations.
+ Additionally, use role-based access control (RBAC) to block actions that can lead
+ to overspending.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: a5675d94-de9f-44b1-8b21-f8032cdf3f3d
+links: []
+queries: {}
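Review bot: This record repeats `wafsg-ResourceGroupsGovernancePolicies` almost verbatim (only `RBAC` is expanded to `role-based access control (RBAC)`) under a different name and guid, so downstream checklists will list the same guardrail twice for `microsoft.storage/storageaccounts`. Because the names are built from keyphrases of the two wordings, a name-based duplicate check will not catch it. A fuzzy-title dedup step in the generator, or one shared record with both guides in `source`, would avoid the double entry.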
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SftpSupportSftpEndpoint.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SftpSupportSftpEndpoint.yaml
new file mode 100644
index 000000000..c7fdecf17
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SftpSupportSftpEndpoint.yaml
@@ -0,0 +1,16 @@
+name: wafsg-SftpSupportSftpEndpoint
+title: Enable SFTP support only when it's used to transfer data.
+description: Enabling the SFTP endpoint incurs an hourly cost. By thoughtfully disabling
+ SFTP support, and then enabling it as needed, you can avoid passive charges from
+ accruing in your account.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: dd86bdc7-a08c-4624-9028-e0e80335a9ba
+links: []
+queries: {}
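Review bot: `Enable SFTP support only when it's used to transfer data.` is filed under `waf: Cost` alone, but the same control also keeps a network-reachable, credentialed protocol endpoint closed when it is not needed, which is arguably the stronger reason to follow it. Presumably the schema allows one pillar per record; if so, the description could at least mention the exposure benefit, e.g. `… you can avoid passive charges from accruing and keep an unused protocol endpoint closed.`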
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SoftDeleteAdditionalTransaction.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SoftDeleteAdditionalTransaction.yaml
new file mode 100644
index 000000000..867a8cbce
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SoftDeleteAdditionalTransaction.yaml
@@ -0,0 +1,18 @@
+name: wafsg-SoftDeleteAdditionalTransaction
+title: 'Decide which features you need: Some features such as versioning and blob
+ soft delete incur additional transaction and capacity costs as well as other charges.
+ Make sure to review the pricing and billing sections in articles that describe those
+ capabilities when you choose which capabilities to add to your account.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: ccbe2ffd-7bea-41ce-93fa-a9facc5bc5d0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SshFileTransferProtocolChangeFeedSupport.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SshFileTransferProtocolChangeFeedSupport.yaml
new file mode 100644
index 000000000..bff22a7eb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-SshFileTransferProtocolChangeFeedSupport.yaml
@@ -0,0 +1,20 @@
+name: wafsg-SshFileTransferProtocolChangeFeedSupport
+title: 'Identify the meters that are used to calculate your bill: Meters are used
+ to track the amount of data stored in the account (data capacity) and the number
+ and type of operations that are performed to write and read data. There are also
+ meters associated with the use of optional features such as blob index tags, blob
+ inventory, change feed support, encryption scopes, and SSH File Transfer Protocol
+ (SFTP) support. For more information, see How you''re charged for Blob Storage.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 322c5ad8-8c4a-4aa9-acd7-6f34a3e47c9c
+links: []
+queries: {}
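Review bot: `name: wafsg-SshFileTransferProtocolChangeFeedSupport` does not describe the record, which is about identifying the billing meters for an account; the name was evidently built from incidental keyphrases in the last sentence, so anyone searching for SFTP or change-feed guidance will land on a billing note. Since `name` doubles as the filename and a stable identifier, it should reflect the recommendation's action, e.g. `name: wafsg-IdentifyBillingMeters`, with the guid left as is. The trailing `see How you're charged for Blob Storage` with `links: []` is another unresolved reference.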
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardAzureFileSharesPremiumFileShares.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardAzureFileSharesPremiumFileShares.yaml
new file mode 100644
index 000000000..16b6a52b8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardAzureFileSharesPremiumFileShares.yaml
@@ -0,0 +1,19 @@
+name: wafsg-StandardAzureFileSharesPremiumFileShares
+title: When you migrate to standard Azure file shares, we recommend that you start
+ in the transaction-optimized tier during the initial migration. Transaction usage
+ during migration isn't typically indicative of normal transaction usage. This consideration
+ doesn't apply for premium file shares because the provisioned billing model doesn't
+ charge for transactions.
+description: Migrating to Azure Files is a temporary, transaction-heavy workload.
+ Optimize the price for high-transaction workloads to help reduce migration costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 72b9477f-3c39-4633-a052-90b1203f9be5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardAzureFileSharesPremiumShares.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardAzureFileSharesPremiumShares.yaml
new file mode 100644
index 000000000..a5b093de6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardAzureFileSharesPremiumShares.yaml
@@ -0,0 +1,22 @@
+name: wafsg-StandardAzureFileSharesPremiumShares
+title: 'Understand how your bill is calculated: Standard Azure file shares provide
+ a pay-as-you-go model. Premium shares use a provisioned model in which you specify
+ and pay for a certain amount of capacity, IOPS, and throughput up front. In the
+ pay-as-you-go model, meters track the amount of data that''s stored in the account,
+ or the capacity, and the number and type of transactions based on your usage of
+ that data. The pay-as-you-go model can be cost efficient because you pay only for
+ what you use. With the pay-as-you-go model, you don''t need to overprovision or
+ deprovision storage based on performance requirements or demand fluctuations.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 6a667592-f9c4-45ba-81c8-bb4841aa8781
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardSmbAzureFileSharesSameStandardStorageHardware.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardSmbAzureFileSharesSameStandardStorageHardware.yaml
new file mode 100644
index 000000000..76adf7e82
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardSmbAzureFileSharesSameStandardStorageHardware.yaml
@@ -0,0 +1,20 @@
+name: wafsg-StandardSmbAzureFileSharesSameStandardStorageHardware
+title: 'Choose the most cost-effective access tier: Standard SMB Azure file shares
+ offer three access tiers: transaction optimized, hot, and cool. All three tiers
+ are stored on the same standard storage hardware. The main difference for these
+ three tiers is their data at rest storage prices, which are lower in cooler tiers,
+ and the transaction prices, which are higher in cooler tiers. For more information,
+ see Differences in standard tiers.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: f3dd18d1-9937-413e-99a6-6abbe25b574c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardSmbFileSharesStandardFileShares.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardSmbFileSharesStandardFileShares.yaml
new file mode 100644
index 000000000..975abbfbf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StandardSmbFileSharesStandardFileShares.yaml
@@ -0,0 +1,21 @@
+name: wafsg-StandardSmbFileSharesStandardFileShares
+title: 'Create a storage account for your file share, and choose a redundancy level:
+ Choose either a standard (GPv2) or premium (FileStorage) account. The redundancy
+ level that you choose affects cost. The more redundancy, the higher the cost. Locally
+ redundant storage (LRS) is the most affordable. GRS is only available for standard
+ SMB file shares. Standard file shares only show transaction information at the storage
+ account level, so we recommend that you deploy only one file share in each storage
+ account to ensure full billing visibility.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 220f8243-dcba-41cd-95c1-70b8b0cc3bd2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StorageCapacityChargesSeparateStorageAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StorageCapacityChargesSeparateStorageAccount.yaml
new file mode 100644
index 000000000..91f63cab0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-StorageCapacityChargesSeparateStorageAccount.yaml
@@ -0,0 +1,17 @@
+name: wafsg-StorageCapacityChargesSeparateStorageAccount
+title: If you enable versioning, then place blobs that are frequently overwritten
+ into an account that doesn't have versioning enabled.
+description: Every time a blob is overwritten, a new version is added which leads
+ to increased storage capacity charges. To reduce capacity charges, store frequently
+ overwritten data in a separate storage account with versioning disabled.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: 4fb53237-e44f-4292-a7a5-f8e79d55fc4e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-TotalAzureFilesBillAzureFileSync.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-TotalAzureFilesBillAzureFileSync.yaml
new file mode 100644
index 000000000..93b21fd42
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-TotalAzureFilesBillAzureFileSync.yaml
@@ -0,0 +1,20 @@
+name: wafsg-TotalAzureFilesBillAzureFileSync
+title: Monitor snapshot usage. Snapshots incur charges, but they're billed based on
+ the differential storage usage of each snapshot. You pay only for the difference
+ in each snapshot. For more information, see Snapshots. Azure File Sync takes share-level
+ and file-level snapshots as part of regular usage, which can increase your total
+ Azure Files bill.
+description: Differential snapshots ensure that you're not billed multiple times for
+ storing the same data. However, you should still monitor snapshot usage to help
+ reduce your Azure Files bill.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: f3715e13-e5c7-4830-b1a0-4319523efab1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-UnderusedStorageAccountsCostEffectiveAccessTiers.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-UnderusedStorageAccountsCostEffectiveAccessTiers.yaml
new file mode 100644
index 000000000..27dde3468
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Cost/wafsg-UnderusedStorageAccountsCostEffectiveAccessTiers.yaml
@@ -0,0 +1,19 @@
+name: wafsg-UnderusedStorageAccountsCostEffectiveAccessTiers
+title: 'Monitor usage: Continuously monitor usage patterns to detect unused or underused
+ storage accounts and file shares. Check for unexpected increases in capacity, which
+ might indicate that you''re collecting numerous log files or soft-deleted files.
+ Develop a strategy for deleting files or moving files to more cost-effective access
+ tiers.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Cost
+severity: 1
+labels:
+ guid: a294f2dd-cd4f-42f7-80d8-798759c799e4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards-1.yaml
new file mode 100644
index 000000000..820aa516d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards-1.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards-1
+title: 'Monitor the health of your storage account: Create Storage insights dashboards
+ to monitor availability, performance, and resiliency metrics. Set up alerts to identify
+ and address problems in your system before your customers notice them. Use diagnostic
+ settings to route resource logs to an Azure Monitor Logs workspace. Then you can
+ query logs to investigate alerts more deeply.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: b860ac4e-04bd-4fca-bbe3-b6d4659a3a62
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards.yaml
new file mode 100644
index 000000000..76fd7d52b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureMonitorLogsWorkspaceStorageInsightsDashboards
+title: 'Monitor the health of your storage account: Create Storage insights dashboards
+ to monitor availability, performance, and resilience metrics. Set up alerts to identify
+ and address problems in your system before your customers notice them. Use diagnostic
+ settings to route resource logs to an Azure Monitor Logs workspace. Then you can
+ query logs to investigate alerts more deeply.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 16a0b5cc-d1a3-430b-a8d1-141a721f4e76
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses-1.yaml
new file mode 100644
index 000000000..8decc7548
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses-1.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses-1
+title: Use infrastructure as code (IaC) to define the details of your storage accounts
+ in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.
+description: You can use your existing DevOps processes to deploy new storage accounts,
+ and use Azure Policy to enforce their configuration.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 6a7d5ccf-3cbf-468c-84cb-d5bdee7c7f3d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses.yaml
new file mode 100644
index 000000000..3bf7b6bff
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses
+title: Use infrastructure as code (IaC) to define the details of your storage accounts
+ in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.
+description: You can use your existing DevOps processes to deploy new storage accounts,
+ and use Azure Policy to enforce their configuration.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 1c680237-1240-4015-b028-1e1525ac1a41
+links: []
+queries: {}
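Review bot: This file is byte-identical to wafsg-AzureResourceManagerTemplatesExistingDevopsProcesses-1.yaml in the preceding hunk apart from the `name` suffix and the `guid` value (`1c680237-…` vs `6a7d5ccf-…`), so the same recommendation is now published twice under two different identifiers; the same applies to the wafsg-StorageInsightsUnifiedView / -1 pair later in the diff. Presumably the generator found the item twice in `./checklists-ext/wafsg_checklist.en.json` and minted a fresh GUID for each occurrence rather than deduplicating on content, but the visible files do not show the cause. If the GUID is meant to be a stable key for consumers, one of each pair should be dropped and the generator should dedupe on title/description before assigning a GUID. A related inconsistency worth settling in the schema: recos sourced from the JSON checklist carry no `source.timestamp`, while those sourced from the markdown guides do.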
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-BlobInventoryReportsCostEfficientAccessTiers.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-BlobInventoryReportsCostEfficientAccessTiers.yaml
new file mode 100644
index 000000000..7979a93e8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-BlobInventoryReportsCostEfficientAccessTiers.yaml
@@ -0,0 +1,19 @@
+name: wafsg-BlobInventoryReportsCostEfficientAccessTiers
+title: 'Set up policies that delete blobs or move them to cost-efficient access tiers:
+ Create a lifecycle management policy with an initial set of conditions. Policy runs
+ automatically delete or set the access tier of blobs based on the conditions you
+ define. Periodically analyze container use by using Monitor metrics and blob inventory
+ reports so that you can refine conditions to optimize cost efficiency.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 508126c2-2c18-4411-a803-1d9c7ee07e7a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-EmergencyRecoveryPlansDataProtectionFeatures-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-EmergencyRecoveryPlansDataProtectionFeatures-1.yaml
new file mode 100644
index 000000000..ba2bd2956
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-EmergencyRecoveryPlansDataProtectionFeatures-1.yaml
@@ -0,0 +1,17 @@
+name: wafsg-EmergencyRecoveryPlansDataProtectionFeatures-1
+title: 'Create maintenance and emergency recovery plans: Consider data protection
+ features, backup and restore operations, and failover procedures. Prepare for potential
+ data loss and data inconsistencies and the time and cost of failing over.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 7de2699b-2c67-4b05-90a4-45d6c9d6693a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-EmergencyRecoveryPlansDataProtectionFeatures.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-EmergencyRecoveryPlansDataProtectionFeatures.yaml
new file mode 100644
index 000000000..d03bc3204
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-EmergencyRecoveryPlansDataProtectionFeatures.yaml
@@ -0,0 +1,17 @@
+name: wafsg-EmergencyRecoveryPlansDataProtectionFeatures
+title: 'Create maintenance and emergency recovery plans: Consider data protection
+ features, backup and restore operations, and failover procedures. Prepare for potential
+ data loss and data inconsistencies and the time and cost of failing over.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 2f429983-43fe-4e9a-a0f7-ec3328270b5c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-FileSharesUseMonitor.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-FileSharesUseMonitor.yaml
new file mode 100644
index 000000000..23efe32d5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-FileSharesUseMonitor.yaml
@@ -0,0 +1,16 @@
+name: wafsg-FileSharesUseMonitor
+title: Use Monitor to analyze metrics, such as availability, latency, and usage, and
+ to create alerts.
+description: Monitor provides a view of availability, performance, and resiliency
+ for your file shares.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 9e6f3601-b1cc-47e4-9f7e-715ec473b941
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StandardFileSharesDifferentAccessTier.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StandardFileSharesDifferentAccessTier.yaml
new file mode 100644
index 000000000..22bb708bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StandardFileSharesDifferentAccessTier.yaml
@@ -0,0 +1,19 @@
+name: wafsg-StandardFileSharesDifferentAccessTier
+title: 'Periodically review file share activity: Share activity can change over time.
+ Move standard file shares to cooler access tiers, or you can provision or deprovision
+ capacity for premium shares. When you move standard file shares to a different access
+ tier, you incur a transaction charge. Move standard file shares only when needed
+ to reduce your monthly bill.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: b7ee3665-5f27-4d59-89d1-ab99c6dba955
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageAccountContentsAzureSynapseAnalytics.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageAccountContentsAzureSynapseAnalytics.yaml
new file mode 100644
index 000000000..9af5c71fe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageAccountContentsAzureSynapseAnalytics.yaml
@@ -0,0 +1,20 @@
+name: wafsg-StorageAccountContentsAzureSynapseAnalytics
+title: 'Enable blob inventory reports: Enable blob inventory reports to review the
+ retention, legal hold, or encryption status of your storage account contents. You
+ can also use blob inventory reports to understand the total data size, age, tier
+ distribution, or other attributes of your data. Use tools such as Azure Databricks
+ or Azure Synapse Analytics and Power BI to better visualize inventory data and to
+ create reports for stakeholders.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: c9e1bce3-8d36-44f7-a91a-e7d35e67297c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageInsightsUnifiedView-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageInsightsUnifiedView-1.yaml
new file mode 100644
index 000000000..ddda1189e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageInsightsUnifiedView-1.yaml
@@ -0,0 +1,18 @@
+name: wafsg-StorageInsightsUnifiedView-1
+title: Use Storage insights to track the health and performance of your storage accounts.
+ Storage insights provides a unified view of the failures, performance, availability,
+ and capacity for all your storage accounts.
+description: You can track the health and operation of each of your accounts. Easily
+ create dashboards and reports that stakeholders can use to track the health of your
+ storage accounts.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 5fff0543-7133-4501-bd87-ea55392c6a7e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageInsightsUnifiedView.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageInsightsUnifiedView.yaml
new file mode 100644
index 000000000..4cbd82e1d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Operations/wafsg-StorageInsightsUnifiedView.yaml
@@ -0,0 +1,18 @@
+name: wafsg-StorageInsightsUnifiedView
+title: Use Storage insights to track the health and performance of your storage accounts.
+ Storage insights provides a unified view of the failures, performance, availability,
+ and capacity for all your storage accounts.
+description: You can track the health and operation of each of your accounts. Easily
+ create dashboards and reports that stakeholders can use to track the health of your
+ storage accounts.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Operations
+severity: 1
+labels:
+ guid: 15f258d9-8353-49ff-9eca-441c96e911be
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-AzureFileSyncAzureFiles.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-AzureFileSyncAzureFiles.yaml
new file mode 100644
index 000000000..e20732f44
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-AzureFileSyncAzureFiles.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureFileSyncAzureFiles
+title: 'Plan for scale: Understand the scalability and performance targets for storage
+ accounts, Azure Files, and Azure File Sync.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 606bb21e-2197-4b38-89bd-3cf48e053a7d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-AzureFilesPremiumServiceNconnectClientSideMountOption.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-AzureFilesPremiumServiceNconnectClientSideMountOption.yaml
new file mode 100644
index 000000000..7e665b212
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-AzureFilesPremiumServiceNconnectClientSideMountOption.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFilesPremiumServiceNconnectClientSideMountOption
+title: Use the nconnect client-side mount option with NFS Azure file shares on Linux
+ clients. Nconnect enables you to use more TCP connections between the client and
+ the Azure Files premium service for NFSv4.1.
+description: Increase performance at scale, and reduce the total cost of ownership
+ for NFS file shares.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 830493d9-b872-469b-8248-88a098ae834f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BestPossibleClientExperienceStandardStorageAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BestPossibleClientExperienceStandardStorageAccounts.yaml
new file mode 100644
index 000000000..74d75d0c1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BestPossibleClientExperienceStandardStorageAccounts.yaml
@@ -0,0 +1,18 @@
+name: wafsg-BestPossibleClientExperienceStandardStorageAccounts
+title: Make sure your file share or storage account isn't being throttled, which can
+ result in high latency, low throughput, or low IOPS. Requests are throttled when
+ the IOPS, ingress, or egress limits are reached. For standard storage accounts,
+ throttling occurs at the account level. For premium file shares, throttling usually
+ occurs at the share level.
+description: Avoid throttling to provide the best possible client experience.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 1ba7c827-9dea-42c2-ae8f-6a8399bedf94
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BlobRestOperationsBlobStorage.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BlobRestOperationsBlobStorage.yaml
new file mode 100644
index 000000000..d85f5d402
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BlobRestOperationsBlobStorage.yaml
@@ -0,0 +1,20 @@
+name: wafsg-BlobRestOperationsBlobStorage
+title: 'Optimize the performance of custom code: Consider using Storage SDKs instead
+ of creating your own wrappers for blob REST operations. Azure SDKs are optimized
+ for performance and provide mechanisms to fine-tune performance. Before creating
+ an application, review the performance and scalability checklist for Blob Storage.
+ Consider using query acceleration to filter out unwanted data during the storage
+ request and keep clients from needlessly transferring data across the network.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: faea0cea-49d5-462b-bece-94cca446b10a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BlockSizePerformanceEnhancements.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BlockSizePerformanceEnhancements.yaml
new file mode 100644
index 000000000..5f7a8d2a7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-BlockSizePerformanceEnhancements.yaml
@@ -0,0 +1,16 @@
+name: wafsg-BlockSizePerformanceEnhancements
+title: When uploading blobs or blocks, use a blob or block size that's greater than
+ 256 KiB.
+description: Blob or block sizes above 256 KiB takes advantage of performance enhancements
+ in the platform made specifically for larger blobs and block sizes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 22fb7fa5-e280-4a6a-8ae4-53fcd802c196
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-ContentDeliveryNetworkDefaultNetworkConfigurations.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-ContentDeliveryNetworkDefaultNetworkConfigurations.yaml
new file mode 100644
index 000000000..8b13cc3d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-ContentDeliveryNetworkDefaultNetworkConfigurations.yaml
@@ -0,0 +1,20 @@
+name: wafsg-ContentDeliveryNetworkDefaultNetworkConfigurations
+title: 'Reduce travel distance between the client and server: Place data in regions
+ nearest to connecting clients (ideally in the same region). Optimize for clients
+ in regions far away by using object replication or a content delivery network. Default
+ network configurations provide the best performance. Modify network settings only
+ to improve security. In general, network settings don''t decrease travel distance
+ and don''t improve performance.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 4732ffbc-7fe6-4e88-9178-932e7fbeddf5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-DataPlaneOperationsMonitorStorageInsights.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-DataPlaneOperationsMonitorStorageInsights.yaml
new file mode 100644
index 000000000..722400ef9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-DataPlaneOperationsMonitorStorageInsights.yaml
@@ -0,0 +1,20 @@
+name: wafsg-DataPlaneOperationsMonitorStorageInsights
+title: 'Collect performance data: Monitor your storage account to identify performance
+ bottlenecks that occur from throttling. For more information, see Monitoring your
+ storage service with Monitor Storage insights. Use both metrics and logs. Metrics
+ provide numbers such as throttling errors. Logs describe activity. If you see throttling
+ metrics, you can use logs to identity which clients are receiving throttling errors.
+ For more information, see Auditing data plane operations.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 557fe672-1057-4798-acbb-bb377abcb704
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-HashCharacterSequenceVirtualDirectoryName.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-HashCharacterSequenceVirtualDirectoryName.yaml
new file mode 100644
index 000000000..67bae95b7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-HashCharacterSequenceVirtualDirectoryName.yaml
@@ -0,0 +1,19 @@
+name: wafsg-HashCharacterSequenceVirtualDirectoryName
+title: Add a hash character sequence (such as three digits) as early as possible in
+ the partition key of a blob. The partition key is the account name, container name,
+ virtual directory name, and blob name. If you plan to use timestamps in names, then
+ consider adding a seconds value to the beginning of that stamp. For more information,
+ see Partitioning.
+description: Using a hash code or seconds value nearest the beginning of a partition
+ key reduces the time required to list query and read blobs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 5111fdd2-bb7e-46bf-9c14-371d1371c935
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-HashTagPrefixesBlobPartitionKey.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-HashTagPrefixesBlobPartitionKey.yaml
new file mode 100644
index 000000000..79c1b3446
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-HashTagPrefixesBlobPartitionKey.yaml
@@ -0,0 +1,18 @@
+name: wafsg-HashTagPrefixesBlobPartitionKey
+title: 'Choose an efficient naming scheme: Decrease the latency of listing, list,
+ query, and read operations by using hash tag prefixes nearest the beginning of the
+ blob partition key (account, container, virtual directory, or blob name). This scheme
+ benefits mostly accounts that have a flat namespace.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: e79e1149-9aa1-4064-8c07-52e390f99d9e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MicrosoftGlobalEdgeNetworkAzureFrontDoor.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MicrosoftGlobalEdgeNetworkAzureFrontDoor.yaml
new file mode 100644
index 000000000..89b992d18
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MicrosoftGlobalEdgeNetworkAzureFrontDoor.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MicrosoftGlobalEdgeNetworkAzureFrontDoor
+title: For broad consumption by web clients (streaming video, audio, or static website
+ content), consider using a content delivery network through Azure Front Door.
+description: Content is delivered to clients faster because it uses the Microsoft
+ global edge network with hundreds of global and local points of presence around
+ the world.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: b14ffaa1-4873-48ce-be43-05203e7e2562
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MobileDeviceAppsPremisesEnterpriseServices.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MobileDeviceAppsPremisesEnterpriseServices.yaml
new file mode 100644
index 000000000..abaa37a67
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MobileDeviceAppsPremisesEnterpriseServices.yaml
@@ -0,0 +1,24 @@
+name: wafsg-MobileDeviceAppsPremisesEnterpriseServices
+title: Provision storage accounts in the same region where dependent resources are
+ placed. For applications that aren't hosted on Azure, such as mobile device apps
+ or on-premises enterprise services, locate the storage account in a region nearer
+ to those clients. For more information, see Azure geographies.If clients from a
+ different region don't require the same data, then create a separate account in
+ each region.If clients from a different region require only some data, consider
+ using an object-replication policy to asynchronously copy relevant objects to a
+ storage account in the other region.
+description: Reducing the physical distance between the storage account and VMs, services,
+ and on-premises clients can improve performance and reduce network latency. Reducing
+ the physical distance also reduces cost for applications hosted in Azure because
+ bandwidth usage within a single region is free.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 876895f8-8298-4cda-9569-2fb95405511a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MostSmbFileShareWorkloadsOptimalStorageAccountType.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MostSmbFileShareWorkloadsOptimalStorageAccountType.yaml
new file mode 100644
index 000000000..b72464388
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-MostSmbFileShareWorkloadsOptimalStorageAccountType.yaml
@@ -0,0 +1,19 @@
+name: wafsg-MostSmbFileShareWorkloadsOptimalStorageAccountType
+title: 'Choose the optimal storage account type: If your workload requires large amounts
+ of IOPS, extremely fast data transfer speeds, or very low latency, then you should
+ choose premium (FileStorage) storage accounts. You can use a standard general-purpose
+ v2 account for most SMB file share workloads. The primary tradeoff between the two
+ storage account types is cost versus performance.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 6014ae08-0163-41c5-84ea-1467ad0d98ee
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceDataWorkloadPerformance.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceDataWorkloadPerformance.yaml
new file mode 100644
index 000000000..0d2c07175
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceDataWorkloadPerformance.yaml
@@ -0,0 +1,18 @@
+name: wafsg-PerformanceDataWorkloadPerformance
+title: 'Collect performance data: Monitor workload performance, including latency,
+ availability, and usage metrics. Analyze logs to diagnose problems such as timeouts
+ and throttling. Create alerts to notify you if a file share is being throttled,
+ about to be throttled, or experiencing high latency.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: b67e8471-7d96-4b52-83d2-622c83758327
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceOptimizationGuidanceDataTransferTool.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceOptimizationGuidanceDataTransferTool.yaml
new file mode 100644
index 000000000..7bdcb5a6d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceOptimizationGuidanceDataTransferTool.yaml
@@ -0,0 +1,19 @@
+name: wafsg-PerformanceOptimizationGuidanceDataTransferTool
+title: 'Optimize the performance of data clients: Choose a data transfer tool that''s
+ most appropriate for the data size, transfer frequency, and bandwidth of your workloads.
+ Some tools such as AzCopy are optimized for performance and require little intervention.
+ Consider the factors that influence latency, and fine-tune performance by reviewing
+ the performance optimization guidance that''s published with each tool.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 2c5c76ee-3c54-4063-9deb-6e02b3b046e6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceScaleLimitsAzureFilesService.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceScaleLimitsAzureFilesService.yaml
new file mode 100644
index 000000000..1be6609ad
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PerformanceScaleLimitsAzureFilesService.yaml
@@ -0,0 +1,22 @@
+name: wafsg-PerformanceScaleLimitsAzureFilesService
+title: 'Create storage accounts in the same regions as connecting clients to reduce
+ latency: The farther you are from the Azure Files service, the greater the latency
+ and the more difficult to achieve performance scale limits. This consideration is
+ especially true when you access Azure Files from on-premises environments. If possible,
+ ensure that your storage account and your clients are co-located in the same Azure
+ region. Optimize for on-premises clients by minimizing network latency or by using
+ an ExpressRoute connection to extend on-premises networks into the Microsoft cloud
+ over a private connection.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 056cff2c-647d-41c8-82b0-f3ce60d82973
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PremiumBlockBlobStorageAccountsOptimalStorageAccountType.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PremiumBlockBlobStorageAccountsOptimalStorageAccountType.yaml
new file mode 100644
index 000000000..bc26da9a1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PremiumBlockBlobStorageAccountsOptimalStorageAccountType.yaml
@@ -0,0 +1,18 @@
+name: wafsg-PremiumBlockBlobStorageAccountsOptimalStorageAccountType
+title: 'Choose the optimal storage account type: If your workload requires high transaction
+ rates, smaller objects, and a consistently low transaction latency, then consider
+ using premium block blob storage accounts. A standard general-purpose v2 account
+ is most appropriate in most cases.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 414185fb-3518-4ff6-a275-a48689d44e4d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PremiumSmbFileSharesSmbAzureFileShare.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PremiumSmbFileSharesSmbAzureFileShare.yaml
new file mode 100644
index 000000000..314964bff
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-PremiumSmbFileSharesSmbAzureFileShare.yaml
@@ -0,0 +1,19 @@
+name: wafsg-PremiumSmbFileSharesSmbAzureFileShare
+title: Enable SMB Multichannel for premium SMB file shares. SMB Multichannel allows
+ an SMB 3.1.1 client to establish multiple network connections to an SMB Azure file
+ share. SMB Multichannel only works when the feature is enabled on both client-side
+ (your client) and service-side (Azure). On Windows clients, SMB Multichannel is
+ enabled by default, but you need to enable it on your storage account.
+description: Increase throughput and IOPS while reducing the total cost of ownership.
+ Performance benefits increase with the number of files that distribute load.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 877da8a6-ccba-4655-a550-a1d0b01c13fc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-SameStorageAccountUpperPerformanceLimits.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-SameStorageAccountUpperPerformanceLimits.yaml
new file mode 100644
index 000000000..e58304d9f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-SameStorageAccountUpperPerformanceLimits.yaml
@@ -0,0 +1,22 @@
+name: wafsg-SameStorageAccountUpperPerformanceLimits
+title: 'Understand your application and usage patterns to achieve predictable performance:
+ Determine latency sensitivity, IOPS and throughput requirements, workload duration
+ and frequency, and workload parallelization. Use Azure Files for multi-threaded
+ applications to help you achieve the upper performance limits of a service. If most
+ of your requests are metadata-centric, such as createfile, openfile, closefile,
+ queryinfo, or querydirectory, the requests create poor latency that''s higher than
+ the read and write operations. If you have this problem, consider separating the
+ file share into multiple file shares within the same storage account.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: de7e1635-911b-43e8-a887-95b8e13778d1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-StorageAccountsScaleTargets.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-StorageAccountsScaleTargets.yaml
new file mode 100644
index 000000000..23e0a7d4c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-StorageAccountsScaleTargets.yaml
@@ -0,0 +1,15 @@
+name: wafsg-StorageAccountsScaleTargets
+title: 'Plan for scale: Understand the scale targets for storage accounts.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: aaf8acc7-9e41-4997-8da4-cc82b102db09
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-UnderlyingDiskConfigurationAzureFileSync.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-UnderlyingDiskConfigurationAzureFileSync.yaml
new file mode 100644
index 000000000..1a63e786c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Performance/wafsg-UnderlyingDiskConfigurationAzureFileSync.yaml
@@ -0,0 +1,20 @@
+name: wafsg-UnderlyingDiskConfigurationAzureFileSync
+title: 'Optimize for hybrid deployments: If you use Azure File Sync, sync performance
+ depends on many factors: your Windows Server and the underlying disk configuration,
+ network bandwidth between the server and the Azure storage, file size, total dataset
+ size, and the activity on the dataset. To measure the performance of a solution
+ that''s based on Azure File Sync, determine the number of objects, such as files
+ and directories, that you process per second.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Performance
+severity: 1
+labels:
+ guid: 06194a9a-646b-40f8-81df-2cffae089d7b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-AppropriateDataRedundancyOptionAzureStorage.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-AppropriateDataRedundancyOptionAzureStorage.yaml
new file mode 100644
index 000000000..7f640174e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-AppropriateDataRedundancyOptionAzureStorage.yaml
@@ -0,0 +1,21 @@
+name: revcl-AppropriateDataRedundancyOptionAzureStorage
+title: Choose the most appropriate data redundancy option for Azure Storage based
+ on your requirements
+description: Use Zone-redundant Storage (ZRS) in the primary region for scenarios
+ that require high availability and for restricting replication to a particular country
+ or region. For protection against regional disasters, use Geo-zone-redundant Storage
+ (GZRS), which combines ZRS in the primary region with geo-replication to a secondary
+ region?.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 48c7c891-dcb1-4f7d-9769-ae568ba38d4a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-redundancy
+queries: {}
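Review bot: The description ends with a stray `region?.` (line `+ region?.`), which reads as a mis-encoded character carried over from the source checklist rather than a question; it should be `region.`. Because this file is emitted from `./checklists/waf_checklist.en.json`, the character needs fixing in that JSON, or non-ASCII punctuation should be normalized at ingest, otherwise the defect comes back on the next generation run.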
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-BlobSoftDeleteIndividualBlob.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-BlobSoftDeleteIndividualBlob.yaml
new file mode 100644
index 000000000..c3f1f8e94
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-BlobSoftDeleteIndividualBlob.yaml
@@ -0,0 +1,18 @@
+name: revcl-BlobSoftDeleteIndividualBlob
+title: Enable soft delete for blobs
+description: Blob soft delete protects an individual blob and its versions, snapshots,
+ and metadata from accidental deletes or overwrites by maintaining the deleted data
+ in the system for a specified period of time.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 9ada4666-7e13-4c10-96b9-153d89f89dc7
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-CustomerManagedFailoverOperation.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-CustomerManagedFailoverOperation.yaml
new file mode 100644
index 000000000..321c37816
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-CustomerManagedFailoverOperation.yaml
@@ -0,0 +1,15 @@
+name: revcl-CustomerManagedFailoverOperation
+title: 'For write operation after failover, use customer-Managed Failover '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 2fa56c56-ad48-4408-be72-734c486ba280
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance
+queries: {}
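Review bot: The title `'For write operation after failover, use customer-Managed Failover '` has a trailing space and inconsistent capitalization, and the entry has no `description`, so a reader gets no indication of what the recommendation actually asks for. Suggest `title: 'To restore write access after a regional outage, initiate a customer-managed failover'` and a short description. A caveat a practitioner would want in that description, to be confirmed against the linked disaster-recovery guidance before adding, is that after a customer-managed failover the account is left locally redundant in the new primary region and geo-redundancy has to be re-enabled before the data is protected again.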
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-DeleteLockMaliciousDeletion.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-DeleteLockMaliciousDeletion.yaml
new file mode 100644
index 000000000..4af9f9ab4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-DeleteLockMaliciousDeletion.yaml
@@ -0,0 +1,18 @@
+name: revcl-DeleteLockMaliciousDeletion
+title: Apply a Delete lock to prevent accidental or malicious deletion of storage
+ accounts
+description: Assigning a Delete lock to your storage account helps protect the availability
+ of your data, minimizing the risk of disruptions to your business operations.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 2
+labels:
+ guid: 85e2213d-bd7b-4b01-8f7b-95e06e158e3e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/lock-account-resource
+queries: {}
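Review bot: The description overstates what a Delete lock protects: a `CanNotDelete` lock only blocks deletion of the storage account resource through Azure Resource Manager; it does not stop deletion or overwrite of blobs, containers or shares through the data plane, and any principal holding `Microsoft.Authorization/locks/*` (Owner, User Access Administrator) can remove the lock first and then delete the account. A recommendation framed around malicious deletion should say so and point at the complementary controls, e.g. append to the description `The lock does not protect data inside the account and can be removed by principals with lock-management rights; combine it with soft delete, versioning or immutability policies and restrict who can manage locks.`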
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-LeverageGrsGzrsStorage.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-LeverageGrsGzrsStorage.yaml
new file mode 100644
index 000000000..7c89da0de
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-LeverageGrsGzrsStorage.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageGrsGzrsStorage
+title: Leverage GRS, ZRS or GZRS storage for the highest availability
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 0
+labels:
+ guid: e05bbe20-9d49-4fda-9777-8424d116785c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-redundancy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-MicrosoftManagedFailoverDetails.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-MicrosoftManagedFailoverDetails.yaml
new file mode 100644
index 000000000..2ebfed9e2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-MicrosoftManagedFailoverDetails.yaml
@@ -0,0 +1,15 @@
+name: revcl-MicrosoftManagedFailoverDetails
+title: Understand Microsoft-Managed Failover details
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: dc0590cf-65de-48e1-909c-cbd579266bcc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-SoftDelete.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-SoftDelete.yaml
new file mode 100644
index 000000000..221d12a11
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-SoftDelete.yaml
@@ -0,0 +1,15 @@
+name: revcl-SoftDelete
+title: Enable Soft Delete
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: a274faa1-abfe-49d5-9d04-c3c4919cb1b3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal
+queries: {}
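Review bot: `revcl-SoftDelete` duplicates `revcl-BlobSoftDeleteIndividualBlob` from the same checklist file: both link to the blob soft-delete enablement doc, this one with a shorter title, no description and a different GUID. Two entries for one control will double-count in any compliance scoring built on these files. Either drop this file or merge it into the other entry and keep a single GUID; if the generator is expected to dedupe on source GUID, this pair shows that the upstream checklist already carries two GUIDs for the same control.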
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-StorageAccountContainersSoftDelete.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-StorageAccountContainersSoftDelete.yaml
new file mode 100644
index 000000000..1f07675c2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-StorageAccountContainersSoftDelete.yaml
@@ -0,0 +1,17 @@
+name: revcl-StorageAccountContainersSoftDelete
+title: Enable soft delete for Storage Account Containers
+description: Container soft delete protects your data from being accidentally deleted
+ by maintaining the deleted data in the system for a specified period of time.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 2
+labels:
+ guid: a3992c2d-e6e2-4065-a3a7-6af4a691e893
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-StoragevAccountTypePerformance.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-StoragevAccountTypePerformance.yaml
new file mode 100644
index 000000000..4478166f7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/revcl-StoragevAccountTypePerformance.yaml
@@ -0,0 +1,15 @@
+name: revcl-StoragevAccountTypePerformance
+title: Leverage a storagev2 account type for better performance and reliability
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 0
+labels:
+ guid: cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal
+queries: {}
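Review bot: The name `revcl-StoragevAccountTypePerformance` (and so the file name) carries a typo, `Storagev`, and the title says `storagev2` where the documented account kind is general-purpose v2 (`StorageV2`). Since `name` is the identifier other tooling will key on, fix it before it propagates: `name: revcl-StorageV2AccountTypePerformance` and `title: Use a general-purpose v2 (StorageV2) account type for better performance and reliability`, with the file renamed to match. The GUID can stay as-is so existing references remain valid.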
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureContentDeliveryNetworkFrontDoorEndpoints.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureContentDeliveryNetworkFrontDoorEndpoints.yaml
new file mode 100644
index 000000000..caec884ed
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureContentDeliveryNetworkFrontDoorEndpoints.yaml
@@ -0,0 +1,21 @@
+name: wafsg-AzureContentDeliveryNetworkFrontDoorEndpoints
+title: 'Use failure mode analysis: Minimize points of failure by considering internal
+ dependencies such as the availability of virtual networks, Azure Key Vault, or Azure
+ Content Delivery Network or Azure Front Door endpoints. Failures can occur if credentials
+ required by workloads to access Blob Storage go missing from Key Vault, or if workloads
+ use an endpoint based on a content delivery network that''s removed. In these cases,
+ workloads might need to use an alternative endpoint to connect. For general information
+ about failure mode analysis, see Recommendations for performing failure mode analysis.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 42f14a23-b4d3-47a8-a0d1-5f9987aab27b
+links: []
+queries: {}
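Review bot: The title ends with `see Recommendations for performing failure mode analysis.` but `links: []` is empty, so the reference that sentence points to was lost when the guide was converted; the same happens with the `For more information, see …` sentences in several other wafsg entries. Either populate `links` with the target the markdown linked to (a `- type: docs` entry whose URL is captured at ingest) or strip the dangling sentence from the title. Separately, a title this long is a paragraph of guidance rather than a title; consider moving everything after the first colon into `description`.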
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems-1.yaml
new file mode 100644
index 000000000..50825d401
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems-1.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems-1
+title: 'Monitor potential availability problems: Subscribe to the Azure Service Health
+ dashboard to monitor potential availability problems. Use storage metrics and diagnostic
+ logs in Azure Monitor to investigate alerts.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 58746f78-dba5-4a3a-b4a5-bdbcb9a00a28
+links: []
+queries: {}
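Review bot: The `-1` suffix on `wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems-1` marks a name collision with the blob-storage entry that follows, yet the two differ only in word order and `source.file`, both target `microsoft.storage/storageaccounts`, and each carries its own GUID. That produces two recommendations a consumer cannot tell apart and inflates the checklist for every storage account. The generator should dedupe near-identical titles per resource type, or the merged entry should list both source files; the same pattern repeats for the DataProtectionFeatures, FailureModeAnalysis, LastSynchronizationTime and MaximumDurability pairs in this change.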
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems.yaml
new file mode 100644
index 000000000..139022d52
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureServiceHealthDashboardPotentialAvailabilityProblems
+title: 'Monitor potential availability problems: Subscribe to the Azure Service Health
+ dashboard to monitor potential availability problems. Use storage metrics in Azure
+ Monitor and diagnostic logs to investigate alerts.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 778ba0b4-9f48-4fd5-a788-949f2f2ea331
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-DataProtectionFeaturesPotentialDataLoss-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-DataProtectionFeaturesPotentialDataLoss-1.yaml
new file mode 100644
index 000000000..9e4e845cc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-DataProtectionFeaturesPotentialDataLoss-1.yaml
@@ -0,0 +1,18 @@
+name: wafsg-DataProtectionFeaturesPotentialDataLoss-1
+title: 'Create a recovery plan: Consider data protection features, backup and restore
+ operations, or failover procedures. Prepare for potential data loss and data inconsistencies
+ and the time and cost of failing over. For more information, see Recommendations
+ for designing a disaster recovery strategy.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 02300e9f-94e9-4cbd-b3ca-5c6cf17f2833
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-DataProtectionFeaturesPotentialDataLoss.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-DataProtectionFeaturesPotentialDataLoss.yaml
new file mode 100644
index 000000000..0e0e3b360
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-DataProtectionFeaturesPotentialDataLoss.yaml
@@ -0,0 +1,18 @@
+name: wafsg-DataProtectionFeaturesPotentialDataLoss
+title: 'Create a recovery plan: Consider data protection features, backup and restore
+ operations, or failover procedures. Prepare for potential data loss and data inconsistencies
+ and the time and cost of failing over. For more information, see Recommendations
+ for designing a disaster recovery strategy.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: d93ddbcf-8760-4b99-8fdc-4f31268e76f7
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-FailureModeAnalysisAzureServiceLevelAgreements-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-FailureModeAnalysisAzureServiceLevelAgreements-1.yaml
new file mode 100644
index 000000000..bee1a0f90
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-FailureModeAnalysisAzureServiceLevelAgreements-1.yaml
@@ -0,0 +1,20 @@
+name: wafsg-FailureModeAnalysisAzureServiceLevelAgreements-1
+title: 'Define reliability and recovery targets: Review the Azure service-level agreements
+ (SLAs). Derive the service-level objective (SLO) for the storage account. For example,
+ the redundancy configuration that you chose might affect the SLO. Consider the effect
+ of a regional outage, the potential for data loss, and the time required to restore
+ access after an outage. Also consider the availability of internal dependencies
+ that you identified as part of your failure mode analysis.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 76ae68b8-d5dd-44a0-a0e0-9abec3695316
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-FailureModeAnalysisAzureServiceLevelAgreements.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-FailureModeAnalysisAzureServiceLevelAgreements.yaml
new file mode 100644
index 000000000..51f216a54
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-FailureModeAnalysisAzureServiceLevelAgreements.yaml
@@ -0,0 +1,20 @@
+name: wafsg-FailureModeAnalysisAzureServiceLevelAgreements
+title: 'Define reliability and recovery targets: Review the Azure service-level agreements
+ (SLAs). Derive the service-level objective (SLO) for the storage account. For example,
+ the SLO might be affected by the redundancy configuration that you chose. Consider
+ the effect of a regional outage, the potential for data loss, and the time required
+ to restore access after an outage. Also consider the availability of any internal
+ dependencies that you identified as part of your failure mode analysis.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: ce838d0f-8069-420d-9adb-5c508c091e3f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-GzrsConfigurationOptionsDifferentAvailabilityZones.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-GzrsConfigurationOptionsDifferentAvailabilityZones.yaml
new file mode 100644
index 000000000..83d2848be
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-GzrsConfigurationOptionsDifferentAvailabilityZones.yaml
@@ -0,0 +1,18 @@
+name: wafsg-GzrsConfigurationOptionsDifferentAvailabilityZones
+title: Configure your account for redundancy. For maximum availability and durability,
+ configure your account by using zone-redundant storage (ZRS) or GZRS.
+description: Redundancy protects your data against unexpected failures. The ZRS and
+ GZRS configuration options replicate across different availability zones and enable
+ applications to continue reading data during an outage. For more information, see
+ Durability and availability by outage scenario and Durability and availability parameters.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 0a6a14f8-c014-4339-a444-45013d989209
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LastSynchronizationTimePropertyGzrsConfigurations-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LastSynchronizationTimePropertyGzrsConfigurations-1.yaml
new file mode 100644
index 000000000..41e012f9f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LastSynchronizationTimePropertyGzrsConfigurations-1.yaml
@@ -0,0 +1,20 @@
+name: wafsg-LastSynchronizationTimePropertyGzrsConfigurations-1
+title: Before you initiate a failover or failback, check the value of the last synchronization
+ time property to evaluate the potential for data loss. This recommendation applies
+ only to GRS and GZRS configurations.
+description: This property helps you estimate how much data you might lose if you
+ initiate an account failover. All data and metadata that's written before the last
+ synchronization time is available on the secondary region, but you might lose data
+ and metadata that's written after the last synchronization time because it's not
+ written to the secondary region.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: f436bbde-bfd0-4be2-85a6-c13f0d79cee1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LastSynchronizationTimePropertyGzrsConfigurations.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LastSynchronizationTimePropertyGzrsConfigurations.yaml
new file mode 100644
index 000000000..2d499b702
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LastSynchronizationTimePropertyGzrsConfigurations.yaml
@@ -0,0 +1,20 @@
+name: wafsg-LastSynchronizationTimePropertyGzrsConfigurations
+title: Before initiating a failover or failback, evaluate the potential for data loss
+ by checking the value of the last synchronization time property. This recommendation
+ applies only to GRS and GZRS configurations.
+description: This property helps you estimate how much data you might lose by initiating
+ an account failover. All data and metadata written before the last synchronization
+ time is available on the secondary region, but data and metadata written after the
+ last synchronization time might be lost because it's not written to the secondary
+ region.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: af07c8fb-ba63-41e5-b924-3bc6759ad671
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LimitedAzureRegionsPremiumSmbShares.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LimitedAzureRegionsPremiumSmbShares.yaml
new file mode 100644
index 000000000..4749177c5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-LimitedAzureRegionsPremiumSmbShares.yaml
@@ -0,0 +1,24 @@
+name: wafsg-LimitedAzureRegionsPremiumSmbShares
+title: "Configure your storage account for redundancy. For maximum availability and\
+ \ durability, configure your account with\u202Fzone-redundant storage (ZRS), GRS,\
+ \ or\u202FGZRS. Limited Azure regions support ZRS for standard and premium file\
+ \ shares. Only standard SMB accounts support GRS and GZRS. Premium SMB shares and\
+ \ NFS shares don't support GRS and GZRS. Azure Files doesn't support read-access\
+ \ geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).\
+ \ If you configure a storage account to use RA-GRS or RA-GZRS, the file shares are\
+ \ configured and billed as GRS or GZRS."
+description: Redundancy protects your data against unexpected failures. The ZRS and
+ GZRS configuration options replicate across various availability zones and enable
+ applications to continue reading data during an outage. For more information, see
+ Durability and availability by outage scenario and Durability and availability parameters.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 57930240-9165-4fe1-a7ea-24bc09930158
+links: []
+queries: {}
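Review bot: The title contains narrow no-break spaces (U+202F) leaked from the source page, visible as `with\u202Fzone-redundant storage (ZRS), GRS,\u202F or\u202FGZRS`, which is why the YAML emitter fell back to double-quoted escapes. Those characters defeat plain-text search and any dedupe that compares titles, so whitespace should be normalized at ingest, for example `unicodedata.normalize('NFKC', text)` followed by collapsing runs of spaces, or U+202F replaced with a plain space before writing. This entry also restates the redundancy recommendation already present as `wafsg-GzrsConfigurationOptionsDifferentAvailabilityZones` with a near-identical description, so it is another dedupe candidate.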
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MaximumDurabilityAvailabilityZones-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MaximumDurabilityAvailabilityZones-1.yaml
new file mode 100644
index 000000000..fbc57a6f6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MaximumDurabilityAvailabilityZones-1.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MaximumDurabilityAvailabilityZones-1
+title: 'Configure data redundancy: For maximum durability, choose a configuration
+ that copies data across availability zones or global regions. For maximum availability,
+ choose a configuration that allows clients to read data from the secondary region
+ during an outage of the primary region.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 0363e36d-5971-4e00-8bc6-7e0fd7e00889
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MaximumDurabilityAvailabilityZones.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MaximumDurabilityAvailabilityZones.yaml
new file mode 100644
index 000000000..ec6457454
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MaximumDurabilityAvailabilityZones.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MaximumDurabilityAvailabilityZones
+title: 'Configure data redundancy: For maximum durability, choose a configuration
+ that copies data across availability zones or global regions. For maximum availability,
+ choose a configuration that allows clients to read data from the secondary region
+ during an outage of the primary region.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 8930145f-653c-4630-8090-7ddfb1522a30
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MissingContentDeliveryNetworkAzureContentDeliveryNetwork.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MissingContentDeliveryNetworkAzureContentDeliveryNetwork.yaml
new file mode 100644
index 000000000..b9f54f650
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-MissingContentDeliveryNetworkAzureContentDeliveryNetwork.yaml
@@ -0,0 +1,22 @@
+name: wafsg-MissingContentDeliveryNetworkAzureContentDeliveryNetwork
+title: 'Use failure mode analysis: Minimize points of failure by considering internal
+ dependencies such as the availability of virtual networks, Azure Key Vault, or Azure
+ Content Delivery Network or Azure Front Door endpoints. Failures can occur if you
+ need credentials to access Azure Files, and the credentials go missing from Key
+ Vault. Or you might have a failure if your workloads use an endpoint that''s based
+ on a missing content delivery network. In these cases, you might need to configure
+ your workloads to connect to an alternative endpoint. For general information about
+ failure mode analysis, see Recommendations for performing failure mode analysis.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 49da89d4-35df-4837-884f-ffa0dc248d0b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-PremisesSmbFileSharesFileShareLevel.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-PremisesSmbFileSharesFileShareLevel.yaml
new file mode 100644
index 000000000..337f57b90
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-PremisesSmbFileSharesFileShareLevel.yaml
@@ -0,0 +1,26 @@
+name: wafsg-PremisesSmbFileSharesFileShareLevel
+title: "As a part of your backup and recovery strategy, enable\u202Fsoft delete\u202F\
+ and\u202Fuse snapshots for point-in-time restore. You can use Azure Backup to back\
+ \ up your SMB file shares. You can also use Azure File Sync to back up on-premises\
+ \ SMB file shares to an Azure file share. Azure Backup also allows you to do a\
+ \ vaulted backup (preview) of Azure Files to protect your data from ransomware attacks\
+ \ or source data loss due to a malicious actor or rogue admin. By using vaulted\
+ \ backup, Azure Backup copies and stores data in the Recovery Services vault. This\
+ \ creates an offsite copy of data that you can retain for up to 99 years. Azure\
+ \ Backup creates and manages the recovery points as per the schedule and retention\
+ \ defined in the backup policy. Learn more."
+description: Soft delete works on a file share level to protect Azure file shares
+ against accidental deletion. Point-in-time restore protects against accidental deletion
+ or corruption because you can restore file shares to an earlier state. For more
+ information, see Data protection overview.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 0bcee250-521d-467f-94d6-ddeeb20844af
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-RecoveryTargetsFeatures-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-RecoveryTargetsFeatures-1.yaml
new file mode 100644
index 000000000..f97951f21
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-RecoveryTargetsFeatures-1.yaml
@@ -0,0 +1,16 @@
+name: wafsg-RecoveryTargetsFeatures-1
+title: 'Explore features to help you meet your recovery targets: Make files restorable
+ so that you can recover corrupted, edited, or deleted files.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: a5aa4909-7ee1-421e-a4c6-fa465f9bbdb5
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-RecoveryTargetsFeatures.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-RecoveryTargetsFeatures.yaml
new file mode 100644
index 000000000..045fce7cc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-RecoveryTargetsFeatures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-RecoveryTargetsFeatures
+title: 'Explore features to help you meet your recovery targets: Make blobs restorable
+ so that they can be recovered if they''re corrupted, edited, or deleted by mistake.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: ff928466-de8a-496a-b5ba-aa8c358e3e09
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-SecondaryRegionPrimaryRegion-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-SecondaryRegionPrimaryRegion-1.yaml
new file mode 100644
index 000000000..c9197e4c9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-SecondaryRegionPrimaryRegion-1.yaml
@@ -0,0 +1,19 @@
+name: wafsg-SecondaryRegionPrimaryRegion-1
+title: 'Design applications: Design your applications to seamlessly shift so that
+ they read data from a secondary region if the primary region is unavailable. This
+ design consideration only applies to geo-redundant storage (GRS) and geo-zone-redundant
+ storage (GZRS) configurations. Design your applications to properly handle outages,
+ which reduces downtime for customers.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 6104ed5f-a4ee-4d87-82dd-1f7bafd7c468
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-SecondaryRegionPrimaryRegion.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-SecondaryRegionPrimaryRegion.yaml
new file mode 100644
index 000000000..a5cd9971b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-SecondaryRegionPrimaryRegion.yaml
@@ -0,0 +1,19 @@
+name: wafsg-SecondaryRegionPrimaryRegion
+title: 'Design applications: Design applications to seamlessly shift to reading data
+ from the secondary region if the primary region becomes unavailable for any reason.
+ This only applies to geo-redundant storage (GRS) and geo-zone-redundant storage
+ (GZRS) configurations. Designing applications to handle outages reduces downtime
+ for end users.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: b819c0de-783e-4b18-8232-416710492029
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-TimeRestoreOptionsDataProtectionOverview.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-TimeRestoreOptionsDataProtectionOverview.yaml
new file mode 100644
index 000000000..260c0f326
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Reliability/wafsg-TimeRestoreOptionsDataProtectionOverview.yaml
@@ -0,0 +1,19 @@
+name: wafsg-TimeRestoreOptionsDataProtectionOverview
+title: As a part of your backup and recovery strategy, enable the container soft delete,
+ blob soft delete, versioning, and point-in-time restore options.
+description: The soft delete option enables a storage account to recover deleted containers
+ and blobs. The versioning option automatically tracks changes made to blobs. This
+ option lets you restore a blob to a previous state.The point-in-time restore option
+ protects against accidental blob deletion or corruption and lets you restore block
+ blob data to an earlier state. For more information, see Data protection overview.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 349d483b-5d14-4335-954a-4f8cbecfd7df
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ASasExpirationPolicySasExpirationPolicies.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ASasExpirationPolicySasExpirationPolicies.yaml
new file mode 100644
index 000000000..84e94979b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ASasExpirationPolicySasExpirationPolicies.yaml
@@ -0,0 +1,19 @@
+name: revcl-ASasExpirationPolicySasExpirationPolicies
+title: Consider configuring an SAS expiration policy
+description: A SAS expiration policy specifies a recommended interval over which the
+ SAS is valid. SAS expiration policies apply to a service SAS or an account SAS.
+ When a user generates service SAS or an account SAS with a validity interval that
+ is larger than the recommended interval, they'll see a warning.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 352beee0-79b5-488d-bfc4-972cd3cd21bf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/sas-expiration-policy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AccidentalDeleteOperationSoftDelete.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AccidentalDeleteOperationSoftDelete.yaml
new file mode 100644
index 000000000..9a2139e33
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AccidentalDeleteOperationSoftDelete.yaml
@@ -0,0 +1,17 @@
+name: revcl-AccidentalDeleteOperationSoftDelete
+title: Enable 'soft delete' for containers
+description: Soft delete for containers enables you to recover a container after it
+ has been deleted, for example recover from an accidental delete operation.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 43a58a9c-2289-4c3d-9b57-d0c655462f2a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AdHocSasServiceSasNearTermExpirationTimes.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AdHocSasServiceSasNearTermExpirationTimes.yaml
new file mode 100644
index 000000000..881407699
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AdHocSasServiceSasNearTermExpirationTimes.yaml
@@ -0,0 +1,20 @@
+name: revcl-AdHocSasServiceSasNearTermExpirationTimes
+title: Strive for short validity periods for ad-hoc SAS
+description: Use near-term expiration times on an ad hoc SAS service SAS or account
+ SAS. In this way, even if a SAS is compromised, it's valid only for a short time.
+ This practice is especially important if you cannot reference a stored access policy.
+ Near-term expiration times also limit the amount of data that can be written to
+ a blob by limiting the time available to upload to it.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 27138b82-1102-4cac-9eae-01e6e842e52f
+links:
+- type: docs
+ url: https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AzureActiveDirectoryAzureAdTokens.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AzureActiveDirectoryAzureAdTokens.yaml
new file mode 100644
index 000000000..5eb7967be
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AzureActiveDirectoryAzureAdTokens.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureActiveDirectoryAzureAdTokens
+title: Use Azure Active Directory (Azure AD) tokens for blob access
+description: AAD tokens should be favored over shared access signatures, wherever
+ possible
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/authorize-data-access
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AzureActiveDirectoryUserDelegationSas.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AzureActiveDirectoryUserDelegationSas.yaml
new file mode 100644
index 000000000..da0405ae1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-AzureActiveDirectoryUserDelegationSas.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureActiveDirectoryUserDelegationSas
+title: When using SAS, prefer 'user delegation SAS' over storage-account-key based
+ SAS.
+description: 'A user delegation SAS is secured with Azure Active Directory (Azure
+ AD) credentials and also by the permissions specified for the SAS. A user delegation
+ SAS is analogous to a service SAS in terms of its scope and function, but offers
+ security benefits over the service SAS. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 55461e1a-3e34-453a-9c86-39648b652d6c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ClassicDeploymentModelArmDeploymentModel.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ClassicDeploymentModelArmDeploymentModel.yaml
new file mode 100644
index 000000000..df0be32bf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ClassicDeploymentModelArmDeploymentModel.yaml
@@ -0,0 +1,18 @@
+name: revcl-ClassicDeploymentModelArmDeploymentModel
+title: Ensure older storage accounts are not using 'classic deployment model'
+description: Newly created storage accounts are created using the ARM deployment model,
+ so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage
+ accounts with classic deployment model in a subscription
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 30e37c3e-2971-41b2-963c-eee079b598de
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ClientSideEncryption.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ClientSideEncryption.yaml
new file mode 100644
index 000000000..4a95392df
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ClientSideEncryption.yaml
@@ -0,0 +1,15 @@
+name: revcl-ClientSideEncryption
+title: Determine which/if client-side encryption should be used.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: e842e52f-4721-4d92-ac1b-1cd521e54a29
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys
+queries: {}
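Review bot: The `description` key is omitted entirely here, while the `wafsg` records in the earlier hunks emit `description: ''` when they have no text, so a reader of these files has to handle both a missing key and an empty string for the same meaning. Picking one convention for the generator, e.g. always writing `description: ''`, keeps the schema uniform; the same omission appears in `revcl-ContainerSoftDeleteStorageAccount.yaml`, `revcl-PlatformEncryption.yaml`, `revcl-SecureTransferStorageAccounts.yaml` and `revcl-SftpEndpointAcls.yaml` below.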
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ContainerSoftDeleteStorageAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ContainerSoftDeleteStorageAccount.yaml
new file mode 100644
index 000000000..2d8ca4469
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ContainerSoftDeleteStorageAccount.yaml
@@ -0,0 +1,16 @@
+name: revcl-ContainerSoftDeleteStorageAccount
+title: Enable container soft delete for the storage account to recover a deleted container
+ and its contents.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 159aac9f-863f-4f48-82cf-00c28fa97a0e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ControlPlaneOperationsActivityLogData.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ControlPlaneOperationsActivityLogData.yaml
new file mode 100644
index 000000000..7388f3470
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ControlPlaneOperationsActivityLogData.yaml
@@ -0,0 +1,19 @@
+name: revcl-ControlPlaneOperationsActivityLogData
+title: Consider using Azure Monitor to audit control plane operations on the storage
+ account
+description: Use Activity Log data to identify 'when', 'who', 'what' and 'how' the
+ security of your storage account is being viewed or changed (i.e. storage account
+ keys, access policies, etc.).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: d7999a64-6f43-489a-af42-c78e78c06a73
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-CrossOriginResourceSharingBroadCorsPolicies.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-CrossOriginResourceSharingBroadCorsPolicies.yaml
new file mode 100644
index 000000000..95ba5d94a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-CrossOriginResourceSharingBroadCorsPolicies.yaml
@@ -0,0 +1,18 @@
+name: revcl-CrossOriginResourceSharingBroadCorsPolicies
+title: Avoid overly broad CORS policies
+description: Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature
+ that enables web apps from a different domain to loosen the same-origin policy.
+ When enabling CORS, keep the CorsRules to the least privilege.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: cef39812-bd46-43cb-aac8-ac199ebb91a3
+links:
+- type: docs
+ url: https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-CustomDomainsStorageAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-CustomDomainsStorageAccount.yaml
new file mode 100644
index 000000000..56a8332a5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-CustomDomainsStorageAccount.yaml
@@ -0,0 +1,19 @@
+name: revcl-CustomDomainsStorageAccount
+title: When enforcing HTTPS (disabling HTTP), check that you do not use custom domains
+ (CNAME) for the storage account.
+description: When configuring a custom domain (hostname) on a storage account, check
+ whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your
+ storage account.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 79b588de-fc49-472c-b3cd-21bf77036e5e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-KeyExpirationPolicyStorageAccountKeys.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-KeyExpirationPolicyStorageAccountKeys.yaml
new file mode 100644
index 000000000..0c71fc7b1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-KeyExpirationPolicyStorageAccountKeys.yaml
@@ -0,0 +1,18 @@
+name: revcl-KeyExpirationPolicyStorageAccountKeys
+title: When using storage account keys, consider enabling a 'key expiration policy'
+description: A key expiration policy enables you to set a reminder for the rotation
+ of the account access keys. The reminder is displayed if the specified interval
+ has elapsed and the keys have not yet been rotated.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: a22a4956-e7a8-4dc4-a20e-27c3e29711b1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeastPrivilegeSecurityPrincipal.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeastPrivilegeSecurityPrincipal.yaml
new file mode 100644
index 000000000..786b883ad
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeastPrivilegeSecurityPrincipal.yaml
@@ -0,0 +1,17 @@
+name: revcl-LeastPrivilegeSecurityPrincipal
+title: Least privilege in IaM permissions
+description: When assigning a role to a user, group, or application, grant that security
+ principal only those permissions that are necessary for them to perform their tasks.
+ Limiting access to resources helps prevent both unintentional and malicious misuse
+ of your data.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: a4b1410d-4395-48a8-a228-9b3d6b57cfc6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeverageMicrosoftDefenderStorageAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeverageMicrosoftDefenderStorageAccounts.yaml
new file mode 100644
index 000000000..ec5dac2d9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeverageMicrosoftDefenderStorageAccounts.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageMicrosoftDefenderStorageAccounts
+title: Enable Microsoft Defender for all of your storage accounts
+description: Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeverageResourceGraphExplorerPublicBlobAccess.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeverageResourceGraphExplorerPublicBlobAccess.yaml
new file mode 100644
index 000000000..069dc9e8e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LeverageResourceGraphExplorerPublicBlobAccess.yaml
@@ -0,0 +1,19 @@
+name: revcl-LeverageResourceGraphExplorerPublicBlobAccess
+title: 'Consider whether public blob access is needed, or whether it can be disabled
+ for certain storage accounts. '
+description: Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts'
+ | where properties['allowBlobPublicAccess'] == true) to find storage accounts which
+ allow anonymous blob access.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 659ae558-b937-4d49-a5e1-112dbd7ba012
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account
+queries: {}
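Review bot: The Resource Graph query that identifies accounts with `allowBlobPublicAccess == true` is embedded in the prose `description` while `queries: {}` is left empty, so tooling that executes the `queries` map cannot pick it up and the text has to be copied by hand. If the `queries` map is intended for this kind of check (its expected key and value format is not visible here), moving the query there would make this recommendation machine-checkable; otherwise a short comment noting that the query is informational only would help the next maintainer.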
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LittleAuditCapabilitiesUserDelegationSas.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LittleAuditCapabilitiesUserDelegationSas.yaml
new file mode 100644
index 000000000..38f70d18a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-LittleAuditCapabilitiesUserDelegationSas.yaml
@@ -0,0 +1,21 @@
+name: revcl-LittleAuditCapabilitiesUserDelegationSas
+title: Consider disabling storage account keys, so that only AAD access (and user
+ delegation SAS) is supported.
+description: 'Storage account keys (''shared keys'') have very little audit capabilities.
+ While it can be monitored on who/when fetched a copy of the keys, once the keys
+ are in the hands of multiple people, it is impossible to attribute usage to a specific
+ user. Solely relying on AAD authentication makes it easier to tie storage access
+ to a user. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 15f51296-5398-4e6d-bd22-7dd142b06c21
+links:
+- type: docs
+ url: https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-MicrosoftCloudSecurityBenchmarkAzureSecurityBaseline.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-MicrosoftCloudSecurityBenchmarkAzureSecurityBaseline.yaml
new file mode 100644
index 000000000..f2c3f3dac
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-MicrosoftCloudSecurityBenchmarkAzureSecurityBaseline.yaml
@@ -0,0 +1,17 @@
+name: revcl-MicrosoftCloudSecurityBenchmarkAzureSecurityBaseline
+title: Consider the 'Azure security baseline for storage'
+description: Apply guidance from the Microsoft cloud security benchmark related to
+ Storage
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: d237de14-3b16-4c21-b7aa-9b64604489a8
+links:
+- type: docs
+ url: https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-NarrowScopeSingleResource.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-NarrowScopeSingleResource.yaml
new file mode 100644
index 000000000..dfcd4fbb5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-NarrowScopeSingleResource.yaml
@@ -0,0 +1,17 @@
+name: revcl-NarrowScopeSingleResource
+title: Apply a narrow scope to a SAS
+description: When creating a SAS, be as specific and restrictive as possible. Prefer
+ a SAS for a single resource and operation over a SAS which gives much broader access.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 4721d928-c1b1-4cd5-81e5-4a29a9de399c
+links:
+- type: docs
+ url: https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PlatformEncryption.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PlatformEncryption.yaml
new file mode 100644
index 000000000..380df6a1c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PlatformEncryption.yaml
@@ -0,0 +1,15 @@
+name: revcl-PlatformEncryption
+title: Determine which/if platform encryption should be used.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 8dd457e9-2713-48b8-8110-2cac6eae01e6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PricingModelLargeContents.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PricingModelLargeContents.yaml
new file mode 100644
index 000000000..b993ddab2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PricingModelLargeContents.yaml
@@ -0,0 +1,16 @@
+name: revcl-PricingModelLargeContents
+title: 'Consider checking uploaded data, after clients used a SAS to upload a file. '
+description: A SAS cannot constrain how much data a client uploads; given the pricing
+ model of amount of storage over time, it might make sense to validate whether clients
+ uploaded maliciously large contents.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 2
+labels:
+ guid: 348b263e-6dd6-4051-8a36-498f6dbad38e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PublicIpAddressAzureComputeResources.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PublicIpAddressAzureComputeResources.yaml
new file mode 100644
index 000000000..9b80d30df
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-PublicIpAddressAzureComputeResources.yaml
@@ -0,0 +1,18 @@
+name: revcl-PublicIpAddressAzureComputeResources
+title: Consider using private endpoints for Azure Storage
+description: Azure Storage by default has a public IP address and is Internet-reachable.
+ Private endpoints allow to securely expose Azure Storage only to those Azure Compute
+ resources that need access, thus eliminating exposure to the public Internet
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-private-endpoints
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ResourceLocksStorageAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ResourceLocksStorageAccounts.yaml
new file mode 100644
index 000000000..fd0f04016
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ResourceLocksStorageAccounts.yaml
@@ -0,0 +1,17 @@
+name: revcl-ResourceLocksStorageAccounts
+title: Enable resource locks on storage accounts
+description: Prevents accidental deletion of a storage account, by forcing the user
+ to first remove the deletion lock, prior to deletion
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 5398e6de-d227-4dd1-92b0-6c21d7999a64
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/lock-account-resource
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SecureTransferStorageAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SecureTransferStorageAccounts.yaml
new file mode 100644
index 000000000..8747c6c5a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SecureTransferStorageAccounts.yaml
@@ -0,0 +1,15 @@
+name: revcl-SecureTransferStorageAccounts
+title: Secure transfer to storage accounts should be enabled
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: b03ed428-4617-4067-a787-85468b9ccf3f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SftpEndpointAcls.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SftpEndpointAcls.yaml
new file mode 100644
index 000000000..361f5165e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SftpEndpointAcls.yaml
@@ -0,0 +1,15 @@
+name: revcl-SftpEndpointAcls
+title: 'SFTP: The SFTP endpoint does not support POSIX-like ACLs.'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 9f89dc7b-33be-42a1-a27f-7b9e91be1f38
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SharedAccessSignatureSasTokens.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SharedAccessSignatureSasTokens.yaml
new file mode 100644
index 000000000..d5362cd37
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SharedAccessSignatureSasTokens.yaml
@@ -0,0 +1,17 @@
+name: revcl-SharedAccessSignatureSasTokens
+title: Limit shared access signature (SAS) tokens to HTTPS connections only
+description: Requiring HTTPS when a client uses a SAS token to access blob data helps
+ to minimize the risk of credential loss.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 6b4bed3d-5035-447c-8347-dc56028a71ff
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-sas-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteBlobContainers.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteBlobContainers.yaml
new file mode 100644
index 000000000..ea8f91b4e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteBlobContainers.yaml
@@ -0,0 +1,18 @@
+name: revcl-SoftDeleteBlobContainers
+title: Disable 'soft delete' for blobs
+description: 'Consider selectively disabling ''soft delete'' for certain blob containers,
+ for example if the application must ensure that deleted information is immediately
+ deleted, e.g. for confidentiality, privacy or compliance reasons. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 3f1d5e87-2e52-4e36-81cc-58b4a4b1510e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteComplianceReasons.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteComplianceReasons.yaml
new file mode 100644
index 000000000..e16e13a19
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteComplianceReasons.yaml
@@ -0,0 +1,18 @@
+name: revcl-SoftDeleteComplianceReasons
+title: Disable 'soft delete' for containers
+description: 'Consider selectively disabling ''soft delete'' for certain blob containers,
+ for example if the application must ensure that deleted information is immediately
+ deleted, e.g. for confidentiality, privacy or compliance reasons. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 3e3453a3-c863-4964-ab65-2d6c15f51296
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteSoftDeleteMechanism.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteSoftDeleteMechanism.yaml
new file mode 100644
index 000000000..0565ff941
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SoftDeleteSoftDeleteMechanism.yaml
@@ -0,0 +1,16 @@
+name: revcl-SoftDeleteSoftDeleteMechanism
+title: Enable 'soft delete' for blobs
+description: The soft-delete mechanism allows to recover accidentally deleted blobs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 503547c1-447e-4c66-828a-7100f1ce16dd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SourceCodeRepositoryStorageAccountKeys.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SourceCodeRepositoryStorageAccountKeys.yaml
new file mode 100644
index 000000000..458b97a1d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SourceCodeRepositoryStorageAccountKeys.yaml
@@ -0,0 +1,16 @@
+name: revcl-SourceCodeRepositoryStorageAccountKeys
+title: Consider configuring your application's source code repository to detect checked-in
+ connection strings and storage account keys.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 028a71ff-e1ce-415d-b3f0-d5e772d41e36
+links:
+- type: docs
+ url: https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SpecificClientIpAddressClientIpAddresses.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SpecificClientIpAddressClientIpAddresses.yaml
new file mode 100644
index 000000000..6374b5bd2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-SpecificClientIpAddressClientIpAddresses.yaml
@@ -0,0 +1,17 @@
+name: revcl-SpecificClientIpAddressClientIpAddresses
+title: Consider scoping SAS to a specific client IP address, wherever possible
+description: 'A SAS can include parameters on which client IP addresses or address
+ ranges are authorized to request a resource using the SAS. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: fd7b28dc-9355-4562-82bf-e4564b0d834a
+links:
+- type: docs
+ url: https://learn.microsoft.com/rest/api/storageservices/create-account-sas
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-StorageAccountKeyAzureStorage.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-StorageAccountKeyAzureStorage.yaml
new file mode 100644
index 000000000..b39e1ba57
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-StorageAccountKeyAzureStorage.yaml
@@ -0,0 +1,20 @@
+name: revcl-StorageAccountKeyAzureStorage
+title: Consider storing connection strings in Azure KeyVault (in scenarios where managed
+ identities are not possible)
+description: Ideally, your application should be using a managed identity to authenticate
+ to Azure Storage. If that is not possible, consider having the storage credential
+ (connection string, storage account key, SAS, service principal credential) in Azure
+ KeyVault or an equivalent service.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 11cc57b4-a4b1-4410-b439-58a8c2289b3d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-StorageAccountKeysStoredAccessPolicies.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-StorageAccountKeysStoredAccessPolicies.yaml
new file mode 100644
index 000000000..157c8c41c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-StorageAccountKeysStoredAccessPolicies.yaml
@@ -0,0 +1,17 @@
+name: revcl-StorageAccountKeysStoredAccessPolicies
+title: Consider linking SAS to a stored access policy
+description: 'Stored access policies give you the option to revoke permissions for
+ a service SAS without having to regenerate the storage account keys. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 77036e5e-6b4b-4ed3-b503-547c1347dc56
+links:
+- type: docs
+ url: https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ThreadModelPlatformManagedKey.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ThreadModelPlatformManagedKey.yaml
new file mode 100644
index 000000000..0c6e7dc53
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-ThreadModelPlatformManagedKey.yaml
@@ -0,0 +1,22 @@
+name: revcl-ThreadModelPlatformManagedKey
+title: Determine how data at rest should be encrypted. Understand the thread model
+ for data.
+description: Data at rest is always encrypted server-side, and in addition might be
+ encrypted client-side as well. Server-side encryption might happen using a platform-managed
+ key (default) or customer-managed key. Client-side encryption might happen by either
+ having the client supply an encryption/decryption key on a per-blob basis to Azure
+ storage, or by completely handling encryption on the client-side. thus not relying
+ on Azure Storage at all for confidentiality guarantees.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 3d90cae2-cc88-4137-86f7-c0cbafe61464
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-service-encryption
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-TimeBasedRetentionPoliciesLegalHold.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-TimeBasedRetentionPoliciesLegalHold.yaml
new file mode 100644
index 000000000..e67473435
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-TimeBasedRetentionPoliciesLegalHold.yaml
@@ -0,0 +1,20 @@
+name: revcl-TimeBasedRetentionPoliciesLegalHold
+title: Consider immutable blobs
+description: Consider 'legal hold' or 'time-based retention' policies for blobs, so
+ that is is impossible to delete the blob, the container, or the storage account.
+ Please note that 'impossible' actually means 'impossible'; once a storage account
+ contains an immutable blob, the only way to 'get rid' of that storage account is
+ by cancelling the Azure subscription.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: 6f4389a8-f42c-478e-98c0-6a73a22a4956
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-UnprotectedHttpAccessStorageAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-UnprotectedHttpAccessStorageAccount.yaml
new file mode 100644
index 000000000..3be488469
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-UnprotectedHttpAccessStorageAccount.yaml
@@ -0,0 +1,18 @@
+name: revcl-UnprotectedHttpAccessStorageAccount
+title: Require HTTPS, i.e. disable port 80 on the storage account
+description: 'Consider disabling unprotected HTTP/80 access to the storage account,
+ so that all data transfers are encrypted, integrity protected, and the server is
+ authenticated. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: e7a8dc4a-20e2-47c3-b297-11b1352beee0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-UsualRbacControlsLocalUserAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-UsualRbacControlsLocalUserAccount.yaml
new file mode 100644
index 000000000..65c4d6ad3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/revcl-UsualRbacControlsLocalUserAccount.yaml
@@ -0,0 +1,20 @@
+name: revcl-UsualRbacControlsLocalUserAccount
+title: 'SFTP: Limit the amount of ''local users'' for SFTP access, and audit whether
+ access is needed over time.'
+description: When accessing blob storage via SFTP using a 'local user account', the
+ 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive
+ than SFTP access. Unfortunately, as of early 2023, local users are the only form
+ of identity management that is currently supported for the SFTP endpoint
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 0
+labels:
+ guid: ad53cc7c-e1d7-4aaa-a357-1449ab8053d8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccessControlListsSecurityRequirements.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccessControlListsSecurityRequirements.yaml
new file mode 100644
index 000000000..e1c08af9c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccessControlListsSecurityRequirements.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AccessControlListsSecurityRequirements
+title: 'Understand your organization''s security requirements: NFS Azure file shares
+ only support Linux clients that use the NFSv4.1 protocol, with support for most
+ features from the 4.1 protocol specification. Some security features, such as Kerberos
+ authentication, access control lists (ACLs), and encryption in transit, aren''t
+ supported.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: a07d96be-b231-444c-8b2e-3123950de82f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccessSignatureTokensSensitiveInformation.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccessSignatureTokensSensitiveInformation.yaml
new file mode 100644
index 000000000..764f45e33
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccessSignatureTokensSensitiveInformation.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AccessSignatureTokensSensitiveInformation
+title: 'Protect sensitive information: Protect sensitive information such as account
+ keys and shared access signature tokens. While these forms of authorization are
+ generally not recommended, you should make sure to rotate, expire, and store them
+ securely.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 48fe0f97-d78a-4907-b588-0b6d53172ff2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccountKeyKeyVault.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccountKeyKeyVault.yaml
new file mode 100644
index 000000000..465f1c509
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccountKeyKeyVault.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AccountKeyKeyVault
+title: We recommend that you don't use an account key. If you must use account keys,
+ then store them in Key Vault, and make sure that you regenerate them periodically.
+description: Key Vault lets you retrieve keys at runtime, instead of saving them by
+ using your application. Key Vault also makes it easy to rotate your keys without
+ interruption to your applications. Rotating the account keys periodically reduces
+ the risk of exposing your data to malicious attacks.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: fa8fe7b9-8118-4913-adbe-be4420b62cfd
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccountNetworkControlsStorageAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccountNetworkControlsStorageAccount.yaml
new file mode 100644
index 000000000..ee378660c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AccountNetworkControlsStorageAccount.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AccountNetworkControlsStorageAccount
+title: 'Use network controls to restrict ingress and egress traffic: Disable all public
+ traffic to the storage account. Use account network controls to grant the minimal
+ level of access required by users and applications. For more information, see How
+ to approach network security for your storage account.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 345a1c5e-8ca7-41e1-9acc-702b9684df71
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AesKerberosTicketEncryptionSmbAzureFileShares.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AesKerberosTicketEncryptionSmbAzureFileShares.yaml
new file mode 100644
index 000000000..a436625cc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AesKerberosTicketEncryptionSmbAzureFileShares.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AesKerberosTicketEncryptionSmbAzureFileShares
+title: When possible, use identity-based authentication with AES-256 Kerberos ticket
+ encryption to authorize access to SMB Azure file shares.
+description: Use identity-based authentication to decrease the possibility of an attacker
+ using a storage account key to access file shares.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: b8abb5ae-bde5-40bc-b8d4-8518c9dd23c2
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AnonymousReadAccessAnonymousAccessSetting.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AnonymousReadAccessAnonymousAccessSetting.yaml
new file mode 100644
index 000000000..c9ec8b153
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AnonymousReadAccessAnonymousAccessSetting.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AnonymousReadAccessAnonymousAccessSetting
+title: Disable anonymous read access to containers and blob.
+description: When anonymous access is allowed for a storage account, a user that has
+ the appropriate permissions can modify a container's anonymous access setting to
+ enable anonymous access to the data in that container.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: a2c5082f-3260-46ef-a44f-cab9c74fd16f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureExpressrouteConnectionTcpPort.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureExpressrouteConnectionTcpPort.yaml
new file mode 100644
index 000000000..e9c3e2baf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureExpressrouteConnectionTcpPort.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureExpressrouteConnectionTcpPort
+title: Open TCP port 445 outbound or set up a VPN gateway or Azure ExpressRoute connection
+ for clients outside of Azure to access the file share.
+description: SMB 3.x is an internet-safe protocol, but you might not have the ability
+ to change organizational or ISP policies. You can use a VPN gateway or an ExpressRoute
+ connection as an alternative option.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: bfd07ef0-3cde-4965-bb68-0e382d5704c3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureFileSharesTransactionHeavyFileShares.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureFileSharesTransactionHeavyFileShares.yaml
new file mode 100644
index 000000000..cca329d8d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureFileSharesTransactionHeavyFileShares.yaml
@@ -0,0 +1,21 @@
+name: wafsg-AzureFileSharesTransactionHeavyFileShares
+title: 'Detect threats: Enable Microsoft Defender for Storage to detect potentially
+ harmful attempts to access or exploit your Azure file shares over SMB or FileREST
+ protocols. Subscription administrators get email alerts with details of suspicious
+ activity and recommendations about how to investigate and remediate threats. Defender
+ for Storage doesn''t support antivirus capabilities for Azure file shares. If you
+ use Defender for Storage, transaction-heavy file shares incur significant costs,
+ so consider opting out of Defender for Storage for specific storage accounts.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 776e5617-ee35-4172-b15b-848e3d5c7c7b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureFilesInsecureProtocol.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureFilesInsecureProtocol.yaml
new file mode 100644
index 000000000..517b4625b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureFilesInsecureProtocol.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureFilesInsecureProtocol
+title: If you open port 445, be sure to disable SMBv1 on Windows and Linux clients.
+ Azure Files doesn't support SMB 1, but you should still disable it on your clients.
+description: SMB 1 is an outdated, inefficient, and insecure protocol. Disable it
+ on clients to improve your security posture.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: ff7ac920-b3a0-4fbd-8434-69b5f5d52d89
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureResourceManagerLockDataLoss.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureResourceManagerLockDataLoss.yaml
new file mode 100644
index 000000000..b6b9b68ba
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureResourceManagerLockDataLoss.yaml
@@ -0,0 +1,14 @@
+name: wafsg-AzureResourceManagerLockDataLoss
+title: Apply an Azure Resource Manager lock on the storage account.
+description: Locking an account prevents it from being deleted and causing data loss.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 3195423b-0513-45e2-951b-87f9c5d534b0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureResourceManagerLockMaliciousDeletion.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureResourceManagerLockMaliciousDeletion.yaml
new file mode 100644
index 000000000..c9da81122
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureResourceManagerLockMaliciousDeletion.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureResourceManagerLockMaliciousDeletion
+title: Apply an Azure Resource Manager lock on the storage account.
+description: Lock the account to prevent accidental or malicious deletion of the storage
+ account, which can cause data loss.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 5efa7ffa-1cc0-4a74-bd15-c809185ccb58
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureRoleBasedAccessControlMicrosoftEntraId.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureRoleBasedAccessControlMicrosoftEntraId.yaml
new file mode 100644
index 000000000..83a341a31
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureRoleBasedAccessControlMicrosoftEntraId.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureRoleBasedAccessControlMicrosoftEntraId
+title: Authorize access by using Azure role-based access control (RBAC).
+description: With RBAC, there are no passwords or keys that can be compromised. The
+ security principal (user, group, managed identity, or service principal) is authenticated
+ by Microsoft Entra ID to return an OAuth 2.0 token. The token is used to authorize
+ a request against the Blob Storage service.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 02be562a-9a28-4e56-94a3-a3671dd382fc
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureStorageEncryptionStorageAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureStorageEncryptionStorageAccount.yaml
new file mode 100644
index 000000000..9e40e66ad
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-AzureStorageEncryptionStorageAccount.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureStorageEncryptionStorageAccount
+title: Consider using your own encryption key to protect the data in your storage
+ account. For more information, see Customer-managed keys for Azure Storage encryption.
+description: Customer-managed keys provide greater flexibility and control. For example,
+ you can store encryption keys in Key Vault and automatically rotate them.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: fd88f923-7d9f-4071-9152-15ee808cc9ed
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MicrosoftDefenderSubscriptionAdministrators.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MicrosoftDefenderSubscriptionAdministrators.yaml
new file mode 100644
index 000000000..c305b09ec
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MicrosoftDefenderSubscriptionAdministrators.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MicrosoftDefenderSubscriptionAdministrators
+title: 'Detect threats: Enable Microsoft Defender for Storage to detect threats. Security
+ alerts are triggered when anomalies in activity occur. The alerts notify subscription
+ administrators via email with details of suspicious activity and recommendations
+ on how to investigate and remediate threats.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: d0d49387-46dd-4aad-b467-19ecd0142c05
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MicrosoftEntraIdSuperiorSecurity.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MicrosoftEntraIdSuperiorSecurity.yaml
new file mode 100644
index 000000000..0a7d77eb8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MicrosoftEntraIdSuperiorSecurity.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MicrosoftEntraIdSuperiorSecurity
+title: 'Authorize access without using passwords or keys: Microsoft Entra ID provides
+ superior security and ease of use compared to shared keys and shared access signatures.
+ Grant security principals only those permissions that are necessary for them to
+ do their tasks.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 0936d029-8a6b-4eae-a739-863462bbecf4
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MinimumRequiredLevelNetworkControls.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MinimumRequiredLevelNetworkControls.yaml
new file mode 100644
index 000000000..f187daf44
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-MinimumRequiredLevelNetworkControls.yaml
@@ -0,0 +1,20 @@
+name: wafsg-MinimumRequiredLevelNetworkControls
+title: 'Consider using network controls to restrict ingress and egress traffic: You
+ might be comfortable exposing your storage account to the public internet under
+ certain conditions, like if you use identity-based authentication to grant access
+ to file shares. But we recommend that you use network controls to grant the minimum
+ required level of access to users and applications. For more information, see How
+ to approach network security for your storage account.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: e450fd68-ca8c-4380-96f4-812a146c50a3
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ModernCryptographicAlgorithmsStorageAccount-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ModernCryptographicAlgorithmsStorageAccount-1.yaml
new file mode 100644
index 000000000..c24a1dff5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ModernCryptographicAlgorithmsStorageAccount-1.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ModernCryptographicAlgorithmsStorageAccount-1
+title: Configure your storage account so that TLS 1.2 is the minimum version for clients
+ to send and receive data.
+description: TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support
+ modern cryptographic algorithms and cipher suites.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: e780c530-cf9a-42d2-8ccc-b32e44ab73cd
+links: []
+queries: {}
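Review bot: The `source` block in this file has no `timestamp` key, while the sibling recos extracted from the service-guide markdown (for example `wafsg-MicrosoftEntraIdSuperiorSecurity.yaml`) carry `timestamp: July 24, 2024`, so a consumer reading `source.timestamp` to judge staleness sees two schemas for the same `type: wafsg`; the same gap applies to every file here whose `source.file` is `./checklists-ext/wafsg_checklist.en.json`. This file also restates the next section, `wafsg-ModernCryptographicAlgorithmsStorageAccount.yaml`, in substance under a different guid, as do the three `wafsg-SecurityBaseline*` sections, so the same control will be counted twice in any coverage or compliance report. If the JSON checklist and the markdown guides are both kept as inputs, deduplicating on the normalized title before a guid is assigned, or recording both sources under one reco, would avoid the double count; either way the generator should emit `timestamp` for both sources or for neither.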
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ModernCryptographicAlgorithmsStorageAccount.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ModernCryptographicAlgorithmsStorageAccount.yaml
new file mode 100644
index 000000000..5041f07de
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ModernCryptographicAlgorithmsStorageAccount.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ModernCryptographicAlgorithmsStorageAccount
+title: Configure your storage account so clients can send and receive data by using
+ the minimum version of TLS 1.2.
+description: TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support
+ modern cryptographic algorithms and cipher suites.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 42a36eba-778e-437d-9750-4002823c8835
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NfsAzureFileSharePort.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NfsAzureFileSharePort.yaml
new file mode 100644
index 000000000..40987ef2c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NfsAzureFileSharePort.yaml
@@ -0,0 +1,15 @@
+name: wafsg-NfsAzureFileSharePort
+title: You must open port 2049 on the clients that you want to mount your NFS share
+ to.
+description: Open port 2049 to let clients communicate with the NFS Azure file share.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 45ae6fe2-da4c-4e41-9d2c-d9237a619ec6
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NfsAzureFileSharesNetworkLevelSecurity.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NfsAzureFileSharesNetworkLevelSecurity.yaml
new file mode 100644
index 000000000..c6c2ed0a9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NfsAzureFileSharesNetworkLevelSecurity.yaml
@@ -0,0 +1,19 @@
+name: wafsg-NfsAzureFileSharesNetworkLevelSecurity
+title: 'Use network-level security and controls to restrict ingress and egress traffic:
+ Identity-based authentication isn''t available for NFS Azure file shares, so you
+ must use network-level security and controls to grant the minimum required level
+ of access to users and applications. For more information, see How to approach network
+ security for your storage account.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: b3a2f115-8ee1-401e-a939-f4406b43b460
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NonSecureHttpConnectionsTransportLayerSecurity.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NonSecureHttpConnectionsTransportLayerSecurity.yaml
new file mode 100644
index 000000000..17d2379f1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-NonSecureHttpConnectionsTransportLayerSecurity.yaml
@@ -0,0 +1,18 @@
+name: wafsg-NonSecureHttpConnectionsTransportLayerSecurity
+title: 'Reduce the attack surface: Preventing anonymous access, account key access,
+ or access over non-secure (HTTP) connections can reduce the attack surface. Require
+ clients to send and receive data by using the latest version of the Transport Layer
+ Security (TLS) protocol.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: ceb9eb53-c2e4-4f28-b6e0-d42414ab3439
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-OtherBusinessPurposesCriticalObjects.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-OtherBusinessPurposesCriticalObjects.yaml
new file mode 100644
index 000000000..d49e0d504
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-OtherBusinessPurposesCriticalObjects.yaml
@@ -0,0 +1,18 @@
+name: wafsg-OtherBusinessPurposesCriticalObjects
+title: 'Protect critical objects: Apply immutability policies to protect critical
+ objects. Policies protect blobs that are stored for legal, compliance, or other
+ business purposes from being modified or deleted. Configure holds for set time periods
+ or until restrictions are lifted by an administrator.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 96a5a2e1-d8de-4297-b395-168cbd02467b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-RequireSecureTransferSettingStandardDataProcessingRates.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-RequireSecureTransferSettingStandardDataProcessingRates.yaml
new file mode 100644
index 000000000..81f7b56c6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-RequireSecureTransferSettingStandardDataProcessingRates.yaml
@@ -0,0 +1,23 @@
+name: wafsg-RequireSecureTransferSettingStandardDataProcessingRates
+title: NFS Azure file shares are only accessible through restricted networks. So you
+ must create a private endpoint for your storage account or restrict public endpoint
+ access to selected virtual networks and IP addresses. We recommend that you create
+ a private endpoint. You must configure network-level security for NFS shares because
+ Azure Files doesn't support encryption in transit with the NFS protocol. You need
+ to disable the Require secure transfer setting on the storage account to use NFS
+ Azure file shares. Standard data processing rates apply for private endpoints. If
+ you don't require a static IP address for your file share and want to avoid the
+ cost of private endpoints, you can restrict public endpoint access instead.
+description: Network traffic travels over the Microsoft backbone network instead of
+ the public internet, which eliminates risk exposure from the public internet.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 8959f137-e162-4b86-a14f-6e96c9fd5494
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ResourceManagerLockMaliciousDeletion.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ResourceManagerLockMaliciousDeletion.yaml
new file mode 100644
index 000000000..89e5e8313
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-ResourceManagerLockMaliciousDeletion.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ResourceManagerLockMaliciousDeletion
+title: Apply a Resource Manager lock on the storage account.
+description: Lock the account to prevent accidental or malicious deletion of the storage
+ account, which might cause data loss.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 0148ed98-3b9a-4b7f-81c2-8b550f56f793
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecureChannelEncryptionSmbProtocolVersion.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecureChannelEncryptionSmbProtocolVersion.yaml
new file mode 100644
index 000000000..abeabc716
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecureChannelEncryptionSmbProtocolVersion.yaml
@@ -0,0 +1,22 @@
+name: wafsg-SecureChannelEncryptionSmbProtocolVersion
+title: Use only the most recent supported SMB protocol version (currently 3.1.1.),
+ and use only AES-256-GCM for SMB channel encryption. Azure Files exposes settings
+ that you can use to toggle the SMB protocol and make it more compatible or more
+ secure, depending on your organization's requirements. By default, all SMB versions
+ are allowed. However, SMB 2.1 is disallowed if you enable Require secure transfer
+ because SMB 2.1 doesn't support encryption of data in transit. If you restrict these
+ settings to a high level of security, some clients might not be able to connect
+ to the file share.
+description: SMB 3.1.1, released with Windows 10, contains important security and
+ performance updates. AES-256-GCM offers more secure channel encryption.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 59fe4bee-d21b-4f74-880f-eb22da54ee6e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecureTransferStorageAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecureTransferStorageAccounts.yaml
new file mode 100644
index 000000000..3053f46aa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecureTransferStorageAccounts.yaml
@@ -0,0 +1,17 @@
+name: wafsg-SecureTransferStorageAccounts
+title: 'Enable the secure transfer required option: Enabling this setting for all
+ your storage accounts ensures that all requests made against the storage account
+ must take place over secure connections. Any requests made over HTTP fail.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: b174e3db-c952-4b33-a72e-874f60a0f671
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineAzureStorage-1.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineAzureStorage-1.yaml
new file mode 100644
index 000000000..31f8ea543
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineAzureStorage-1.yaml
@@ -0,0 +1,16 @@
+name: wafsg-SecurityBaselineAzureStorage-1
+title: 'Review the security baseline for Azure Storage: To get started, review the
+ security baseline for Storage.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 486329dd-f6a9-4714-bab2-0c7da68e2473
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineAzureStorage.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineAzureStorage.yaml
new file mode 100644
index 000000000..bb05b5ad6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineAzureStorage.yaml
@@ -0,0 +1,16 @@
+name: wafsg-SecurityBaselineAzureStorage
+title: 'Review the security baseline for Azure Storage: To get started, first review
+ the security baseline for Storage.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-blob-storage.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: a7cd3662-4984-4a5a-8ed7-95c707f19c25
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineStorage.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineStorage.yaml
new file mode 100644
index 000000000..22ed0b6bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SecurityBaselineStorage.yaml
@@ -0,0 +1,16 @@
+name: wafsg-SecurityBaselineStorage
+title: 'Review the security baseline for Storage: To get started, review the security
+ baseline for Storage.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: c5f40aec-9c2c-4c16-8ae9-f9fdd4733804
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SharedAccessSignatureTokenAccessSignatureBestPractices.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SharedAccessSignatureTokenAccessSignatureBestPractices.yaml
new file mode 100644
index 000000000..56169c1aa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SharedAccessSignatureTokenAccessSignatureBestPractices.yaml
@@ -0,0 +1,18 @@
+name: wafsg-SharedAccessSignatureTokenAccessSignatureBestPractices
+title: We recommend that you don't use shared access signature tokens. Evaluate whether
+ you need shared access signature tokens to secure access to Blob Storage resources.
+ If you must create one, then review this list of shared access signature best practices
+ before you create and distribute it.
+description: Best practices can help you prevent a shared access signature token from
+ being leaked and quickly recover if a leak does occur.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 74296778-eb6c-4ef3-b2db-f64839ca4140
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SharedKeyAuthorizationAccessSignatureTokens.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SharedKeyAuthorizationAccessSignatureTokens.yaml
new file mode 100644
index 000000000..c57369469
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SharedKeyAuthorizationAccessSignatureTokens.yaml
@@ -0,0 +1,17 @@
+name: wafsg-SharedKeyAuthorizationAccessSignatureTokens
+title: Disallow shared key authorization. This disables not only account key access
+ but also service and account shared access signature tokens because they're based
+ on account keys.
+description: Only secured requests that are authorized with Microsoft Entra ID are
+ permitted.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: c1c19545-ae06-45b2-9770-1bc64e63c70b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SmbFileSharesMostCases.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SmbFileSharesMostCases.yaml
new file mode 100644
index 000000000..fd900bf2c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SmbFileSharesMostCases.yaml
@@ -0,0 +1,19 @@
+name: wafsg-SmbFileSharesMostCases
+title: In most cases, you should enable the Secure transfer required option on all
+ your storage accounts to enable encryption in transit for SMB file shares. Don't
+ enable this option if you need to allow very old clients to access the share. If
+ you disable secure transfer, be sure to use network controls to restrict traffic.
+description: This setting ensures that all requests that are made against the storage
+ account take place over secure connections (HTTPS). Any requests made over HTTP
+ will fail.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: b9cbb598-dcaa-431a-bae0-f8a7909f577b
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SpecificVirtualNetworksFirewallRules.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SpecificVirtualNetworksFirewallRules.yaml
new file mode 100644
index 000000000..90d7f2f16
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SpecificVirtualNetworksFirewallRules.yaml
@@ -0,0 +1,16 @@
+name: wafsg-SpecificVirtualNetworksFirewallRules
+title: Enable firewall rules that limit access to specific virtual networks. Start
+ with zero access, and then methodically and incrementally provide the least amount
+ of access required for clients and services.
+description: Minimize the risk of creating openings for attackers.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: bbbb3c40-4a58-4602-87cd-5bb36d95381d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SpecificVirtualNetworksPublicEndpoints.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SpecificVirtualNetworksPublicEndpoints.yaml
new file mode 100644
index 000000000..f4e9f8292
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-SpecificVirtualNetworksPublicEndpoints.yaml
@@ -0,0 +1,19 @@
+name: wafsg-SpecificVirtualNetworksPublicEndpoints
+title: Disable traffic to the public endpoints of your storage account. Create private
+ endpoints for clients that run in Azure. Enable the public endpoint only if clients
+ and services external to Azure require direct access to your storage account. Enable
+ firewall rules that limit access to specific virtual networks.
+description: Start with zero access and then incrementally authorize the lowest levels
+ of access required for clients and services to minimize the risk of creating unnecessary
+ openings for attackers.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 4c73ba4b-1d06-42f6-afcb-2dc1d4b8885a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StandardDataProcessingRatesSpecificVirtualNetworks.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StandardDataProcessingRatesSpecificVirtualNetworks.yaml
new file mode 100644
index 000000000..63fe30167
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StandardDataProcessingRatesSpecificVirtualNetworks.yaml
@@ -0,0 +1,23 @@
+name: wafsg-StandardDataProcessingRatesSpecificVirtualNetworks
+title: Consider disabling public network access to your storage account. Enable public
+ network access only if SMB clients and services that are external to Azure require
+ access to your storage account. If you disable public network access,create a private
+ endpoint for your storage account. Standard data processing rates for private endpoints
+ apply. A private endpoint doesn't block connections to the public endpoint. You
+ should still disable public network access as previously described. If you don't
+ require a static IP address for your file share and want to avoid the cost of private
+ endpoints, you can instead restrict public endpoint access to specific virtual networks
+ and IP addresses.
+description: Network traffic travels over the Microsoft backbone network instead of
+ the public internet, which eliminates risk exposure from the public internet.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 27f96d86-72a7-4c44-8cdd-146d39feefaf
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeyAccessSmbSecuritySettings.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeyAccessSmbSecuritySettings.yaml
new file mode 100644
index 000000000..a5d696953
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeyAccessSmbSecuritySettings.yaml
@@ -0,0 +1,21 @@
+name: wafsg-StorageAccountKeyAccessSmbSecuritySettings
+title: If you use storage account keys, store them in Key Vault, and make sure to
+ regenerate them periodically. You can completely disallow storage account key access
+ to the file share by removing NTLMv2 from the share's SMB security settings. But
+ you generally shouldn't remove NTLMv2 from the share's SMB security settings because
+ administrators still need to use the account key for some tasks.
+description: Use Key Vault to retrieve keys at runtime instead of saving them with
+ your application. Key Vault also makes it easy to rotate your keys without interruption
+ to your applications. Periodically rotate the account keys to reduce the risk of
+ exposing your data to malicious attacks.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: c034b5bc-eaca-4ba4-b9c7-3d427108584d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeyAccessStorageAccountLevel.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeyAccessStorageAccountLevel.yaml
new file mode 100644
index 000000000..feb52f0c7
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeyAccessStorageAccountLevel.yaml
@@ -0,0 +1,18 @@
+name: wafsg-StorageAccountKeyAccessStorageAccountLevel
+title: Consider disallowing storage account key access at the storage account level.
+ You don't need this access to mount NFS file shares. But keep in mind that full
+ administrative control of a file share, including the ability to take ownership
+ of a file, requires use of a storage account key.
+description: Disallow the use of storage account keys to make your storage account
+ more secure.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: f7b42a8a-fb21-4101-a256-8bbab4e1bd25
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeysFullAdministrativeControl.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeysFullAdministrativeControl.yaml
new file mode 100644
index 000000000..8004d90b0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeysFullAdministrativeControl.yaml
@@ -0,0 +1,19 @@
+name: wafsg-StorageAccountKeysFullAdministrativeControl
+title: 'Minimize the use of storage account keys: Identity-based authentication provides
+ superior security compared to using a storage account key. But you must use a storage
+ account key to get full administrative control of a file share, including the ability
+ to take ownership of a file. Grant security principals only the necessary permissions
+ that they need to perform their tasks.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 88413b43-c031-4930-acbf-fc1d33b7d930
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeysSensitiveInformation.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeysSensitiveInformation.yaml
new file mode 100644
index 000000000..1692da0e5
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-StorageAccountKeysSensitiveInformation.yaml
@@ -0,0 +1,17 @@
+name: wafsg-StorageAccountKeysSensitiveInformation
+title: 'Protect sensitive information: Protect sensitive information, such as storage
+ account keys and passwords. We don''t recommend that you use these forms of authorization,
+ but if you do, you should make sure to rotate, expire, and store them securely.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 5542bb7f-c507-480d-8881-93f7a2854e63
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-TransportLayerSecurityTlsProtocolAttackSurface.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-TransportLayerSecurityTlsProtocolAttackSurface.yaml
new file mode 100644
index 000000000..b292b79d1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/Security/wafsg-TransportLayerSecurityTlsProtocolAttackSurface.yaml
@@ -0,0 +1,18 @@
+name: wafsg-TransportLayerSecurityTlsProtocolAttackSurface
+title: 'Reduce the attack surface: Use encryption in transit and prevent access over
+ non-secure (HTTP) connections to reduce the attack surface. Require clients to send
+ and receive data by using the latest version of the Transport Layer Security (TLS)
+ protocol.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-files.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.storage/storageaccounts
+waf: Security
+severity: 1
+labels:
+ guid: 57e9b6de-1640-41de-93c5-8306d37660ff
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-AzureStorageAccountsBlobOperationLatency.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-AzureStorageAccountsBlobOperationLatency.yaml
new file mode 100644
index 000000000..7db928b5a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-AzureStorageAccountsBlobOperationLatency.yaml
@@ -0,0 +1,19 @@
+name: aprl-AzureStorageAccountsBlobOperationLatency
+title: Enable versioning for accidental modification and keep the number of versions
+ below 1000
+description: |-
+ Consider enabling versioning for Azure Storage Accounts to recover from accidental modifications or deletions and manage blob operation latency. Microsoft advises maintaining fewer than 1000 versions per blob to optimize performance. Lifecycle management can help delete old versions automatically.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 2
+labels:
+ guid: 8ebda7c0-e0e1-ed45-af59-2d7ea9a1c05d
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
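Review bot: `resourceTypes` is written as `Microsoft.Storage/storageAccounts` in this and the other `aprl-*` files but as `microsoft.storage/storageaccounts` in every `wafsg-*` file in the same directory; unless the consumer lower-cases before matching, a filter by resource type will return one source's recommendations and silently miss the other's. Resource type names compare case-insensitively in ARM, so normalizing to one casing at generation time (lower-case is the safe canonical form) keeps the two sources comparable. The `arg` query here is the placeholder `// under-development`, and the same applies to `aprl-BlobStorageAccountsCriticalApplications.yaml` and the `// cannot-be-validated-with-arg` entry; emitting `queries: {}` for those, as the wafsg files do, would let consumers distinguish "no query" from a query that is only a comment and avoid submitting it to Resource Graph.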
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-BlobStorageAccountsCriticalApplications.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-BlobStorageAccountsCriticalApplications.yaml
new file mode 100644
index 000000000..ae176790e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-BlobStorageAccountsCriticalApplications.yaml
@@ -0,0 +1,18 @@
+name: aprl-BlobStorageAccountsCriticalApplications
+title: Monitor all blob storage accounts
+description: |-
+ For critical applications and business processes relying on Azure, monitoring and alerts are crucial. Resource logs are only stored after creating a diagnostic setting to route logs to specified locations, requiring selection of log categories to collect.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 2
+labels:
+ guid: 96cb8331-6b06-8242-8ce8-4e2f665dc679
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-LeverageAzurePrivateLinkServiceGranularAccessControl.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-LeverageAzurePrivateLinkServiceGranularAccessControl.yaml
new file mode 100644
index 000000000..f4d795609
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-LeverageAzurePrivateLinkServiceGranularAccessControl.yaml
@@ -0,0 +1,25 @@
+name: aprl-LeverageAzurePrivateLinkServiceGranularAccessControl
+title: Enable Azure Private Link service for storage accounts
+description: |-
+ Leverage Azure Private Link Service for secure access to Azure Storage and services via Private Endpoint in your VNet. Eliminate the need for public IPs, ensuring data privacy. Enjoy granular access control for enhanced security.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 1
+labels:
+ guid: dc55be60-6f8c-461e-a9d5-a3c7686ed94e
+ area: Security
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // This resource graph query will return all storage accounts that does not have a Private Endpoint Connection or where a private endpoint exists but public access is enabled
+ resources
+ | where type =~ "Microsoft.Storage/StorageAccounts"
+ | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ("Succeeded") or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')
+ | extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections),split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))
+ | extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place','Public Access Enabled')))
+ | project recommendationId = "dc55be60-6f8c-461e-a9d5-a3c7686ed94e", name, id, tags, param1, param2
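Review bot: The query's third condition, `isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled'`, only flags public access when `networkAcls` is absent; a storage account normally carries a `networkAcls` object with `defaultAction: Allow`, so an account that has a private endpoint, public network access enabled and a permissive default action is likely reported as compliant, and `param2` would label it `NetworkACLs in place`. Checking `properties.networkAcls.defaultAction != 'Deny'` instead of `isnull(properties.networkAcls)` would match the intent stated in the query's own comment. The query also inspects only `privateEndpointConnections[0]`, so an account whose first connection is pending but whose second succeeded is flagged, and the reverse case is missed. Both issues are inherited from the upstream APRL recommendation text, so the fix may belong there rather than in this generated file.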
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-NewAzureResourceManagerResourcesClassicStorageAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-NewAzureResourceManagerResourcesClassicStorageAccounts.yaml
new file mode 100644
index 000000000..6fbac98dd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-NewAzureResourceManagerResourcesClassicStorageAccounts.yaml
@@ -0,0 +1,22 @@
+name: aprl-NewAzureResourceManagerResourcesClassicStorageAccounts
+title: Classic Storage Accounts must be migrated to new Azure Resource Manager resources
+description: |-
+ Classic storage accounts will be fully retired on August 31, 2024. If you have classic storage accounts, start planning your migration now.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 0
+labels:
+ guid: 63ad027e-611c-294b-acc5-8e3234db9a40
+ area: Service Upgrade and Retirement
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Azure classic Storage Account
+ resources
+ | where type =~ 'microsoft.classicstorage/storageaccounts'
+ | project recommendationId = '63ad027e-611c-294b-acc5-8e3234db9a40', name, id, tags, param1=type
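Review bot: The `source` block at L52704–L52707 records the upstream file and a human-readable date but not the upstream revision, so a reader cannot tell which version of `azure-resources/Storage/storageAccounts/recommendations.yaml` this entry was imported from. Adding something like `commit: <upstream-commit-sha>` (placeholder) under `source` would make each imported recommendation reproducible and auditable; the same applies to every `type: aprl` entry in this diff. The `timestamp: July 24, 2024` form is a locale-formatted string rather than ISO 8601, so any later freshness check or sort has to parse it first; `timestamp: 2024-07-24` would be the conventional choice. These files look generated, so if that is the case the change belongs in the generator rather than in the YAML itself.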
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-PremiumPerformanceBlockBlobStorageFastStorageResponseTimes.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-PremiumPerformanceBlockBlobStorageFastStorageResponseTimes.yaml
new file mode 100644
index 000000000..2f4ce42ef
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-PremiumPerformanceBlockBlobStorageFastStorageResponseTimes.yaml
@@ -0,0 +1,18 @@
+name: aprl-PremiumPerformanceBlockBlobStorageFastStorageResponseTimes
+title: Use premium performance block blob storage for high performance workloads
+description: |-
+ Use premium performance block blob storage instead of standard performance storage for workloads that require fast storage response times and/or high transaction rates.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 1
+labels:
+ guid: 5587ef77-7a05-a74d-9c6e-449547a12f27
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-SoftDeleteOptionDataIntegrityMeasures.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-SoftDeleteOptionDataIntegrityMeasures.yaml
new file mode 100644
index 000000000..bae0ff45e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-SoftDeleteOptionDataIntegrityMeasures.yaml
@@ -0,0 +1,18 @@
+name: aprl-SoftDeleteOptionDataIntegrityMeasures
+title: Enable Soft Delete to protect your data
+description: |-
+ The soft delete option enables data recovery if mistakenly deleted, while the Lock feature prevents the accidental deletion of the storage account itself, ensuring additional security and data integrity measures.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 1
+labels:
+ guid: 03263c57-c869-3841-9e0a-3dbb9ef3e28d
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StandardGeneralPurposeVAccountsGpvAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StandardGeneralPurposeVAccountsGpvAccounts.yaml
new file mode 100644
index 000000000..d38cb3257
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StandardGeneralPurposeVAccountsGpvAccounts.yaml
@@ -0,0 +1,18 @@
+name: aprl-StandardGeneralPurposeVAccountsGpvAccounts
+title: Enable point-in-time restore for GPv2 accounts to safeguard against data loss
+description: |-
+ Consider enabling point-in-time restore for standard general purpose v2 accounts with flat namespace to protect against accidental deletion or corruption by restoring block blob data to an earlier state.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 2
+labels:
+ guid: 1b965cb9-7629-214e-b682-6bf6e450a100
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StandardGeneralPurposeVGeneralPurposeVAccounts.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StandardGeneralPurposeVGeneralPurposeVAccounts.yaml
new file mode 100644
index 000000000..2a6354786
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StandardGeneralPurposeVGeneralPurposeVAccounts.yaml
@@ -0,0 +1,26 @@
+name: aprl-StandardGeneralPurposeVGeneralPurposeVAccounts
+title: Consider upgrading legacy storage accounts to v2 storage accounts
+description: |-
+ General-purpose v2 accounts are recommended for most storage scenarios offering the latest features or the lowest per-gigabyte pricing. Legacy accounts like Standard general-purpose v1 and Blob Storage aren't advised by Microsoft but may fit specific scenarios.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 2
+labels:
+ guid: 2ad78dec-5a4d-4a30-8fd1-8584335ad781
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Azure Storage Accounts, that upgradeable to General purpose v2.
+ Resources
+ | where type =~ "Microsoft.Storage/storageAccounts" and kind in~ ("Storage", "BlobStorage")
+ | extend
+ param1 = strcat("AccountKind: ", case(kind =~ "Storage", "Storage (general purpose v1)", kind =~ "BlobStorage", "BlobStorage", kind)),
+ param2 = strcat("Performance: ", sku.tier),
+ param3 = strcat("Replication: ", sku.name)
+ | project recommendationId = "2ad78dec-5a4d-4a30-8fd1-8584335ad781", name, id, tags, param1, param2, param3
diff --git a/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StorageAccountsDurabilityTargets.yaml b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StorageAccountsDurabilityTargets.yaml
new file mode 100644
index 000000000..6de75812d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftStorage-storageAccounts/aprl-StorageAccountsDurabilityTargets.yaml
@@ -0,0 +1,23 @@
+name: aprl-StorageAccountsDurabilityTargets
+title: Ensure that storage accounts are zone or region redundant
+description: |-
+ Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost.
+source:
+ type: aprl
+ file: azure-resources/Storage/storageAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Storage/storageAccounts
+severity: 0
+labels:
+ guid: e6c7e1cc-2f47-264d-aa50-1da421314472
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This query will return all storage accounts that are not using Zone or Region replication
+ Resources
+ | where type =~ "Microsoft.Storage/storageAccounts"
+ | where sku.name in~ ("Standard_LRS", "Premium_LRS")
+ | project recommendationId = "e6c7e1cc-2f47-264d-aa50-1da421314472", name, id, tags, param1 = strcat("sku: ", sku.name)
diff --git a/v2/recos/Services/MicrosoftSubscription-Subscriptions/aprl-ACitrixManagedAzureSubscriptionCitrixVdaServers.yaml b/v2/recos/Services/MicrosoftSubscription-Subscriptions/aprl-ACitrixManagedAzureSubscriptionCitrixVdaServers.yaml
new file mode 100644
index 000000000..2b7f45df9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSubscription-Subscriptions/aprl-ACitrixManagedAzureSubscriptionCitrixVdaServers.yaml
@@ -0,0 +1,28 @@
+name: aprl-ACitrixManagedAzureSubscriptionCitrixVdaServers
+title: Do not create more than 2000 Citrix VDA servers per subscription
+description: |-
+ A Citrix Managed Azure subscription supports VMs with VDA for app/desktop delivery, excluding other machines like Cloud Connectors. When close to the limit, signaled by a dashboard notification, and with sufficient licenses, request another subscription. Can't exceed the given limits for catalogs.
+source:
+ type: aprl
+ file: azure-resources/Subscription/subscriptions/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Subscription/Subscriptions
+severity: 0
+labels:
+ guid: c041d596-6c97-4c5f-b4b3-9cd37628f2e2
+ area: Governance
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Count VM instances with a tag that contains "Citrix VDA" and create output if that count is >2000 for each subscription.
+ // The Citrix published limit is 2500. This query runs an 80% check.
+
+ resources
+ | where type == 'microsoft.compute/virtualmachines'
+ | where tags contains 'Citrix VDA'
+ | summarize VMs=count() by subscriptionId
+ | where VMs > 2000
+ | join (resourcecontainers| where type =='microsoft.resources/subscriptions' | project subname=name, subscriptionId) on subscriptionId
+ | project recommendationId='c041d596-6c97-4c5f-b4b3-9cd37628f2e2', name= subname, id = subscriptionId, param1='Too many instances.', param2= VMs
diff --git a/v2/recos/Services/MicrosoftSubscription-Subscriptions/aprl-TenantRootManagementGroupManagementGroups.yaml b/v2/recos/Services/MicrosoftSubscription-Subscriptions/aprl-TenantRootManagementGroupManagementGroups.yaml
new file mode 100644
index 000000000..45d3b8e03
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSubscription-Subscriptions/aprl-TenantRootManagementGroupManagementGroups.yaml
@@ -0,0 +1,24 @@
+name: aprl-TenantRootManagementGroupManagementGroups
+title: Subscriptions should not be placed under the Tenant Root Management Group
+description: |-
+ The root management group in Azure is designed for organizational hierarchy, allowing for all management groups and subscriptions to fold into it.
+source:
+ type: aprl
+ file: azure-resources/Subscription/subscriptions/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Subscription/Subscriptions
+severity: 1
+labels:
+ guid: 5ada5ffa-7149-4e49-9fbf-e67be7c2594c
+ area: Governance
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure Subscriptions that are placed under the Tenant Root Management Group
+ resourcecontainers
+ | where type == 'microsoft.resources/subscriptions'
+ | extend mgParentSize = array_length(properties.managementGroupAncestorsChain)
+ | where mgParentSize == 1
+ | project recommendationId="5ada5ffa-7149-4e49-9fbf-e67be7c2594c", name, id, tags
diff --git a/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-AdditionalDataAnalysisCostData.yaml b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-AdditionalDataAnalysisCostData.yaml
new file mode 100644
index 000000000..72e62091e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-AdditionalDataAnalysisCostData.yaml
@@ -0,0 +1,15 @@
+name: revcl-AdditionalDataAnalysisCostData
+title: Export cost data to a storage account for additional data analysis.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.synapse/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 35e33789-7e31-4c67-b68c-f6a62a119495
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/availability
+queries: {}
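Review bot: The `links` entry at L52937–L52938 does not match the recommendation: a Synapse cost-export item (L52926) points at the virtual-machines availability page. The same mismatch appears in the other `type: revcl` files in this diff (L52960–L52962, L52984, L53005, L53027, L53049, L53276, L53297–L53299, L53320–L53322, L53351, L53372–L53374, L53397, L53422–L53424), where Spark-pool, Functions and budget items link to Front Door, resource locks, Network Watcher and similar unrelated pages. This looks like the link list being joined to the wrong checklist item during generation rather than a hand-authoring error, so the generator's link extraction is worth verifying before these files are consumed. Separately, L53331–L53339 carries a multi-sentence paragraph including a URL as `title` with no `description` field, which suggests the checklist text is being mapped to the wrong key for these entries.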
diff --git a/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-AzureSynapseCommitUnitsAzureSynapseAnalyticsCosts.yaml b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-AzureSynapseCommitUnitsAzureSynapseAnalyticsCosts.yaml
new file mode 100644
index 000000000..75fd2d4bb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-AzureSynapseCommitUnitsAzureSynapseAnalyticsCosts.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureSynapseCommitUnitsAzureSynapseAnalyticsCosts
+title: Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase
+ plan to save on your Azure Synapse Analytics costs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.synapse/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-DedicatedSqlPoolCosts.yaml b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-DedicatedSqlPoolCosts.yaml
new file mode 100644
index 000000000..9bd189caf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-DedicatedSqlPoolCosts.yaml
@@ -0,0 +1,16 @@
+name: revcl-DedicatedSqlPoolCosts
+title: Control costs for a dedicated SQL pool by pausing the resource when it is not
+ in use.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.synapse/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 6d697dc3-a2ed-427b-8d18-6f1a1252bddd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-MultipleApacheSparkPoolDefinitionsVariousSizes.yaml b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-MultipleApacheSparkPoolDefinitionsVariousSizes.yaml
new file mode 100644
index 000000000..1f6bce937
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-MultipleApacheSparkPoolDefinitionsVariousSizes.yaml
@@ -0,0 +1,15 @@
+name: revcl-MultipleApacheSparkPoolDefinitionsVariousSizes
+title: Create multiple Apache Spark pool definitions of various sizes.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.synapse/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: d5a3bec2-c4e2-4436-a133-6db55f17960e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-ServerlessApacheSparkAutomaticPauseFeatureTimeoutValue.yaml b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-ServerlessApacheSparkAutomaticPauseFeatureTimeoutValue.yaml
new file mode 100644
index 000000000..2d83614eb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-ServerlessApacheSparkAutomaticPauseFeatureTimeoutValue.yaml
@@ -0,0 +1,16 @@
+name: revcl-ServerlessApacheSparkAutomaticPauseFeatureTimeoutValue
+title: Enable the serverless Apache Spark automatic pause feature and set your timeout
+ value accordingly.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.synapse/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: e68a487c-dec4-4861-ac3b-c10ae77e26e4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-SpendingAnomaliesOverspendingRisks.yaml b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-SpendingAnomaliesOverspendingRisks.yaml
new file mode 100644
index 000000000..7d9b031c1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftSynapse-workspaces/Cost/revcl-SpendingAnomaliesOverspendingRisks.yaml
@@ -0,0 +1,16 @@
+name: revcl-SpendingAnomaliesOverspendingRisks
+title: Create budgets to manage costs and create alerts that automatically notify
+ stakeholders of spending anomalies and overspending risks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.synapse/workspaces
+waf: Cost
+severity: 1
+labels:
+ guid: 54387e5c-ed12-46cd-832a-f5b2fc6998a5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/availability-zones-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftVirtualMachineImages-imageTemplates/aprl-GenerationVirtualMachineSourceImageImageTemplates.yaml b/v2/recos/Services/MicrosoftVirtualMachineImages-imageTemplates/aprl-GenerationVirtualMachineSourceImageImageTemplates.yaml
new file mode 100644
index 000000000..c4058ecf6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftVirtualMachineImages-imageTemplates/aprl-GenerationVirtualMachineSourceImageImageTemplates.yaml
@@ -0,0 +1,18 @@
+name: aprl-GenerationVirtualMachineSourceImageImageTemplates
+title: Use Generation 2 virtual machine source image
+description: |-
+ When building Image Templates, use sources for gen 2 VMs. Gen 2 offers more memory, supports >2TB disks, uses UEFI for faster boot/installation, has Intel SGX, and virtualized persistent memory (vPMEM), unlike gen 1's BIOS-based architecture.
+source:
+ type: aprl
+ file: azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.VirtualMachineImages/imageTemplates
+severity: 2
+labels:
+ guid: 19b6df57-f6b5-3e4f-843a-273daa087cb0
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftVirtualMachineImages-imageTemplates/aprl-TheAzureImageBuilderServiceContinuousVirtualMachineDeployment.yaml b/v2/recos/Services/MicrosoftVirtualMachineImages-imageTemplates/aprl-TheAzureImageBuilderServiceContinuousVirtualMachineDeployment.yaml
new file mode 100644
index 000000000..24a8a0490
--- /dev/null
+++ b/v2/recos/Services/MicrosoftVirtualMachineImages-imageTemplates/aprl-TheAzureImageBuilderServiceContinuousVirtualMachineDeployment.yaml
@@ -0,0 +1,24 @@
+name: aprl-TheAzureImageBuilderServiceContinuousVirtualMachineDeployment
+title: Replicate your Image Templates to a secondary region
+description: |-
+ The Azure Image Builder service, used for deploying Image Templates, lacks availability zones support. By replicating Image Templates to a secondary, preferably paired, region, quick recovery from a region failure is enabled, ensuring continuous virtual machine deployment from these templates.
+source:
+ type: aprl
+ file: azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.VirtualMachineImages/imageTemplates
+severity: 2
+labels:
+ guid: 21fb841b-ba70-1f4e-a460-1f72fb41aa51
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // List all Image Templates that are not replicated to another region
+ resources
+ | where type =~ "microsoft.virtualmachineimages/imagetemplates"
+ | mv-expand distribution=properties.distribute
+ | where array_length(parse_json(distribution).replicationRegions) == 1
+ | project recommendationId = "21fb841b-ba70-1f4e-a460-1f72fb41aa51", name, id, param1=strcat("replicationRegions:",parse_json(distribution).replicationRegions)
diff --git a/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-AzureAppServiceInstancesServiceDisruptions.yaml b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-AzureAppServiceInstancesServiceDisruptions.yaml
new file mode 100644
index 000000000..196c4d0d6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-AzureAppServiceInstancesServiceDisruptions.yaml
@@ -0,0 +1,30 @@
+name: aprl-AzureAppServiceInstancesServiceDisruptions
+title: Avoid scaling up or down
+description: |-
+ Avoid frequent scaling up/down of Azure App Service instances to prevent service disruptions. Choose the right tier and size for the workload and scale out for traffic changes, as scaling adjustments can trigger application restarts.
+source:
+ type: aprl
+ file: azure-resources/Web/serverFarms/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/serverFarms
+severity: 1
+labels:
+ guid: 07243659-4643-d44c-a1c6-07ac21635072
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure App Service Plans and the number of changes that was made to the pricing tier, if the count is higher that 3 it means you need to avoid scaling up and down that often
+
+ resourcechanges
+ | extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),
+ changeType = tostring(properties.changeType), correlationId = properties.changeAttributes.correlationId,
+ changedProperties = properties.changes, changeCount = properties.changeAttributes.changesCount
+ | where changeTime > ago(14d)
+ | join kind=inner (resources | project resources_Name = name, resources_Type = type, resources_Subscription= subscriptionId, resources_ResourceGroup= resourceGroup, id) on $left.targetResourceId == $right.id
+ | where resources_Type contains "microsoft.web/serverfarms"
+ | where changedProperties['sku.name'].propertyChangeType == 'Update' or changedProperties['sku.tier'].propertyChangeType == 'Update'
+ | summarize count() by targetResourceId, resources_Name ,tostring(changedProperties['sku.name'].previousValue), tostring(changedProperties['sku.tier'].newValue)
+ | project recommendationId="07243659-4643-d44c-a1c6-07ac21635072", name=resources_Name, id=targetResourceId, tags="", param1=['changedProperties_sku.name_previousValue'], param2=['changedProperties_sku.tier_newValue'], param3=count_
diff --git a/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-AzureAppServiceServiceRequests.yaml b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-AzureAppServiceServiceRequests.yaml
new file mode 100644
index 000000000..de7a7d9c4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-AzureAppServiceServiceRequests.yaml
@@ -0,0 +1,19 @@
+name: aprl-AzureAppServiceServiceRequests
+title: Enable Autoscale/Automatic scaling to ensure adequate resources are available
+ to service requests
+description: |-
+ Enabling Autoscale/Automatic Scaling for your Azure App Service ensures sufficient resources for incoming requests. Autoscaling is rule-based, whereas Automatic Scaling, a newer feature, automatically adjusts resources based on HTTP traffic.
+source:
+ type: aprl
+ file: azure-resources/Web/serverFarms/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/serverFarms
+severity: 1
+labels:
+ guid: 6320abf6-f917-1843-b2ae-4779c35985ae
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-MigrateAppServiceAppServicePlans.yaml b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-MigrateAppServiceAppServicePlans.yaml
new file mode 100644
index 000000000..34bdd9b3b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-MigrateAppServiceAppServicePlans.yaml
@@ -0,0 +1,27 @@
+name: aprl-MigrateAppServiceAppServicePlans
+title: Migrate App Service to availability Zone Support
+description: |-
+ Azure's feature of deploying App Service plans across availability zones enhances resiliency and reliability by ensuring operation during datacenter failures, providing redundancy without needing different regions, thus minimizing downtime and maintaining uninterrupted services.
+source:
+ type: aprl
+ file: azure-resources/Web/serverFarms/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/serverFarms
+severity: 0
+labels:
+ guid: 88cb90c2-3b99-814b-9820-821a63f600dd
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // The query filters the qualified App Service Plans that do not have Zone Redundancy enabled.
+ // Its important to check regions that support availability zones for Azure App Services running on multi-tenant and App Service Environments https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service?tabs=graph%2Ccli#:~:text=The%20following%20regions%20support%20Azure%20App%20Services%20running%20on%20multi%2Dtenant%20environments%3A
+
+ resources
+ | where type =~ 'microsoft.web/serverfarms'
+ | extend zoneRedundant = tobool(properties.zoneRedundant)
+ | extend sku_tier = tostring(sku.tier)
+ | where (tolower(sku_tier) contains "isolated" or tolower(sku_tier) contains "premium") and zoneRedundant == false
+ | project recommendationId="88cb90c2-3b99-814b-9820-821a63f600dd", name, id, tags, param1=sku_tier, param2="Not Zone Redundant"
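Review bot: The filter at L53197 keeps only plans where `zoneRedundant == false`, so a plan on which `properties.zoneRedundant` is absent (making `tobool(...)` null) is silently dropped and never reported as non-zone-redundant. If that property can be missing on qualifying plans, the condition should be `and (isnull(zoneRedundant) or zoneRedundant == false)` so the gap is reported rather than hidden; whether the property is always present is not visible here and should be confirmed against the resource provider schema.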
diff --git a/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-SeparateAppServicePlansTestingPurposes.yaml b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-SeparateAppServicePlansTestingPurposes.yaml
new file mode 100644
index 000000000..c51a6cee4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-SeparateAppServicePlansTestingPurposes.yaml
@@ -0,0 +1,18 @@
+name: aprl-SeparateAppServicePlansTestingPurposes
+title: Create separate App Service plans for production and test
+description: |-
+ It is strongly recommended to create separate App Service plans for production and test environments to avoid using slots within your production deployment for testing purposes.
+source:
+ type: aprl
+ file: azure-resources/Web/serverFarms/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/serverFarms
+severity: 0
+labels:
+ guid: dbe3fd66-fb2a-9d46-b162-1791e21da236
+ area: Governance
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-StandardPremiumAzureAppServicePlanUseStandard.yaml b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-StandardPremiumAzureAppServicePlanUseStandard.yaml
new file mode 100644
index 000000000..544d1d357
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-serverFarms/aprl-StandardPremiumAzureAppServicePlanUseStandard.yaml
@@ -0,0 +1,27 @@
+name: aprl-StandardPremiumAzureAppServicePlanUseStandard
+title: Use Standard or Premium tier
+description: |-
+ Choose Standard/Premium Azure App Service Plan for robust apps with advanced scaling, high availability, better performance, and multiple slots, ensuring resilience and continuous operation.
+source:
+ type: aprl
+ file: azure-resources/Web/serverFarms/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/serverFarms
+severity: 0
+labels:
+ guid: b2113023-a553-2e41-9789-597e2fb54c31
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure App Service Plans that are not in the "Standard", "Premium", or "IsolatedV2" SKU tiers.
+
+ resources
+ | where type =~ 'microsoft.web/serverfarms'
+ | extend sku_tier = tostring(sku.tier)
+ | where tolower(sku_tier) !contains "standard" and
+ tolower(sku_tier) !contains "premium" and
+ tolower(sku_tier) !contains "isolatedv2"
+ | project recommendationId="b2113023-a553-2e41-9789-597e2fb54c31", name, id, tags, param1= strcat("SKU=",sku_tier)
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-FunctionAppsPlan.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-FunctionAppsPlan.yaml
new file mode 100644
index 000000000..8b81c8993
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-FunctionAppsPlan.yaml
@@ -0,0 +1,16 @@
+name: revcl-FunctionAppsPlan
+title: Function apps in a given plan are all scaled together, so any issues with scaling
+ can affect all apps in the plan.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: ad53cc7d-e2e8-4aaa-a357-1549ab9153d8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-Functions.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-Functions.yaml
new file mode 100644
index 000000000..157dbe5e8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-Functions.yaml
@@ -0,0 +1,17 @@
+name: revcl-Functions
+title: Functions - Keep your functions warm
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 0e7c28dc-9366-4572-82bf-f4564b0d934a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-FunctionsData.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-FunctionsData.yaml
new file mode 100644
index 000000000..b6b1c9efb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-FunctionsData.yaml
@@ -0,0 +1,17 @@
+name: revcl-FunctionsData
+title: Functions - Cache data locally
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 27139b82-1102-4dbd-9eaf-11e6f843e52f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/automation/update-management/overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-GbSecondCalculationAsyncOperation.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-GbSecondCalculationAsyncOperation.yaml
new file mode 100644
index 000000000..95bd40ebd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-GbSecondCalculationAsyncOperation.yaml
@@ -0,0 +1,23 @@
+name: revcl-GbSecondCalculationAsyncOperation
+title: Am I billed for 'await time'? This question is typically asked in the context
+ of a C# function that does an async operation and waits for the result, e.g. await
+ Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes
+ - the GB second calculation is based on the start and end time of the function and
+ the memory usage over that period. What actually happens over that time in terms
+ of CPU activity is not factored into the calculation.One exception to this rule
+ is if you are using durable functions. You are not billed for time spent at awaits
+ in orchestrator functions.apply demand shaping techinques where possible (dev environments?)
+ https://github.com/Azure-Samples/functions-csharp-premium-scaler
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 9f89dc7b-44be-43b1-a27f-8b9e91be1f38
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-ReuseConnectionsFunctions.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-ReuseConnectionsFunctions.yaml
new file mode 100644
index 000000000..59b83f838
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-ReuseConnectionsFunctions.yaml
@@ -0,0 +1,17 @@
+name: revcl-ReuseConnectionsFunctions
+title: Functions - Reuse connections
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: cc881470-607c-41cc-a0e6-14658dd458e9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create
+- type: docs
+ url: https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-SeparateConsumptionPlanHigherPlan.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-SeparateConsumptionPlanHigherPlan.yaml
new file mode 100644
index 000000000..36b445312
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-SeparateConsumptionPlanHigherPlan.yaml
@@ -0,0 +1,17 @@
+name: revcl-SeparateConsumptionPlanHigherPlan
+title: When using autoscale with different functions, there might be one driving all
+ the autoscale for all the resources - consider moving it to a separate consumption
+ plan (and consider higher plan for CPU)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 359c363e-7dd6-4162-9a36-4a907ebae38e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-SingleZipFileColdStarts.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-SingleZipFileColdStarts.yaml
new file mode 100644
index 000000000..3c2d69cc0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/revcl-SingleZipFileColdStarts.yaml
@@ -0,0 +1,21 @@
+name: revcl-SingleZipFileColdStarts
+title: Functions - Cold starts-Use the 'Run from package' functionality. This way,
+ the code is downloaded as a single zip file. This can, for example, result in significant
+ improvements with Javascript functions, which have a lot of node modules.Use language
+ specific tools to reduce the package size, for example, tree shaking Javascript
+ applications.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 4722d928-c1b1-4cd5-81e5-4a29b9de39ac
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/configure-network-watcher/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanAzureMonitor.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanAzureMonitor.yaml
new file mode 100644
index 000000000..20356bcfc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanAzureMonitor.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AppServicePlanAzureMonitor
+title: (App Service plan) Scale in when demand decreases. To scale in, define scale
+ rules to reduce the number of instances in Azure Monitor.
+description: Prevent wastage and reduce unnecessary expenses.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: a14a3b78-26d3-4159-975b-df8e82c9590e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanLowerEnvironments.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanLowerEnvironments.yaml
new file mode 100644
index 000000000..d9a0ac424
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanLowerEnvironments.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AppServicePlanLowerEnvironments
+title: (App Service plan) Choose Free or Basic tiers for lower environments. We recommend
+ these tiers for experimental use. Remove the tiers when you no longer need them.
+description: The Free and Basic tiers are budget-friendly compared to higher tiers.
+ They provide a cost-effective solution for nonproduction environments that don't
+ need the full features and performance of premium plans.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: dc84dbbc-6816-48ae-9926-e52e68d4273e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanPremiumVTier.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanPremiumVTier.yaml
new file mode 100644
index 000000000..c2427f941
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlanPremiumVTier.yaml
@@ -0,0 +1,20 @@
+name: wafsg-AppServicePlanPremiumVTier
+title: '(App Service plan) Take advantage of discounts and explore preferred pricing
+ for: - Lower environments with dev/test plans. - Azure reservations and Azure
+ savings plans for dedicated compute that you provision in the Premium V3 tier and
+ App Service Environment. Use reserved instances for stable workloads that have
+ predictable usage patterns.'
+description: Dev/test plans provide reduced rates for Azure services, which makes
+ them cost-effective for nonproduction environments. Use reserved instances to prepay
+ for compute resources and get significant discounts.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 1572941a-e08a-4d0c-bae6-5af048bbcc2a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlansMultipleApplications.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlansMultipleApplications.yaml
new file mode 100644
index 000000000..979c68178
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-AppServicePlansMultipleApplications.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AppServicePlansMultipleApplications
+title: 'Consider the tradeoffs between density and isolation: You can use App Service
+ plans to host multiple applications on the same compute, which saves costs with
+ shared environments. For more information, see Tradeoffs.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 66723d3b-34de-4f55-8861-299453c5b6d8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ConsistentUsagePatternDedicatedComputeInstances.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ConsistentUsagePatternDedicatedComputeInstances.yaml
new file mode 100644
index 000000000..2552d93da
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ConsistentUsagePatternDedicatedComputeInstances.yaml
@@ -0,0 +1,19 @@
+name: wafsg-ConsistentUsagePatternDedicatedComputeInstances
+title: 'Evaluate the discounted options: Higher tiers include dedicated compute instances.
+ You can apply a reservation discount if your workload has a predictable and consistent
+ usage pattern. Make sure that you analyze usage data to determine the type of reservation
+ that suits your workload. For more information, see Save costs with App Service
+ reserved instances.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 692ab2db-ff92-44e9-ae54-910c66389e0d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-CostAnalysisToolAppServiceResources.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-CostAnalysisToolAppServiceResources.yaml
new file mode 100644
index 000000000..1b16b0856
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-CostAnalysisToolAppServiceResources.yaml
@@ -0,0 +1,17 @@
+name: wafsg-CostAnalysisToolAppServiceResources
+title: (App Service) Monitor costs that App Service resources incur. Run the cost
+ analysis tool in the Azure portal. Create budgets and alerts to notify stakeholders.
+description: You can identify cost spikes, inefficiencies, or unexpected expenses
+ early on. This proactive approach helps you to provide budgetary controls to prevent
+ overspending.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 83127c0d-df6c-4785-be24-e54d0933118d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-EachAppServiceTierAzurePricingCalculator.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-EachAppServiceTierAzurePricingCalculator.yaml
new file mode 100644
index 000000000..73891b64e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-EachAppServiceTierAzurePricingCalculator.yaml
@@ -0,0 +1,18 @@
+name: wafsg-EachAppServiceTierAzurePricingCalculator
+title: 'Estimate the initial cost: As part of your cost modeling exercise, use the
+ Azure pricing calculator to evaluate the approximate costs associated with various
+ tiers based on the number of instances that you plan to run. Each App Service tier
+ offers different compute options.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 551337b1-cb7a-4f60-870b-331efa943936
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-EnvironmentCostsPreProductionEnvironments.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-EnvironmentCostsPreProductionEnvironments.yaml
new file mode 100644
index 000000000..3704d2d37
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-EnvironmentCostsPreProductionEnvironments.yaml
@@ -0,0 +1,18 @@
+name: wafsg-EnvironmentCostsPreProductionEnvironments
+title: 'Optimize environment costs: Consider the Basic or Free tier to run pre-production
+ environments. These tiers are low performance and low cost. If you use the Basic
+ or Free tier, use governance to enforce the tier, constrain the number of instances
+ and CPUs, restrict scaling, and limit log retention.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 4e2a03a6-ff51-46c5-902d-3d7161d9c99c
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ExtendedDataRetentionPeriodsExpensiveStorageTiers.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ExtendedDataRetentionPeriodsExpensiveStorageTiers.yaml
new file mode 100644
index 000000000..3f6cfb096
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ExtendedDataRetentionPeriodsExpensiveStorageTiers.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExtendedDataRetentionPeriodsExpensiveStorageTiers
+title: 'Regularly check data-related costs: Extended data retention periods or expensive
+ storage tiers can lead to high storage costs. More expenses can accumulate due to
+ both bandwidth usage and prolonged retention of logging data.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: b7564349-7885-4f66-89ae-b732adaf29ae
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-GatewayAggregationPatternImplementDesignPatterns.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-GatewayAggregationPatternImplementDesignPatterns.yaml
new file mode 100644
index 000000000..d7d517f49
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-GatewayAggregationPatternImplementDesignPatterns.yaml
@@ -0,0 +1,18 @@
+name: wafsg-GatewayAggregationPatternImplementDesignPatterns
+title: 'Implement design patterns: This strategy reduces the volume of requests that
+ your workload generates. Consider using patterns like the Backends for Frontends
+ pattern and the Gateway Aggregation pattern, which can minimize the number of requests
+ and reduce costs.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 7ce7bbb5-df18-4e4d-86b6-83e25e835457
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-SameComputeEnvironmentProductionInstance.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-SameComputeEnvironmentProductionInstance.yaml
new file mode 100644
index 000000000..2d1c68786
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-SameComputeEnvironmentProductionInstance.yaml
@@ -0,0 +1,18 @@
+name: wafsg-SameComputeEnvironmentProductionInstance
+title: 'Optimize deployment costs: Take advantage of deployment slots to optimize
+ costs. The slot runs in the same compute environment as the production instance.
+ Use them strategically for scenarios like blue-green deployments that switch between
+ slots. This approach minimizes downtime and ensures smooth transitions.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 41026085-4728-4bff-abbe-be08a46e4735
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ScalingStrategyPreciseMaximum.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ScalingStrategyPreciseMaximum.yaml
new file mode 100644
index 000000000..75e2b94bc
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-ScalingStrategyPreciseMaximum.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ScalingStrategyPreciseMaximum
+title: 'Evaluate the effect of your scaling strategy on cost: You must properly design,
+ test, and configure for scaling out and for scaling in when you implement autoscaling.
+ Establish precise maximum and minimum limits on autoscaling.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 289a2a9d-eda1-4be4-af63-23d230194724
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-SuboptimalSkuSelectionAppServicePlan.yaml b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-SuboptimalSkuSelectionAppServicePlan.yaml
new file mode 100644
index 000000000..6222d577a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Cost/wafsg-SuboptimalSkuSelectionAppServicePlan.yaml
@@ -0,0 +1,20 @@
+name: wafsg-SuboptimalSkuSelectionAppServicePlan
+title: 'Understand usage meters: Azure charges an hourly rate, prorated to the second,
+ based on your App Service plan''s pricing tier. Charges apply to each scaled-out
+ instance in your plan, based on the time that you allocate the VM instance. Pay
+ attention to underused compute resources that might increase your costs as a result
+ of overallocation due to suboptimal SKU selection, or poorly configured scale-in
+ configuration.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Cost
+severity: 1
+labels:
+ guid: 84808948-46c4-4cd5-aa74-b79826a19b32
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/revcl-LeverageAzureDevopsFunctionAppCode.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/revcl-LeverageAzureDevopsFunctionAppCode.yaml
new file mode 100644
index 000000000..3454b8ad6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/revcl-LeverageAzureDevopsFunctionAppCode.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAzureDevopsFunctionAppCode
+title: Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function
+ App code
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: bb42650c-257d-4cb0-822a-131138b8e6f0
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/
+queries: {}
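Review bot: The `url:` on the line above carries a locale segment (`/en-us/`) while the sibling file revcl-LeverageAzureDevopsLogicAppCode-1 references the same page in the locale-neutral form `https://learn.microsoft.com/training/modules/deploy-azure-functions/`, which is also the form every other link in this change uses. Normalizing to `url: https://learn.microsoft.com/training/modules/deploy-azure-functions/` keeps the data consistent and lets the site serve the reader's own language.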
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/revcl-LeverageAzureDevopsLogicAppCode-1.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/revcl-LeverageAzureDevopsLogicAppCode-1.yaml
new file mode 100644
index 000000000..e0f3d8d14
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/revcl-LeverageAzureDevopsLogicAppCode-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAzureDevopsLogicAppCode-1
+title: Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic
+ App code
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: 74275fa5-9e08-4c7e-b096-13b538fe1501
+links:
+- type: docs
+ url: https://learn.microsoft.com/training/modules/deploy-azure-functions/
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServicePlanAppChanges.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServicePlanAppChanges.yaml
new file mode 100644
index 000000000..4e9823b83
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServicePlanAppChanges.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AppServicePlanAppChanges
+title: (App Service plan) Validate app changes in the staging slot before you swap
+ it with the production slot.
+description: Avoid downtime and errors. Quickly revert to the last-known good state
+ if you detect a problem after a swap.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: 02d5a8b1-6038-49c3-96b1-87ac56064269
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServiceResourceProviderCertificationManagement.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServiceResourceProviderCertificationManagement.yaml
new file mode 100644
index 000000000..90452027f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServiceResourceProviderCertificationManagement.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AppServiceResourceProviderCertificationManagement
+title: (App Service) Take advantage of App Service managed certificates to offload
+ certification management to Azure.
+description: App Service automatically handles processes like certificate procurement,
+ certificate verification, certificate renewal, and importing certificates from Key
+ Vault. Alternatively, upload your certificate to Key Vault and authorize the App
+ Service resource provider to access it.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: 471061e9-3f5f-43a3-a861-79108871cf91
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServiceWebAppDeploymentStampsPattern.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServiceWebAppDeploymentStampsPattern.yaml
new file mode 100644
index 000000000..9a12e07cd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AppServiceWebAppDeploymentStampsPattern.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AppServiceWebAppDeploymentStampsPattern
+title: 'Deploy immutable units: Implement the Deployment Stamps pattern to compartmentalize
+ App Service into an immutable stamp. App Service supports the use of containers,
+ which are inherently immutable. Consider custom containers for your App Service
+ web app.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: 669390a7-ea5f-4e73-ba58-bf3606702be1
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AzureLoadTestingAutomatedTests.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AzureLoadTestingAutomatedTests.yaml
new file mode 100644
index 000000000..080831752
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-AzureLoadTestingAutomatedTests.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureLoadTestingAutomatedTests
+title: 'Run automated tests: Before you promote a release of your web app, thoroughly
+ test its performance, functionality, and integration with other components. Use
+ Azure Load Testing, which integrates with Apache JMeter, a popular tool for performance
+ testing. Explore automated tools for other types of testing, such as Phantom for
+ functional testing.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: a4224cce-1a82-4c9e-a488-86bb6b215a39
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-CustomDomainsTlsCertificates.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-CustomDomainsTlsCertificates.yaml
new file mode 100644
index 000000000..d908b748c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-CustomDomainsTlsCertificates.yaml
@@ -0,0 +1,15 @@
+name: wafsg-CustomDomainsTlsCertificates
+title: 'Manage certificates: For custom domains, you need to manage TLS certificates.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: dc4ab7a7-f32b-44e3-a2e5-830459d5359a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-FrequentLoggingStorageCosts.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-FrequentLoggingStorageCosts.yaml
new file mode 100644
index 000000000..b613f624b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-FrequentLoggingStorageCosts.yaml
@@ -0,0 +1,20 @@
+name: wafsg-FrequentLoggingStorageCosts
+title: '(App Service) Enable diagnostics logs for the application and the instance. Frequent
+ logging can slow down the performance of the system, add to storage costs, and introduce
+ risk if you have unsecure access to logs. Follow these best practices: - Log the
+ right level of information. - Set retention policies. - Keep an audit trail of
+ authorized access and unauthorized attempts. - Treat logs as data and apply data-protection
+ controls.'
+description: Diagnostic logs provide valuable insights into your app's behavior. Monitor
+ traffic patterns and identify anomalies.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: 306767a6-b162-4b64-91a0-091a3d3b37cb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-InstanceHealthProbesHealthProbeRequests.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-InstanceHealthProbesHealthProbeRequests.yaml
new file mode 100644
index 000000000..13fe0d2d6
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-InstanceHealthProbesHealthProbeRequests.yaml
@@ -0,0 +1,16 @@
+name: wafsg-InstanceHealthProbesHealthProbeRequests
+title: (App Service) Monitor the health of your instances and activate instance health
+ probes. Set up a specific path for handling health probe requests.
+description: You can detect problems promptly and take necessary actions to maintain
+ availability and performance.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: 2bf6f5fc-cc4d-4ae3-98bc-ce4d42fafc32
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-SameVirtualMachineDeploymentSlots.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-SameVirtualMachineDeploymentSlots.yaml
new file mode 100644
index 000000000..3110be2bb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-SameVirtualMachineDeploymentSlots.yaml
@@ -0,0 +1,19 @@
+name: wafsg-SameVirtualMachineDeploymentSlots
+title: 'Manage releases: Use deployment slots to manage releases effectively. You
+ can deploy your application to a slot, perform testing, and validate its functionality.
+ After verification, you can seamlessly move the app to production. This process
+ doesn''t incur extra costs because the slot runs in the same virtual machine (VM)
+ environment as the production instance.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: d4909fdf-867b-43b7-828d-197247a83530
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-SeparateAppServicePlansSeparateInstances.yaml b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-SeparateAppServicePlansSeparateInstances.yaml
new file mode 100644
index 000000000..d0eb0e77f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Operations/wafsg-SeparateAppServicePlansSeparateInstances.yaml
@@ -0,0 +1,18 @@
+name: wafsg-SeparateAppServicePlansSeparateInstances
+title: 'Keep production environments safe: Create separate App Service plans to run
+ production and pre-production environments. Don''t make changes directly in the
+ production environment to ensure stability and reliability. Separate instances allow
+ flexibility in development and testing before you promote changes to production.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Operations
+severity: 1
+labels:
+ guid: 6e19d92c-1d22-486b-81d2-bb3125e74231
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-AdequatePerformanceTestingScalingStrategy.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-AdequatePerformanceTestingScalingStrategy.yaml
new file mode 100644
index 000000000..5bf0d4a72
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-AdequatePerformanceTestingScalingStrategy.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AdequatePerformanceTestingScalingStrategy
+title: 'Optimize your scaling strategy: When possible, use autoscaling instead of
+ manually adjusting the number of instances as application load changes. With autoscaling,
+ App Service adjusts server capacity based on predefined rules or triggers. Make
+ sure you do adequate performance testing and set the right rules for the right triggers.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: 4cb7ff21-66c1-4347-b93c-5c4073b3c4af
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-CacheQueryResultsRepeatedRoundTrips.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-CacheQueryResultsRepeatedRoundTrips.yaml
new file mode 100644
index 000000000..29b9c585a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-CacheQueryResultsRepeatedRoundTrips.yaml
@@ -0,0 +1,19 @@
+name: wafsg-CacheQueryResultsRepeatedRoundTrips
+title: 'Use caching: Retrieving information from a resource that doesn''t change frequently
+ and is expensive to access affects performance. Complex queries, including joins
+ and multiple lookups, contribute to runtime. Perform caching to minimize the processing
+ time and latency. Cache query results to avoid repeated round trips to the database
+ or back end and reduce processing time for subsequent requests.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: 66321b11-3e45-4fa8-9afa-b5f9d6894c28
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-PerformanceIndicatorsKeyIndicators.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-PerformanceIndicatorsKeyIndicators.yaml
new file mode 100644
index 000000000..7333d1e72
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-PerformanceIndicatorsKeyIndicators.yaml
@@ -0,0 +1,18 @@
+name: wafsg-PerformanceIndicatorsKeyIndicators
+title: 'Identify and monitor performance indicators: Set targets for the key indicators
+ for the application, such as the volume of incoming requests, time that the application
+ takes to respond to requests, pending requests, and errors in HTTP responses. Consider
+ key indicators as part of the performance baseline for the workload.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: bebcf697-35e6-4f4d-abce-329e52c87367
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-PremiumVPricingTierRightTier.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-PremiumVPricingTierRightTier.yaml
new file mode 100644
index 000000000..9e33f9477
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-PremiumVPricingTierRightTier.yaml
@@ -0,0 +1,18 @@
+name: wafsg-PremiumVPricingTierRightTier
+title: 'Select the right tier: Use dedicated compute for production workloads. Premium
+ tiers offer larger SKUs with increased memory and CPU capacity, more instances,
+ and more features, such as zone redundancy. For more information, see Premium V3
+ pricing tier.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: 5ae81d49-ba81-423f-b8a2-d7a29a30f349
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-ProtocolEfficiencyDataTransfer.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-ProtocolEfficiencyDataTransfer.yaml
new file mode 100644
index 000000000..818cbb38b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-ProtocolEfficiencyDataTransfer.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ProtocolEfficiencyDataTransfer
+title: Consider using HTTP/2 for applications to improve protocol efficiency.
+description: Choose HTTP/2 over HTTP/1.1 because HTTP/2 fully multiplexes connections,
+ reuses connections to reduce overhead, and compresses headers to minimize data transfer.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: 4b759c59-9b6c-44d9-a7e1-1826948deb4a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-SingleAppServicePlanAppServiceApps.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-SingleAppServicePlanAppServiceApps.yaml
new file mode 100644
index 000000000..055424759
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-SingleAppServicePlanAppServiceApps.yaml
@@ -0,0 +1,16 @@
+name: wafsg-SingleAppServicePlanAppServiceApps
+title: Enable the Always On setting when applications share a single App Service plan.
+ App Service apps automatically unload when idle to save resources. The next request
+ triggers a cold start, which can cause request timeouts.
+description: The application is never unloaded with Always On enabled.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: 225c3a4c-ee57-48b4-99f4-93d4c4884f4d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-VariousUserScenariosUseLoadTesting.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-VariousUserScenariosUseLoadTesting.yaml
new file mode 100644
index 000000000..8fad779d4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-VariousUserScenariosUseLoadTesting.yaml
@@ -0,0 +1,17 @@
+name: wafsg-VariousUserScenariosUseLoadTesting
+title: 'Assess capacity: Simulate various user scenarios to determine the optimal
+ capacity that you need to handle expected traffic. Use Load Testing to understand
+ how your application behaves under different levels of load.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: 26455527-f19a-43ef-adf4-29ed5e966a44
+links: []
+queries: {}
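Review bot: The `timestamp: July 24, 2024` field is a locale-dependent, unsortable date string; consumers that want to know how stale a recommendation is cannot compare or parse it without a natural-language date parser. An ISO 8601 value (`timestamp: 2024-07-24`, same date reformatted) sorts lexically and parses with `date.fromisoformat`, and it avoids month names changing under a non-English locale on the generating machine. The same format is used by every entry sourced from `app-service-web-apps.md` in this diff (L54161, L54681, L54757, L54780, L54827, L54852, L54897, L54920); note also that those entries have `description: ''` with the whole text packed into `title`, while entries from `wafsg_checklist.en.json` split the two, so the two `type: wafsg` provenance shapes are inconsistent and downstream code should not assume `description` is populated.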
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-WebApplicationBusinessRequirements.yaml b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-WebApplicationBusinessRequirements.yaml
new file mode 100644
index 000000000..ba4a9f60e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Performance/wafsg-WebApplicationBusinessRequirements.yaml
@@ -0,0 +1,17 @@
+name: wafsg-WebApplicationBusinessRequirements
+title: 'Review the performance antipatterns: To make sure the web application performs
+ and scales in accordance with your business requirements, avoid the typical antipatterns.
+ Here are some antipatterns that App Service corrects.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Performance
+severity: 1
+labels:
+ guid: 62ea8582-63cb-4ac6-8a73-c800a2a0428a
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceAppRegion.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceAppRegion.yaml
new file mode 100644
index 000000000..877bdfe23
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceAppRegion.yaml
@@ -0,0 +1,16 @@
+name: revcl-AppServiceAppRegion
+title: Familiarize with how to move an App Service app to another region During a
+ disaster
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 2
+labels:
+ guid: bd2a865c-0835-4418-bb58-4df91a5a9b3f
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1-2-3.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1-2-3.yaml
new file mode 100644
index 000000000..7e04d24ad
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment-1-2-3.yaml
@@ -0,0 +1,16 @@
+name: revcl-AppServiceEnvironmentIsolatedEnvironment-1-2-3
+title: If deploying to an Isolated environment, use or migrate to App Service Environment
+ (ASE) v3
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 82118ec5-ed6f-4c68-9471-eb0da98a1b34
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/environment/intro
+queries: {}
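Review bot: This file and L54228 (`revcl-AppServiceEnvironmentIsolatedEnvironment`) carry an identical title with different GUIDs, and the `-1-2-3` suffix reads as a name-collision counter that was appended three times by the generator rather than as a meaningful identifier, which suggests the upstream checklist holds duplicate items that were written out instead of merged. The same pattern appears at L54271/L54293 (`AppServicePlanFunctionApps-1` vs `AppServicePlanFunctionApps`, severity 0 vs 1) and at L54443/L54464 (`CrossRegionDrStrategyCriticalWorkloads-1-2-3-4` vs the plain name, severity 0 vs 1), where the duplicates disagree on severity and the `-1-2-3-4` variant links to a Logic Apps document although the file sits under `microsoft.web/sites`. Consumers that dedupe by title will pick one severity at random; I would either collapse each pair to one reco with the stricter severity or make the generator emit a single stable suffix and report the collision.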
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment.yaml
new file mode 100644
index 000000000..f6e581284
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceEnvironmentIsolatedEnvironment.yaml
@@ -0,0 +1,16 @@
+name: revcl-AppServiceEnvironmentIsolatedEnvironment
+title: If deploying to an Isolated environment, use or migrate to App Service Environment
+ (ASE) v3
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 47a0aae0-d8a0-43b1-9791-e934dee3754c
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/environment/intro
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceInstancesHealthChecks.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceInstancesHealthChecks.yaml
new file mode 100644
index 000000000..c01bbf544
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServiceInstancesHealthChecks.yaml
@@ -0,0 +1,15 @@
+name: revcl-AppServiceInstancesHealthChecks
+title: Monitor App Service instances using Health checks
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServicePlanFunctionApps-1.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServicePlanFunctionApps-1.yaml
new file mode 100644
index 000000000..cfdc09d74
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServicePlanFunctionApps-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-AppServicePlanFunctionApps-1
+title: Ensure 'Always On' is enabled for all Function Apps running on App Service
+ Plan
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 17232891-f89f-4eaa-90f1-3b34bf798ed5
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServicePlanFunctionApps.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServicePlanFunctionApps.yaml
new file mode 100644
index 000000000..e318ee504
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AppServicePlanFunctionApps.yaml
@@ -0,0 +1,15 @@
+name: revcl-AppServicePlanFunctionApps
+title: Ensure "Always On" is enabled for Function Apps running on a app service plan
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-ApplicationInsightsAvailabilityTestsWebApp.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-ApplicationInsightsAvailabilityTestsWebApp.yaml
new file mode 100644
index 000000000..a2aa79c40
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-ApplicationInsightsAvailabilityTestsWebApp.yaml
@@ -0,0 +1,16 @@
+name: revcl-ApplicationInsightsAvailabilityTestsWebApp
+title: Monitor availability and responsiveness of web app or website using Application
+ Insights availability tests
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: c7d3e5f9-a19c-4833-8ca6-1dcb0128e129
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-ApplicationInsightsStandardTestWebApp.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-ApplicationInsightsStandardTestWebApp.yaml
new file mode 100644
index 000000000..7f73ec5e0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-ApplicationInsightsStandardTestWebApp.yaml
@@ -0,0 +1,16 @@
+name: revcl-ApplicationInsightsStandardTestWebApp
+title: Use Application Insights Standard test to monitor availability and responsiveness
+ of web app or website
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 2
+labels:
+ guid: b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceBestPractices.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceBestPractices.yaml
new file mode 100644
index 000000000..06ee2123f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureAppServiceBestPractices
+title: Refer to backup and restore best practices for Azure App Service
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/manage-backup
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceReliabilityBestPractices.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceReliabilityBestPractices.yaml
new file mode 100644
index 000000000..0d700defa
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceReliabilityBestPractices.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureAppServiceReliabilityBestPractices
+title: Implement Azure App Service reliability best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceReliabilitySupport.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceReliabilitySupport.yaml
new file mode 100644
index 000000000..ec4446be2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-AzureAppServiceReliabilitySupport.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureAppServiceReliabilitySupport
+title: Familiarize with reliability support in Azure App Service
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-BaselineHighlyAvailableZoneRedundantWebApplicationArchitectureBestPractices.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-BaselineHighlyAvailableZoneRedundantWebApplicationArchitectureBestPractices.yaml
new file mode 100644
index 000000000..7c90a95db
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-BaselineHighlyAvailableZoneRedundantWebApplicationArchitectureBestPractices.yaml
@@ -0,0 +1,16 @@
+name: revcl-BaselineHighlyAvailableZoneRedundantWebApplicationArchitectureBestPractices
+title: Refer to baseline highly available zone-redundant web application architecture
+ for best practices
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 2
+labels:
+ guid: b32e1aa1-4813-4602-88fe-27ca2891f421
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations
+queries: {}
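Review bot: The link at L54435 carries a `?source=recommendations` tracking query string that has no effect on the page content, so it should be stripped to keep the stored URL stable across regenerations: `url: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant`. A similar case is the L54456 URL, whose `toc`/`bc` parameters only steer the docs site's navigation frame. If the generator copies links verbatim from the checklist JSON, a small normalisation step that drops known tracking or navigation parameters would fix all of these at once.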
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3-4.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3-4.yaml
new file mode 100644
index 000000000..21839c938
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3-4.yaml
@@ -0,0 +1,15 @@
+name: revcl-CrossRegionDrStrategyCriticalWorkloads-1-2-3-4
+title: Consider a Cross-Region DR strategy for critical workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 1cda768f-a206-445d-8234-56f6a6e7286e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads.yaml
new file mode 100644
index 000000000..bd5f373ff
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-CrossRegionDrStrategyCriticalWorkloads.yaml
@@ -0,0 +1,15 @@
+name: revcl-CrossRegionDrStrategyCriticalWorkloads
+title: Consider a Cross-Region DR strategy for critical workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 5969d03e-eacf-4042-b127-73c55e3575fa
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-FunctionAppStorageAccount.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-FunctionAppStorageAccount.yaml
new file mode 100644
index 000000000..069960881
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-FunctionAppStorageAccount.yaml
@@ -0,0 +1,16 @@
+name: revcl-FunctionAppStorageAccount
+title: Pair a Function App to its own storage account. Try not to re-use storage accounts
+ for Function Apps unless they are tightly coupled
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 40a325c2-7c0e-49e6-86d8-c273b4dc21ba
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-HealthChecksImplement.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-HealthChecksImplement.yaml
new file mode 100644
index 000000000..b58156969
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-HealthChecksImplement.yaml
@@ -0,0 +1,15 @@
+name: revcl-HealthChecksImplement
+title: Implement health checks
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LeverageAvailabilityZonesConsumptionTier.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LeverageAvailabilityZonesConsumptionTier.yaml
new file mode 100644
index 000000000..e1870e773
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LeverageAvailabilityZonesConsumptionTier.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAvailabilityZonesConsumptionTier
+title: Leverage Availability Zones where regionally applicable (not available for
+ Consumption tier)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: a9808100-d640-4f77-ac56-1ec0600f6752
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LeverageAvailabilityZonesPremiumV.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LeverageAvailabilityZonesPremiumV.yaml
new file mode 100644
index 000000000..da20d248b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LeverageAvailabilityZonesPremiumV.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAvailabilityZonesPremiumV
+title: Leverage Availability Zones where regionally applicable (requires Premium v2
+ or v3 tier)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: a7e2e6c2-491f-4fa4-a82b-521d0bc3b202
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LogicAppsRegionFailures-1.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LogicAppsRegionFailures-1.yaml
new file mode 100644
index 000000000..4405b0ee8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-LogicAppsRegionFailures-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-LogicAppsRegionFailures-1
+title: Protect logic apps from region failures with zone redundancy and availability
+ zones
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-RightFunctionHostingPlanSloRequirements.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-RightFunctionHostingPlanSloRequirements.yaml
new file mode 100644
index 000000000..34a1bbccb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-RightFunctionHostingPlanSloRequirements.yaml
@@ -0,0 +1,15 @@
+name: revcl-RightFunctionHostingPlanSloRequirements
+title: Select the right Function hosting plan based on your business & SLO requirements
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 4238f409-2ea0-43be-a06b-2a993c98aa7b
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-RightLogicAppHostingPlanSloRequirements-1.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-RightLogicAppHostingPlanSloRequirements-1.yaml
new file mode 100644
index 000000000..a670d2869
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-RightLogicAppHostingPlanSloRequirements-1.yaml
@@ -0,0 +1,15 @@
+name: revcl-RightLogicAppHostingPlanSloRequirements-1
+title: Select the right Logic App hosting plan based on your business & SLO requirements
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 0
+labels:
+ guid: 3b7a56de-5020-4642-b3cb-c976e80b6d6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-UsePremiumStagingSlots.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-UsePremiumStagingSlots.yaml
new file mode 100644
index 000000000..5263a241f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/revcl-UsePremiumStagingSlots.yaml
@@ -0,0 +1,16 @@
+name: revcl-UsePremiumStagingSlots
+title: Use Premium and Standard tiers. These tiers support staging slots and automated
+ backups.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanOverviewPremiumAppServicePlan.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanOverviewPremiumAppServicePlan.yaml
new file mode 100644
index 000000000..17ee05eca
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanOverviewPremiumAppServicePlan.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AppServicePlanOverviewPremiumAppServicePlan
+title: (App Service plan) Choose the Premium tier of an App Service plan for production
+ workloads. Set the maximum and minimum number of workers according to your capacity
+ planning. For more information, see App Service plan overview.
+description: A premium App Service plan offers advanced scaling features and ensures
+ redundancy if failures occur.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 9ba4ebdd-a039-47e8-bff9-884e1852a030
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanUserFlowDesign.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanUserFlowDesign.yaml
new file mode 100644
index 000000000..f79920821
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanUserFlowDesign.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AppServicePlanUserFlowDesign
+title: 'Prioritize user flows: Not all flows are equally critical. Assign priorities
+ to each flow to guide your design decisions. User flow design can influence which
+ service tiers and number of instances that you choose for an App Service plan and
+ configuration.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: e545b2de-84e1-4c41-81a6-46914c8e72cf
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanZoneRedundancy.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanZoneRedundancy.yaml
new file mode 100644
index 000000000..74723d7ad
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AppServicePlanZoneRedundancy.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AppServicePlanZoneRedundancy
+title: (App Service plan) Enable zone redundancy. Consider provisioning more than
+ three instances to enhance fault tolerance. Check regional support for zone redundancy
+ because not all regions offer this feature.
+description: Your application can withstand failures in a single zone when multiple
+ instances are spread across zones. Traffic automatically shifts to healthy instances
+ in other zones and maintains application reliability if one zone is unavailable.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: f6d4a1ff-bf30-4477-823d-b2163667a87d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-ApplicationRequestRoutingOtherHealthyNodes.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-ApplicationRequestRoutingOtherHealthyNodes.yaml
new file mode 100644
index 000000000..a6c4662c2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-ApplicationRequestRoutingOtherHealthyNodes.yaml
@@ -0,0 +1,22 @@
+name: wafsg-ApplicationRequestRoutingOtherHealthyNodes
+title: (App Service) Consider disabling the application request routing (ARR) affinity
+ feature. ARR affinity creates sticky sessions that redirect users to the node that
+ handled their previous requests.
+description: Incoming requests are evenly distributed across all available nodes when
+ you disable ARR affinity. Evenly distributed requests prevent traffic from overwhelming
+ any single node. Requests can be seamlessly redirected to other healthy nodes if
+ a node is unavailable. Avoid session affinity to ensure that your App Service instance
+ remains stateless. A stateless App Service reduces complexity and ensures consistent
+ behavior across nodes. Remove sticky sessions so that App Service can add or remove
+ instances to scale horizontally.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 784f255c-4436-47c2-a1fc-65de9b5de39e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomatedRecoveryOperationsConductReliabilityTesting.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomatedRecoveryOperationsConductReliabilityTesting.yaml
new file mode 100644
index 000000000..42c7f4ea8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomatedRecoveryOperationsConductReliabilityTesting.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AutomatedRecoveryOperationsConductReliabilityTesting
+title: 'Conduct reliability testing: Conduct load testing to evaluate your application''s
+ reliability and performance under load. Test plans should include scenarios that
+ validate your automated recovery operations.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 04ae0e82-112b-4433-8a90-273a5684b328
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomaticHealingCapabilitiesAutomaticRepair.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomaticHealingCapabilitiesAutomaticRepair.yaml
new file mode 100644
index 000000000..d0c8d8e67
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomaticHealingCapabilitiesAutomaticRepair.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AutomaticHealingCapabilitiesAutomaticRepair
+title: 'Plan your recoverability: Redundancy is crucial for business continuity. Fail
+ over to another instance if one instance is unreachable. Explore automatic healing
+ capabilities in App Service, such as automatic repair of instances.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: bc69b314-43db-4c70-8b68-fcaf3b01137e
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomaticProactiveMaintenanceAutomaticHealingRules.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomaticProactiveMaintenanceAutomaticHealingRules.yaml
new file mode 100644
index 000000000..d0e0080ea
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AutomaticProactiveMaintenanceAutomaticHealingRules.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AutomaticProactiveMaintenanceAutomaticHealingRules
+title: (App Service) Define automatic healing rules based on request count, slow requests,
+ memory limits, and other indicators that are part of your performance baseline.
+ Consider this configuration as part of your scaling strategy.
+description: Automatic healing rules help your application recover automatically from
+ unexpected problems. The configured rules trigger healing actions when thresholds
+ are breached. Automatic healing enables automatic proactive maintenance.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 152ed4b6-dba0-4737-92c1-441704fbfe83
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AvailabilityZonesFaultTolerance.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AvailabilityZonesFaultTolerance.yaml
new file mode 100644
index 000000000..ac15346b3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-AvailabilityZonesFaultTolerance.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AvailabilityZonesFaultTolerance
+title: 'Build redundancy: Build redundancy in the application and supporting infrastructure.
+ Spread instances across availability zones to improve fault tolerance. Traffic is
+ routed to other zones if one zone fails. Deploy your application across multiple
+ regions to ensure that your app remains available, even if an entire region experiences
+ an outage.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 87816451-1e4f-42f0-a497-753b966193b0
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-FailureModeAnalysisPotentialFailures.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-FailureModeAnalysisPotentialFailures.yaml
new file mode 100644
index 000000000..8127b0e39
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-FailureModeAnalysisPotentialFailures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-FailureModeAnalysisPotentialFailures
+title: 'Anticipate potential failures: Plan mitigation strategies for potential failures.
+ The following table shows examples of failure mode analysis.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: f5e1c56f-e3a8-4dbd-b235-fdb88c41216d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-HealthCheckFeatureHealthCheckRequests.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-HealthCheckFeatureHealthCheckRequests.yaml
new file mode 100644
index 000000000..fcf092dad
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-HealthCheckFeatureHealthCheckRequests.yaml
@@ -0,0 +1,17 @@
+name: wafsg-HealthCheckFeatureHealthCheckRequests
+title: (App Service) Enable the health check feature and provide a path that responds
+ to the health check requests.
+description: Health checks can detect problems early. Then the system can automatically
+ take corrective actions when a health check request fails. The load balancer routes
+ traffic away from unhealthy instances, which directs users to healthy nodes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 874fa451-0ef2-4638-8cfd-c07cef131d7f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-HealthProbesUnresponsiveWorkers.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-HealthProbesUnresponsiveWorkers.yaml
new file mode 100644
index 000000000..bd65259f2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-HealthProbesUnresponsiveWorkers.yaml
@@ -0,0 +1,17 @@
+name: wafsg-HealthProbesUnresponsiveWorkers
+title: 'Use health probes to identify unresponsive workers: App Service has built-in
+ capabilities that periodically ping a specific path of your web application. Unresponsive
+ instances are removed from the load balancer and replaced with a new instance.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: 10e2e605-ef6e-4f70-a77f-15ba305c15d7
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-ReliableScalingStrategyRightScalingApproach.yaml b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-ReliableScalingStrategyRightScalingApproach.yaml
new file mode 100644
index 000000000..392878810
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Reliability/wafsg-ReliableScalingStrategyRightScalingApproach.yaml
@@ -0,0 +1,20 @@
+name: wafsg-ReliableScalingStrategyRightScalingApproach
+title: 'Have a reliable scaling strategy: Unexpected load on an application can make
+ it unreliable. Consider the right scaling approach based on your workload characteristics.
+ You can sometimes scale up to handle the load. However, if the load continues to
+ increase, scale out to new instances. Prefer automatic scaling over manual approaches.
+ Always maintain a buffer of extra capacity during scaling operations to prevent
+ performance degradation.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Reliability
+severity: 1
+labels:
+ guid: e03792ee-d7db-4ec3-8596-9d77baf09f8f
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceAccessRestrictionsDifferentAccessRestrictions.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceAccessRestrictionsDifferentAccessRestrictions.yaml
new file mode 100644
index 000000000..93341deb1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceAccessRestrictionsDifferentAccessRestrictions.yaml
@@ -0,0 +1,18 @@
+name: revcl-AppServiceAccessRestrictionsDifferentAccessRestrictions
+title: Inbound network access should be controlled
+description: Control inbound network access using a combination of App Service Access
+ Restrictions, Service Endpoints or Private Endpoints. Different access restrictions
+ can be required and configured for the web app itself and the SCM site.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 0725769e-e669-41a4-a34a-c932223ece80
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceActivityLogsAppServiceResource.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceActivityLogsAppServiceResource.yaml
new file mode 100644
index 000000000..e1aa16372
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceActivityLogsAppServiceResource.yaml
@@ -0,0 +1,18 @@
+name: revcl-AppServiceActivityLogsAppServiceResource
+title: Send App Service activity logs to Log Analytics
+description: Set up a diagnostic setting to send the activity log to Log Analytics
+ as the central destination for logging and monitoring. This allows you to monitor
+ control plane activity on the App Service resource itself.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: ee72734b-475b-4a18-bdbf-590ce65de8e0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceKeyVaultReferencesAzureKeyVault.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceKeyVaultReferencesAzureKeyVault.yaml
new file mode 100644
index 000000000..c21a7bd8f
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceKeyVaultReferencesAzureKeyVault.yaml
@@ -0,0 +1,18 @@
+name: revcl-AppServiceKeyVaultReferencesAzureKeyVault
+title: Use Key Vault to store secrets
+description: Use Azure Key Vault to store any secrets the application needs. Key
+ Vault provides a safe and audited environment for storing secrets and is well-integrated
+ with App Service through the Key Vault SDK or App Service Key Vault References.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 834ac932-223e-4ce8-8b12-3071a5416415
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/app-service-key-vault-references
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceKeyVaultReferencesKeyVaultSdk.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceKeyVaultReferencesKeyVaultSdk.yaml
new file mode 100644
index 000000000..b9e23409c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceKeyVaultReferencesKeyVaultSdk.yaml
@@ -0,0 +1,17 @@
+name: revcl-AppServiceKeyVaultReferencesKeyVaultSdk
+title: Use Managed Identity to connect to Key Vault
+description: Use a Managed Identity to connect to Key Vault either using the Key Vault
+ SDK or through App Service Key Vault References.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 833ea3ad-2c2d-4e73-8165-c3acbef4abe1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/app-service-key-vault-references
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceRuntimeLogsRuntimeActivity.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceRuntimeLogsRuntimeActivity.yaml
new file mode 100644
index 000000000..5dd900014
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceRuntimeLogsRuntimeActivity.yaml
@@ -0,0 +1,19 @@
+name: revcl-AppServiceRuntimeLogsRuntimeActivity
+title: Send App Service runtime logs to Log Analytics
+description: By configuring the diagnostic settings of App Service, you can send all
+ telemetry to Log Analytics as the central destination for logging and monitoring.
+ This allows you to monitor runtime activity of App Service such as HTTP logs, application
+ logs, platform logs, ...
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 47768314-c115-4775-a2ea-55b46ad48408
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceTlsCertificateKeyVault.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceTlsCertificateKeyVault.yaml
new file mode 100644
index 000000000..a21bc7e0e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AppServiceTlsCertificateKeyVault.yaml
@@ -0,0 +1,16 @@
+name: revcl-AppServiceTlsCertificateKeyVault
+title: Use Key Vault to store TLS certificate.
+description: Store the App Service TLS certificate in Key Vault.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: f8d39fda-4776-4831-9c11-5775c2ea55b4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/configure-ssl-certificate
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AuthenticatedWebApplicationAzureAdBC.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AuthenticatedWebApplicationAzureAdBC.yaml
new file mode 100644
index 000000000..ec030cae1
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AuthenticatedWebApplicationAzureAdBC.yaml
@@ -0,0 +1,19 @@
+name: revcl-AuthenticatedWebApplicationAzureAdBC
+title: Use an established Identity Provider for authentication
+description: For authenticated web application, use a well established Identity Provider
+ like Azure AD or Azure AD B2C. Leverage the application framework of your choice
+ to integrate with this provider or use the App Service Authentication / Authorization
+ feature.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 919ca0b2-c121-459e-814b-933df574eccc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/overview-authentication-authorization
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureAdCredentialsBasicAuthentication.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureAdCredentialsBasicAuthentication.yaml
new file mode 100644
index 000000000..f04e76b6d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureAdCredentialsBasicAuthentication.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureAdCredentialsBasicAuthentication
+title: Disable basic authentication
+description: Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This
+ disables access to these services and enforces the use of Azure AD secured endpoints
+ for deployment. Note that the SCM site can also be opened using Azure AD credentials.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 5d04c2c3-919c-4a0b-8c12-159e114b933d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureContainerRegistryManagedIdentity.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureContainerRegistryManagedIdentity.yaml
new file mode 100644
index 000000000..1193f3b82
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureContainerRegistryManagedIdentity.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureContainerRegistryManagedIdentity
+title: Pull containers using a Managed Identity
+description: Where using images stored in Azure Container Registry, pull these using
+ a Managed Identity.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: d9a25827-18d2-4ddb-8072-5769ee6691a4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureContainerRegistryVirtualNetwork.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureContainerRegistryVirtualNetwork.yaml
new file mode 100644
index 000000000..58e209178
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-AzureContainerRegistryVirtualNetwork.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureContainerRegistryVirtualNetwork
+title: Pull containers over a Virtual Network
+description: Where using images stored in Azure Container Registry, pull these over
+ a virtual network from Azure Container Registry using its private endpoint and the
+ app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 2c2de732-165c-43ac-aef4-abe1f8d39fda
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-CorsConfigurationWildcards.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-CorsConfigurationWildcards.yaml
new file mode 100644
index 000000000..2a1d85939
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-CorsConfigurationWildcards.yaml
@@ -0,0 +1,18 @@
+name: revcl-CorsConfigurationWildcards
+title: Wildcards must not be used for CORS
+description: Do not use wildcards in your CORS configuration, as this allows all origins
+ to access the service (thereby defeating the purpose of CORS). Specifically only
+ allow the origins that you expect to be able to access the service.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 68266abc-a264-4f9a-89ae-d9c55d04c2c3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-DevopsDeploymentPipelineTrustedEnvironment.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-DevopsDeploymentPipelineTrustedEnvironment.yaml
new file mode 100644
index 000000000..dbfdc2ddb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-DevopsDeploymentPipelineTrustedEnvironment.yaml
@@ -0,0 +1,18 @@
+name: revcl-DevopsDeploymentPipelineTrustedEnvironment
+title: Deploy from a trusted environment
+description: Deploy code to App Service from a controlled and trusted environment,
+ like a well-managed and secured DevOps deployment pipeline. This avoids code that
+ was not version controlled and verified to be deployed from a malicious host.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/deploy-best-practices
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-HttpStrictTransportSecurityAppService.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-HttpStrictTransportSecurityAppService.yaml
new file mode 100644
index 000000000..f62c577ee
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-HttpStrictTransportSecurityAppService.yaml
@@ -0,0 +1,21 @@
+name: revcl-HttpStrictTransportSecurityAppService
+title: Use HTTPS only
+description: Configure App Service to use HTTPS only. This causes App Service to
+ redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport
+ Security (HSTS) in your code or from your WAF, which informs browsers that the site
+ should only be accessed using HTTPS.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 475ba18f-dbf5-490c-b65d-e8e03f9bcbd4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https
+queries:
+ arg: where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux'
+ )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant
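Review bot: The `kind` filter in the `arg` query on the last two lines only matches `'app'` and `'app,linux'`, so sites with other kind values (a Linux container app is reported with a kind such as `app,linux,container`) drop out of the result set and are never reported as non-compliant rather than failing the check. Since the recommendation's `resourceTypes` is `microsoft.web/sites` as a whole, a broader match such as `where type=='microsoft.web/sites' and kind startswith 'app'` would keep the HTTPS-only check from silently skipping those sites; confirm the exact kind values against the resources you expect to cover. This YAML appears to be generated from `./checklists/waf_checklist.en.json`, so the fix belongs in that source file.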
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-IntelligentDdosStandardCapabilitiesDdosProtectionStandard.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-IntelligentDdosStandardCapabilitiesDdosProtectionStandard.yaml
new file mode 100644
index 000000000..18ba78c46
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-IntelligentDdosStandardCapabilitiesDdosProtectionStandard.yaml
@@ -0,0 +1,20 @@
+name: revcl-IntelligentDdosStandardCapabilitiesDdosProtectionStandard
+title: Enable DDOS Protection Standard on the WAF VNet
+description: Azure provides DDoS Basic protection on its network, which can be improved
+ with intelligent DDoS Standard capabilities which learns about normal traffic patterns
+ and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it
+ must be configured for the network resource in front of the app, such as Application
+ Gateway or an NVA.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 223ece80-b123-4071-a541-6415833ea3ad
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-LatestVersionsDatePlatforms-1.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-LatestVersionsDatePlatforms-1.yaml
new file mode 100644
index 000000000..81b5cb6d4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-LatestVersionsDatePlatforms-1.yaml
@@ -0,0 +1,17 @@
+name: revcl-LatestVersionsDatePlatforms-1
+title: Use up-to-date platforms, languages, protocols and frameworks
+description: Use the latest versions of supported platforms, programming languages,
+ protocols, and frameworks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 114b933d-f574-4ecc-ad9b-d3bafcda3b54
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MaliciousInboundTrafficWebApplicationFirewall.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MaliciousInboundTrafficWebApplicationFirewall.yaml
new file mode 100644
index 000000000..b1222b36c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MaliciousInboundTrafficWebApplicationFirewall.yaml
@@ -0,0 +1,17 @@
+name: revcl-MaliciousInboundTrafficWebApplicationFirewall
+title: Use a WAF in front of App Service
+description: Protect against malicious inbound traffic using a Web Application Firewall
+ like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: b123071a-5416-4415-a33e-a3ad2c2de732
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MaliciousIpAddressesAppService.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MaliciousIpAddressesAppService.yaml
new file mode 100644
index 000000000..8b163d372
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MaliciousIpAddressesAppService.yaml
@@ -0,0 +1,18 @@
+name: revcl-MaliciousIpAddressesAppService
+title: Enable Defender for Cloud - Defender for App Service
+description: Enable Defender for App Service. This (amongst other threats) detects
+ communications to known malicious IP addresses. Review the recommendations from
+ Defender for App Service as part of your operations.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 18d2ddb1-0725-4769-be66-91a4834ac932
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ManagedIdentityAzureAd.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ManagedIdentityAzureAd.yaml
new file mode 100644
index 000000000..7c50c2021
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ManagedIdentityAzureAd.yaml
@@ -0,0 +1,18 @@
+name: revcl-ManagedIdentityAzureAd
+title: Use Managed Identity to connect to resources
+description: Where possible use Managed Identity to connect to Azure AD secured resources. If
+ this is not possible, store secrets in Key Vault and connect to Key Vault using
+ a Managed Identity instead.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: f574eccc-d9bd-43ba-bcda-3b54eb2eb03d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MinimumTlsPolicyAppServiceConfiguration.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MinimumTlsPolicyAppServiceConfiguration.yaml
new file mode 100644
index 000000000..61d73d70d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-MinimumTlsPolicyAppServiceConfiguration.yaml
@@ -0,0 +1,18 @@
+name: revcl-MinimumTlsPolicyAppServiceConfiguration
+title: Set minimum TLS policy to 1.2
+description: Set minimum TLS policy to 1.2 in App Service configuration.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: c115775c-2ea5-45b4-9ad4-8408ee72734b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions
+queries:
+ arg: appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant
+ = (properties.MinTlsVersion>=1.2) | distinct id,compliant
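Review bot: The `arg` query compares `properties.MinTlsVersion` numerically (`>=1.2`), but if the config stores the minimum TLS version as a string (which is how it appears in the portal and ARM, e.g. `"1.2"`), a string-to-number comparison in KQL does not evaluate to true and every row is reported as non-compliant or null, which makes the check look like a blanket failure rather than a real finding. Converting first, `extend compliant = (todouble(properties.MinTlsVersion) >= 1.2)`, makes the comparison explicit; also verify the property name's casing against the actual `microsoft.web/sites/config` payload, since the other queries in this directory use lower-camel-case names like `httpsOnly`. The YAML appears to be generated from `./checklists/waf_checklist.en.json`, so the change should be made there.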
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-OutboundNetworkAccessRegionalVnetIntegration.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-OutboundNetworkAccessRegionalVnetIntegration.yaml
new file mode 100644
index 000000000..95d63acbe
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-OutboundNetworkAccessRegionalVnetIntegration.yaml
@@ -0,0 +1,18 @@
+name: revcl-OutboundNetworkAccessRegionalVnetIntegration
+title: Outbound network access should be controlled
+description: Control outbound network access using a combination of regional VNet
+ integration, network security groups and UDR's. Traffic should be routed to an
+ NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: c12159e1-14b9-433d-b574-ecccd9bd3baf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/overview-vnet-integration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-PenetrationTestingRulesWebApplication.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-PenetrationTestingRulesWebApplication.yaml
new file mode 100644
index 000000000..c440d72e4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-PenetrationTestingRulesWebApplication.yaml
@@ -0,0 +1,17 @@
+name: revcl-PenetrationTestingRulesWebApplication
+title: Conduct a penetration test
+description: Conduct a penetration test on the web application following the penetration
+ testing rules of engagement.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: eb2eb03d-d9a2-4582-918d-2ddb10725769
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/security/fundamentals/pen-testing
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-RemoteDebuggingAdditionalPorts.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-RemoteDebuggingAdditionalPorts.yaml
new file mode 100644
index 000000000..dd5b32287
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-RemoteDebuggingAdditionalPorts.yaml
@@ -0,0 +1,20 @@
+name: revcl-RemoteDebuggingAdditionalPorts
+title: Turn off remote debugging
+description: Remote debugging must not be turned on in production as this opens additional
+ ports on the service which increases the attack surface. Note that the service does
+ turn of remote debugging automatically after 48 hours.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: d9bd3baf-cda3-4b54-bb2e-b03dd9a25827
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings
+queries:
+ arg: appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant
+ = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant
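Review bot: The description has a typo, `turn of remote debugging` should read `turns off remote debugging`, and since this file is generated the wording should be corrected in `./checklists/waf_checklist.en.json` rather than here. The `arg` query itself reads as intended: `properties.RemoteDebuggingEnabled == false` is a boolean comparison, so unlike the TLS-version query in this series it does not depend on a string-to-number coercion.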
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-SensitiveDataLocalDisk.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-SensitiveDataLocalDisk.yaml
new file mode 100644
index 000000000..61aa6d08d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-SensitiveDataLocalDisk.yaml
@@ -0,0 +1,17 @@
+name: revcl-SensitiveDataLocalDisk
+title: Do not store sensitive data on local disk
+description: 'Local disks on App Service are not encrypted and sensitive data should
+ not be stored on those. (For example: D:\\Local and %TMP%).'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: e65de8e0-3f9b-4cbd-9682-66abca264f9a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-SeparateAppServicePlansAppServiceEnvironments.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-SeparateAppServicePlansAppServiceEnvironments.yaml
new file mode 100644
index 000000000..9f9847dd2
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-SeparateAppServicePlansAppServiceEnvironments.yaml
@@ -0,0 +1,18 @@
+name: revcl-SeparateAppServicePlansAppServiceEnvironments
+title: Isolate systems that process sensitive information
+description: Systems that process sensitive information should be isolated. To do
+ so, use separate App Service Plans or App Service Environments and consider the
+ use of different subscriptions or management groups.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 6ad48408-ee72-4734-a475-ba18fdbf590c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/overview-hosting-plans
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ServiceEndpointsPrivateEndpoints.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ServiceEndpointsPrivateEndpoints.yaml
new file mode 100644
index 000000000..67d44ed8e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ServiceEndpointsPrivateEndpoints.yaml
@@ -0,0 +1,17 @@
+name: revcl-ServiceEndpointsPrivateEndpoints
+title: Avoid for WAF to be bypassed
+description: Make sure the WAF cannot be bypassed by locking down access to only the
+ WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 0
+labels:
+ guid: 165c3acb-ef4a-4be1-b8d3-9fda47768314
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-StableOutboundIpRangeVnetNatGateway.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-StableOutboundIpRangeVnetNatGateway.yaml
new file mode 100644
index 000000000..064e0f8b0
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-StableOutboundIpRangeVnetNatGateway.yaml
@@ -0,0 +1,22 @@
+name: revcl-StableOutboundIpRangeVnetNatGateway
+title: Ensure a stable IP for outbound communications towards internet addresses
+description: You can provide a stable outbound IP by using VNet integration and using
+ a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party
+ to allow-list based on IP, should that be needed. Note that for communications
+ towards Azure Services often there's no need to depend on the IP address and mechanics
+ like Service Endpoints should be used instead. (Also the use of private endpoints
+ on the receiving end avoids for SNAT to happen and provides a stable outbound IP
+ range.)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 2
+labels:
+ guid: cda3b54e-b2eb-403d-b9a2-582718d2ddb1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ValidatedCodeTrustedCode.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ValidatedCodeTrustedCode.yaml
new file mode 100644
index 000000000..f1be0df32
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/revcl-ValidatedCodeTrustedCode.yaml
@@ -0,0 +1,17 @@
+name: revcl-ValidatedCodeTrustedCode
+title: Deploy validated code
+description: Deploy trusted code that was validated and scanned for vulnerabilities
+ according to DevSecOps practices.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 19aed9c5-5d04-4c2c-9919-ca0b2c12159e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServiceAppsAzureVirtualNetwork.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServiceAppsAzureVirtualNetwork.yaml
new file mode 100644
index 000000000..f304581ca
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServiceAppsAzureVirtualNetwork.yaml
@@ -0,0 +1,20 @@
+name: wafsg-AppServiceAppsAzureVirtualNetwork
+title: 'Create segmentation through isolation boundaries to contain breach: Apply
+ identity segmentation. For example, implement role-based access control (RBAC) to
+ assign specific permissions based on roles. Follow the principle of least privilege
+ to limit access rights to only what''s necessary. Also create segmentation at the
+ network level. Inject App Service apps in an Azure virtual network for isolation
+ and define network security groups (NSGs) to filter traffic.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: dbeebd4f-c94a-4060-a2ac-c523b3e64a3d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServicePlanSecurityBaselines.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServicePlanSecurityBaselines.yaml
new file mode 100644
index 000000000..d30c8a7bd
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServicePlanSecurityBaselines.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AppServicePlanSecurityBaselines
+title: 'Review security baselines: To enhance the security posture of your application
+ that''s hosted on an App Service plan, review the security baseline for App Service.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 44ba257f-d6b6-4eed-b5a1-eff3dcb027e8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServiceWebApp.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServiceWebApp.yaml
new file mode 100644
index 000000000..eb878735a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AppServiceWebApp.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AppServiceWebApp
+title: (App Service) Assign managed identities to the web app. To maintain isolation
+ boundaries, don't share or reuse identities across applications. Make sure that
+ you securely connect to your container registry if you use containers for your deployment.
+description: The application retrieves secrets from Key Vault to authenticate outward
+ communication from the application. Azure manages the identity and doesn't require
+ you to provision or rotate any secrets. You have distinct identities for granularity
+ of control. Distinct identities make revocation easy if an identity is compromised.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 14bc5ea3-400b-4bbf-9187-f0b21505173d
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureFrontDoorNetworkTraffic.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureFrontDoorNetworkTraffic.yaml
new file mode 100644
index 000000000..11cd6ad4a
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureFrontDoorNetworkTraffic.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureFrontDoorNetworkTraffic
+title: 'Control network traffic to and from the application: Don''t expose application
+ endpoints to the public internet. Instead, add a private endpoint on the web app
+ that''s placed in a dedicated subnet. Front your application with a reverse proxy
+ that communicates with that private endpoint. Consider using Application Gateway
+ or Azure Front Door for that purpose.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: e9b8f604-ff04-4eef-9949-bd6c23179186
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureKeyVaultReferencesSensitiveInformation.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureKeyVaultReferencesSensitiveInformation.yaml
new file mode 100644
index 000000000..a15de3652
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureKeyVaultReferencesSensitiveInformation.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureKeyVaultReferencesSensitiveInformation
+title: 'Protect application secrets: You need to handle sensitive information, like
+ API keys or authentication tokens. Instead of hardcoding these secrets directly
+ into your application code or configuration files, you can use Azure Key Vault references
+ in app settings. When the application starts, App Service automatically retrieves
+ the secret values from Key Vault by using the app''s managed identity.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 0545fb6c-0662-4ffd-8834-7d4d4ac7f2bb
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureStorageAccountsAzureEventHubs.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureStorageAccountsAzureEventHubs.yaml
new file mode 100644
index 000000000..313f9d313
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-AzureStorageAccountsAzureEventHubs.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureStorageAccountsAzureEventHubs
+title: (App Service plan) Enable diagnostic logging and add instrumentation to your
+ app. The logs are sent to Azure Storage accounts, Azure Event Hubs, and Log Analytics.
+ For more information about audit log types, see Supported log types.
+description: Logging captures access patterns. It records relevant events that provide
+ valuable insights into how users interact with an application or platform. This
+ information is crucial for accountability, compliance, and security purposes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 603bf106-42e6-43d3-a8e0-4470d05093b9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-ComprehensiveActivityTrailsResourceLogs.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-ComprehensiveActivityTrailsResourceLogs.yaml
new file mode 100644
index 000000000..3f5e660bf
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-ComprehensiveActivityTrailsResourceLogs.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ComprehensiveActivityTrailsResourceLogs
+title: 'Enable resource logs for your application: Enable resource logs for your application
+ to create comprehensive activity trails that provide valuable data during investigations
+ that follow security incidents.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 1c90ec2a-85e3-400e-8937-22686ac115b8
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-KeyVaultReferencesSecretRotations.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-KeyVaultReferencesSecretRotations.yaml
new file mode 100644
index 000000000..a23fbd17e
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-KeyVaultReferencesSecretRotations.yaml
@@ -0,0 +1,15 @@
+name: wafsg-KeyVaultReferencesSecretRotations
+title: (App Service) Always use Key Vault references as app settings.
+description: Secrets are kept separate from your app's configuration. App settings
+ are encrypted at rest. App Service also manages secret rotations.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 59402f53-7298-4295-b919-609d8fc73876
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-LanguageRuntimeSupportPolicyLatestRuntime.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-LanguageRuntimeSupportPolicyLatestRuntime.yaml
new file mode 100644
index 000000000..e908bd707
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-LanguageRuntimeSupportPolicyLatestRuntime.yaml
@@ -0,0 +1,18 @@
+name: wafsg-LanguageRuntimeSupportPolicyLatestRuntime
+title: 'Use the latest runtime and libraries: Thoroughly test your application builds
+ before you do updates to catch problems early and ensure a smooth transition to
+ the new version. App Service supports the language runtime support policy for updating
+ existing stacks and retiring end-of-support stacks.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 4133fafa-441c-4d27-bfd1-f76a58ab6620
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-MicrosoftEntraIdBasedAuthenticationSecureDeploymentMethod.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-MicrosoftEntraIdBasedAuthenticationSecureDeploymentMethod.yaml
new file mode 100644
index 000000000..cee0753b8
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-MicrosoftEntraIdBasedAuthenticationSecureDeploymentMethod.yaml
@@ -0,0 +1,21 @@
+name: wafsg-MicrosoftEntraIdBasedAuthenticationSecureDeploymentMethod
+title: '(App Service) To implement hardening: - Disable basic authentication that
+ uses a username and password in favor of Microsoft Entra ID-based authentication. -
+ Turn off remote debugging so that inbound ports aren''t opened. - Enable CORS policies
+ to tighten incoming requests. - Disable protocols, such as FTP.'
+description: We don't recommend basic authentication as a secure deployment method.
+ Microsoft Entra ID employs OAuth 2.0 token-based authentication, which offers numerous
+ advantages and enhancements that address the limitations that are associated with
+ basic authentication. Policies restrict access to application resources, only allow
+ requests from specific domains, and secure cross-region requests.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 78fd4f02-98f6-459c-882c-5f0d659a2251
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-MicrosoftEntraIdMultipleSignInProviders.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-MicrosoftEntraIdMultipleSignInProviders.yaml
new file mode 100644
index 000000000..a7ae26793
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-MicrosoftEntraIdMultipleSignInProviders.yaml
@@ -0,0 +1,21 @@
+name: wafsg-MicrosoftEntraIdMultipleSignInProviders
+title: (App Service) valuate whether App Service built-in authentication is the right
+ mechanism to authenticate users that access your application. App Service built-in
+ authentication integrates with Microsoft Entra ID. This feature handles token validation
+ and user identity management across multiple sign-in providers and supports OpenID
+ Connect. With this feature, you don't have authorization at a granular level, and
+ you don't have a mechanism to test authentication.
+description: When you use this feature, you don't have to use authentication libraries
+ in application code, which reduces complexity. The user is already authenticated
+ when a request reaches the application.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 8cde5bed-8dd0-4a16-ae15-0672275bd473
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-OverallSecurityPostureAccessControls.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-OverallSecurityPostureAccessControls.yaml
new file mode 100644
index 000000000..f63944c69
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-OverallSecurityPostureAccessControls.yaml
@@ -0,0 +1,18 @@
+name: wafsg-OverallSecurityPostureAccessControls
+title: 'Apply access controls on identities: Restrict both inward access to the web
+ app and outward access from the web app to other resources. This configuration applies
+ access controls on identities and helps maintain the workload''s overall security
+ posture.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 5bb8daca-fde8-45bf-82f6-e55cdb28da05
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-OverallSecurityPostureAppServicePlan.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-OverallSecurityPostureAppServicePlan.yaml
new file mode 100644
index 000000000..9ebd85552
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-OverallSecurityPostureAppServicePlan.yaml
@@ -0,0 +1,15 @@
+name: wafsg-OverallSecurityPostureAppServicePlan
+title: (App Service plan) Enable Microsoft Defender for Cloud for App Service.
+description: Get real-time protection for resources that run in an App Service plan.
+ Guard against threats and enhance your overall security posture.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: def198c3-8a34-4d8f-8e46-91b6f36064ab
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-SourceControlManagerFileTransferProtocol.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-SourceControlManagerFileTransferProtocol.yaml
new file mode 100644
index 000000000..c4dae808c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-SourceControlManagerFileTransferProtocol.yaml
@@ -0,0 +1,19 @@
+name: wafsg-SourceControlManagerFileTransferProtocol
+title: 'Reduce the attack surface: Remove default configurations that you don''t need.
+ For example, disable remote debugging, local authentication for Source Control Manager
+ (SCM) sites, and basic authentication. Disable unsecure protocols like HTTP and
+ File Transfer Protocol (FTP). Enforce configurations through Azure policies. For
+ more information, see Azure policies.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: d63a7c58-a495-4ff3-a164-88e8eac4febf
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-TransportLayerSecurityAppService.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-TransportLayerSecurityAppService.yaml
new file mode 100644
index 000000000..b768e9aeb
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-TransportLayerSecurityAppService.yaml
@@ -0,0 +1,17 @@
+name: wafsg-TransportLayerSecurityAppService
+title: (App Service) Configure custom domains for applications. Disable HTTP and
+ only accept HTTPS requests.
+description: Custom domains enable secure communication through HTTPS using Transport
+ Layer Security (TLS) protocol, which ensures the protection of sensitive data and
+ builds user trust.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: ef64b1c3-a41f-4913-8ac4-27be04d96d10
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-TransportLayerSecurityCustomerManagedKeys.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-TransportLayerSecurityCustomerManagedKeys.yaml
new file mode 100644
index 000000000..e350ddcf4
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-TransportLayerSecurityCustomerManagedKeys.yaml
@@ -0,0 +1,17 @@
+name: wafsg-TransportLayerSecurityCustomerManagedKeys
+title: 'Encrypt data: Protect data in transit with end-to-end Transport Layer Security
+ (TLS). Use your customer-managed keys for full encryption of data at rest. For more
+ information, see Encryption at rest using customer-managed keys.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/app-service-web-apps.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 4ed59aaa-9948-4387-975e-11e1fc65ff40
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-VirtualNetworkIntegrationAzureVirtualNetwork.yaml b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-VirtualNetworkIntegrationAzureVirtualNetwork.yaml
new file mode 100644
index 000000000..82f9b57e9
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/Security/wafsg-VirtualNetworkIntegrationAzureVirtualNetwork.yaml
@@ -0,0 +1,20 @@
+name: wafsg-VirtualNetworkIntegrationAzureVirtualNetwork
+title: (App Service) Configure the application for virtual network integration. Use
+ private endpoints for App Service apps. Block all public traffic. Route the container
+ image pull through the virtual network integration. All outgoing traffic from the
+ application passes through the virtual network.
+description: Get the security benefits of using an Azure virtual network. For example,
+ the application can securely access resources within the network. Add a private
+ endpoint to help protect your application. Private endpoints limit direct exposure
+ to the public network and allow controlled access through the reverse proxy.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.web/sites
+waf: Security
+severity: 1
+labels:
+ guid: 703d13a6-d768-443b-b9f9-4e31d74767f9
+links: []
+queries: {}
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureAppServiceAspNetCore.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureAppServiceAspNetCore.yaml
new file mode 100644
index 000000000..2ed772937
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureAppServiceAspNetCore.yaml
@@ -0,0 +1,20 @@
+name: aprl-AzureAppServiceAspNetCore
+title: Monitor Performance
+description: |-
+ Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: a7e8bb3d-8ceb-442d-b26f-007cd63f9ffc
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |+
+ // cannot-be-validated-with-arg
+
+...
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureAppServiceWebServerLogging.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureAppServiceWebServerLogging.yaml
new file mode 100644
index 000000000..bfb8bd493
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureAppServiceWebServerLogging.yaml
@@ -0,0 +1,20 @@
+name: aprl-AzureAppServiceWebServerLogging
+title: Enable diagnostics logging
+description: |-
+ Enabling diagnostics logging for your Azure App Service is crucial for monitoring and diagnostics, including both application logging and web server logging.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 2
+labels:
+ guid: 493f6079-3bb6-4a56-96ba-ab3248474cb1
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |+
+ // cannot-be-validated-with-arg
+
+...
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureFunctionsRuntimeFunctionApp.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureFunctionsRuntimeFunctionApp.yaml
new file mode 100644
index 000000000..8346ef971
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-AzureFunctionsRuntimeFunctionApp.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureFunctionsRuntimeFunctionApp
+title: Ensure Function App runs a supported version
+description: |-
+ Beginning on December 13, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime have reached the end of life (EOL) of extended support. We highly recommend you migrating your function apps to version 4.x of the Functions runtime.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: c9a278b7-024b-454b-bd54-41587c512b74
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-BadUpdateChancesPreviousGoodDeployment.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-BadUpdateChancesPreviousGoodDeployment.yaml
new file mode 100644
index 000000000..a7479041d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-BadUpdateChancesPreviousGoodDeployment.yaml
@@ -0,0 +1,31 @@
+name: aprl-BadUpdateChancesPreviousGoodDeployment
+title: Deploy to a staging slot
+description: |-
+ Create a deployment slot for staging to deploy updates, verify them, and ensure all instances are warmed up before production swap, reducing bad update chances. An LKG slot allows easy rollback to a previous good deployment if issues arise later, enhancing reliability.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 2
+labels:
+ guid: a1d91661-32d4-430b-b3b6-5adeb0975df7
+ area: Governance
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Display App Service with the count of deployment slots for Apps under eligible App service plans and it shows if deployment slot is enabled or not
+
+ resources
+ | where type =~ 'microsoft.web/sites' or type =~ 'microsoft.web/sites/slots'
+ | extend isSlot = iff(type =~ 'microsoft.web/sites/slots', 1, 0)
+ | extend AspName = iff(isSlot == 1, split(name, '/')[0], name)
+ | extend Sku = tostring(properties.sku)
+ | where tolower(Sku) contains "standard" or tolower(Sku) contains "premium" or tolower(Sku) contains "isolatedv2"
+ | project id, name, AspName, isSlot, Sku
+ | summarize Slots = countif(isSlot == 1) by id, name, AspName, Sku
+ | extend DeploymentSlotEnabled = iff(Slots > 1, true, false)
+ | where DeploymentSlotEnabled = false
+ | project recommendationId="a1d91661-32d4-430b-b3b6-5adeb0975df7", name, id, tags="", param1=Sku, param2=Slots, param3="DeploymentSlotEnabled=false"
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-FunctionAppConfigurationAppropriateValue.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-FunctionAppConfigurationAppropriateValue.yaml
new file mode 100644
index 000000000..a0f72f33b
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-FunctionAppConfigurationAppropriateValue.yaml
@@ -0,0 +1,18 @@
+name: aprl-FunctionAppConfigurationAppropriateValue
+title: Ensure FUNCTIONS_WORKER_RUNTIME is set properly
+description: |-
+ The FUNCTIONS_WORKER_RUNTIME setting in the Function App configuration should be set to the appropriate value based on the language you are using. This setting is used to determine the language worker that will be used to execute your functions.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: 7c608f46-46b2-4cc0-bbd6-1d457c16671c
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-HttpServerErrorsAutoHeal.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-HttpServerErrorsAutoHeal.yaml
new file mode 100644
index 000000000..6e6d9e2a3
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-HttpServerErrorsAutoHeal.yaml
@@ -0,0 +1,30 @@
+name: aprl-HttpServerErrorsAutoHeal
+title: Enable auto heal for Functions App
+description: |-
+ Auto Heal allows you to mitigate your apps when it runs into unexpected situations like HTTP server errors, resource exhaustion, etc. You can configure different triggers based on your need and choose to recycle the app to recover it from a bad state.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 2
+labels:
+ guid: c6c4b962-5af4-447a-9d74-7b9c53a5dff5
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Provides a list of Azure Function App resources that do not have auto heal enabled
+
+ Resources
+ | where type =~ 'microsoft.web/sites'
+ | where properties.kind contains 'functionapp'
+ | join kind=inner
+ (appserviceresources
+ | where type == "microsoft.web/sites/config"
+ | where properties.AutoHealEnabled == 'false'
+ | project id, name, tenantId, location, resourceGroup, properties.AutoHealEnabled
+ ) on name
+ | project recommendationID = "c6c4b962-5af4-447a-9d74-7b9c53a5dff5", name, id, type, kind, param1="AutoHealEnabled =false"
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-LongerWarmupTimeMinimumInstanceCount.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-LongerWarmupTimeMinimumInstanceCount.yaml
new file mode 100644
index 000000000..af54e0294
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-LongerWarmupTimeMinimumInstanceCount.yaml
@@ -0,0 +1,30 @@
+name: aprl-LongerWarmupTimeMinimumInstanceCount
+title: Set minimum instance count to 2 for app service
+description: |-
+ App Service should be configured with a minimum of two instances for production workloads. If apps have a longer warmup time a minimum of three instances should be used.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: 9e6682ac-31bc-4635-9959-ab74b52454e6
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Provides a list of App services that do not have minimum instance count of 2
+
+ resources
+ | where type =~ 'microsoft.web/sites'
+ | where properties.kind has 'app'
+ | join kind = inner
+ (
+ appserviceresources
+ | where properties.PreWarmedInstanceCount < 2
+ | project name
+ ) on name
+ | project recommendationId = "9e6682ac-31bc-4635-9959-ab74b52454e6", name, id, tags, param1 = "PreWarmedInstanceCount is less than 2"
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-PriorityOrderedAllowDenyListPublicFacingWebApplications.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-PriorityOrderedAllowDenyListPublicFacingWebApplications.yaml
new file mode 100644
index 000000000..3798f358c
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-PriorityOrderedAllowDenyListPublicFacingWebApplications.yaml
@@ -0,0 +1,31 @@
+name: aprl-PriorityOrderedAllowDenyListPublicFacingWebApplications
+title: Configure network access restrictions
+description: |-
+ Use network access restrictions to define a priority-ordered allow/deny list that controls network access to your app. Web application firewalls, such as the one available in Application Gateway, are recommended for protection of public-facing web applications.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: aab6b4a4-9981-43a4-8728-35c7ecbb746d
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Check if Network access restrictions defined for App service
+
+ resources
+ | where type =~ 'microsoft.web/sites'
+ | where properties.kind has 'app'
+ | join kind = inner
+ (
+ appserviceresources
+ | mv-expand IpSecurityRestrictions = properties.IpSecurityRestrictions
+ | where isnotnull(IpSecurityRestrictions) == true
+ | project name
+ ) on name
+ | project recommendationId = "aab6b4a4-9981-43a4-8728-35c7ecbb746d", name, id, tags, param1 = "No network restrictions set"
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-ResourceManagerTemplatesAutomatedDeploymentUpdateProcess.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-ResourceManagerTemplatesAutomatedDeploymentUpdateProcess.yaml
new file mode 100644
index 000000000..92c27e303
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-ResourceManagerTemplatesAutomatedDeploymentUpdateProcess.yaml
@@ -0,0 +1,25 @@
+name: aprl-ResourceManagerTemplatesAutomatedDeploymentUpdateProcess
+title: Store configuration as app settings
+description: |-
+ Use app settings for configuration and define them in Resource Manager templates or via PowerShell to facilitate part of an automated deployment/update process for improved reliability.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: 0b80b67c-afbe-4988-ad58-a85a146b681e
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure App Service resources that don't have App Settings configured
+
+ appserviceresources
+ | where type == "microsoft.web/sites/config"
+ | extend AppSettings = iif(isempty(properties.AppSettings), true, false)
+ | where AppSettings == false
+ | project recommendationId="0b80b67c-afbe-4988-ad58-a85a146b681e", id, name, tags="", param1="AppSettings is not configured"
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-SeparateAppServiceAppsWebFrontEnd.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-SeparateAppServiceAppsWebFrontEnd.yaml
new file mode 100644
index 000000000..a0260208d
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-SeparateAppServiceAppsWebFrontEnd.yaml
@@ -0,0 +1,18 @@
+name: aprl-SeparateAppServiceAppsWebFrontEnd
+title: Separate web apps from web APIs
+description: |-
+ If your solution includes both a web front end and a web API, decomposing them into separate App Service apps facilitates solution decomposition by workload, allowing for independent scaling. Initially, you can deploy both in the same plan and separate them for independent scaling when necessary.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 2
+labels:
+ guid: 78a5c033-ff51-4332-8a71-83464c34494b
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-SeparateStorageAccountSameOne.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-SeparateStorageAccountSameOne.yaml
new file mode 100644
index 000000000..cc0739681
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-SeparateStorageAccountSameOne.yaml
@@ -0,0 +1,18 @@
+name: aprl-SeparateStorageAccountSameOne
+title: Create a separate storage account for logs
+description: |-
+ Creating a separate storage account for logs and not using the same one for application data prevents logging activities from reducing application performance by ensuring that the resources dedicated to handling application data are not burdened by logging processes.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: 3f9ddb59-0bb3-4acb-9c9b-99aa1776f0ab
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-TheHealthCheckPathUseHealthCheck.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-TheHealthCheckPathUseHealthCheck.yaml
new file mode 100644
index 000000000..615ddef21
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-TheHealthCheckPathUseHealthCheck.yaml
@@ -0,0 +1,30 @@
+name: aprl-TheHealthCheckPathUseHealthCheck
+title: Enable Health check for App Services
+description: |-
+ Use Health Check for production workloads. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. The Health check path should check critical components of your application.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d
+ area: Other Best Practices
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Check if Health Check is enabled for App Service
+
+ resources
+ | where type =~ 'microsoft.web/sites'
+ | where properties.kind has 'app'
+ | join kind = inner
+ (
+ appserviceresources
+ | where isnull(properties.HealthCheckPath) == true
+ | project name
+ ) on name
+ | project recommendationId = "fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d", name, id, tags, param1 = "Healthcheckpath = not set"
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-UniqueHostidSetHostIdValue.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-UniqueHostidSetHostIdValue.yaml
new file mode 100644
index 000000000..f988fba68
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-UniqueHostidSetHostIdValue.yaml
@@ -0,0 +1,18 @@
+name: aprl-UniqueHostidSetHostIdValue
+title: Ensure unique hostid set for Function App
+description: |-
+ A host ID must be between 1 and 32 characters, contain only lowercase letters, numbers, and dashes, not start or end with a dash, and not contain consecutive dashes. The host ID value should be unique for all apps/slots you're running.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 2
+labels:
+ guid: 0b06a688-0dd6-4d73-9f72-6666ff853ca9
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/MicrosoftWeb-sites/aprl-WarmupTriggerFunctionApp.yaml b/v2/recos/Services/MicrosoftWeb-sites/aprl-WarmupTriggerFunctionApp.yaml
new file mode 100644
index 000000000..ed2e5d766
--- /dev/null
+++ b/v2/recos/Services/MicrosoftWeb-sites/aprl-WarmupTriggerFunctionApp.yaml
@@ -0,0 +1,18 @@
+name: aprl-WarmupTriggerFunctionApp
+title: No warmup trigger added to Function App
+description: |-
+ Add a warmup trigger to pre-load custom dependencies during the pre-warming process so that your functions are ready to start processing requests immediately.
+source:
+ type: aprl
+ file: azure-resources/Web/sites/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Web/sites
+severity: 1
+labels:
+ guid: 52f368ee-1d77-4b34-92db-64be269642d0
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcache-redis/Reliability/revcl-AzureCacheRedisInstance.yaml b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-AzureCacheRedisInstance.yaml
new file mode 100644
index 000000000..6d09bb8a4
--- /dev/null
+++ b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-AzureCacheRedisInstance.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzureCacheRedisInstance
+title: Configure data persistence for an Azure Cache for Redis instance. Because your
+ cache data is stored in memory, a rare and unplanned failure of multiple nodes can
+ cause all the data to be dropped. To avoid losing data completely, Redis persistence
+ allows you to take periodic snapshots of in-memory data, and store it to your storage
+ account.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cache/redis
+waf: Reliability
+severity: 1
+labels:
+ guid: bc178bdc-5a06-4ca7-8443-51e19dd34429
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence
+queries: {}
diff --git a/v2/recos/Services/microsoftcache-redis/Reliability/revcl-DifferentAzureAvailabilityZonesZoneRedundantCache.yaml b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-DifferentAzureAvailabilityZonesZoneRedundantCache.yaml
new file mode 100644
index 000000000..9605a4699
--- /dev/null
+++ b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-DifferentAzureAvailabilityZonesZoneRedundantCache.yaml
@@ -0,0 +1,19 @@
+name: revcl-DifferentAzureAvailabilityZonesZoneRedundantCache
+title: Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports
+ zone redundant configurations in the Premium and Enterprise tiers. A zone redundant
+ cache can place its nodes across different Azure Availability Zones in the same
+ region. It eliminates data center or AZ outage as a single point of failure and
+ increases the overall availability of your cache.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cache/redis
+waf: Reliability
+severity: 0
+labels:
+ guid: 65285269-440b-44be-9d3e-0844276d4bdc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy
+queries: {}
diff --git a/v2/recos/Services/microsoftcache-redis/Reliability/revcl-GeoRedundantStorageAccountAzureCache.yaml b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-GeoRedundantStorageAccountAzureCache.yaml
new file mode 100644
index 000000000..34dfbe37e
--- /dev/null
+++ b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-GeoRedundantStorageAccountAzureCache.yaml
@@ -0,0 +1,16 @@
+name: revcl-GeoRedundantStorageAccountAzureCache
+title: Use Geo-redundant storage account to persist Azure Cache for Redis data, or
+ zonally redundant where geo-redundancy is not available
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cache/redis
+waf: Reliability
+severity: 1
+labels:
+ guid: eb722823-7a15-41c5-ab4e-4f1814387e5c
+links:
+- type: docs
+ url: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence
+queries: {}
diff --git a/v2/recos/Services/microsoftcache-redis/Reliability/revcl-TwoPremiumTierCacheInstancesPremiumAzureCache.yaml b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-TwoPremiumTierCacheInstancesPremiumAzureCache.yaml
new file mode 100644
index 000000000..87a6d0d7d
--- /dev/null
+++ b/v2/recos/Services/microsoftcache-redis/Reliability/revcl-TwoPremiumTierCacheInstancesPremiumAzureCache.yaml
@@ -0,0 +1,20 @@
+name: revcl-TwoPremiumTierCacheInstancesPremiumAzureCache
+title: Configure passive geo-replication for Premium Azure Cache for Redis instances.
+ Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances,
+ typically spanning two Azure regions. Geo-replication is designed mainly for cross-region
+ disaster recovery. Two Premium tier cache instances are connected through geo-replication
+ in a way that provides reads and writes to your primary cache, and that data is
+ replicated to the secondary cache.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.cache/redis
+waf: Reliability
+severity: 1
+labels:
+ guid: a8c26c9b-32ab-45bd-bc69-98a135e33789
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication
+queries: {}
diff --git a/v2/recos/Services/microsoftcache-redis/aprl-MaintenanceWindowAzureCache.yaml b/v2/recos/Services/microsoftcache-redis/aprl-MaintenanceWindowAzureCache.yaml
new file mode 100644
index 000000000..28ae7cd20
--- /dev/null
+++ b/v2/recos/Services/microsoftcache-redis/aprl-MaintenanceWindowAzureCache.yaml
@@ -0,0 +1,18 @@
+name: aprl-MaintenanceWindowAzureCache
+title: Schedule updates by setting a maintenance window
+description: |-
+ Azure Cache for Redis allows for specifying maintenance windows. A maintenance window allows you to control the days and times of a week during which the VMs hosting your cache can be updated.
+source:
+ type: aprl
+ file: azure-resources/Cache/Redis/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cache/redis
+severity: 1
+labels:
+ guid: cabc1f98-c8a7-44f7-ab24-977982ef3f70
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcache-redis/aprl-MultipleAvailabilityZonesZoneRedundancy.yaml b/v2/recos/Services/microsoftcache-redis/aprl-MultipleAvailabilityZonesZoneRedundancy.yaml
new file mode 100644
index 000000000..e9bca6a9c
--- /dev/null
+++ b/v2/recos/Services/microsoftcache-redis/aprl-MultipleAvailabilityZonesZoneRedundancy.yaml
@@ -0,0 +1,24 @@
+name: aprl-MultipleAvailabilityZonesZoneRedundancy
+title: Enable zone redundancy for Azure Cache for Redis
+description: |-
+ Azure Cache for Redis offers zone redundancy in Premium and Enterprise tiers, using VMs across multiple Availability Zones to ensure greater resilience and availability.
+source:
+ type: aprl
+ file: azure-resources/Cache/Redis/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cache/Redis
+severity: 0
+labels:
+ guid: 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find Cache for Redis instances with one or no Zones selected
+ resources
+ | where type =~ "microsoft.cache/redis"
+ | where array_length(zones) <= 1 or isnull(zones)
+ | project recommendationId = "5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8", name, id, tags, param1 = "AvailabilityZones: Single Zone"
+ | order by id asc
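Review bot: The resourceTypes entry `- Microsoft.Cache/Redis` in this file differs in case from `- Microsoft.Cache/redis` used by the sibling aprl files (aprl-MaintenanceWindowAzureCache, aprl-PrivateEndpointsSecureConnection) and from the all-lowercase `microsoft.cache/redis` in the revcl files of the same directory; the container-registry files show the same split between `Microsoft.ContainerRegistry/registries` and `microsoft.containerregistry/registries`. ARM resource type names are case-insensitive, but unless the consumer of these YAML files normalises case before grouping or filtering, one of these spellings will fall outside the group and the recommendation would be silently dropped from the service view. If the files are emitted by the get_aprl / get_service_guides actions, the normalisation belongs in those generators (e.g. lower-casing the type before writing), otherwise change the line here to `- Microsoft.Cache/redis`.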
diff --git a/v2/recos/Services/microsoftcache-redis/aprl-PrivateEndpointsSecureConnection.yaml b/v2/recos/Services/microsoftcache-redis/aprl-PrivateEndpointsSecureConnection.yaml
new file mode 100644
index 000000000..d4eb285ab
--- /dev/null
+++ b/v2/recos/Services/microsoftcache-redis/aprl-PrivateEndpointsSecureConnection.yaml
@@ -0,0 +1,24 @@
+name: aprl-PrivateEndpointsSecureConnection
+title: Configure Private Endpoints
+description: |-
+ Use private endpoints for secure connection to cache via a private link, avoiding the public internet.
+source:
+ type: aprl
+ file: azure-resources/Cache/Redis/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Cache/redis
+severity: 1
+labels:
+ guid: c474fc96-4e6a-4fb0-95d0-a26b3f35933c
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Azure Redis cache services not protected by private endpoints.
+ Resources
+ | where type =~ "microsoft.cache/redis"
+ | where properties['publicNetworkAccess'] == "Enabled"
+ | project recommendationId = "c474fc96-4e6a-4fb0-95d0-a26b3f35933c", name, id, tags
+ | order by id asc
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Reliability/revcl-PrivateRegistryRegionReplication.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Reliability/revcl-PrivateRegistryRegionReplication.yaml
new file mode 100644
index 000000000..e49db787b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Reliability/revcl-PrivateRegistryRegionReplication.yaml
@@ -0,0 +1,16 @@
+name: revcl-PrivateRegistryRegionReplication
+title: If using a private registry, configure region replication to store images in
+ multiple regions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Reliability
+severity: 0
+labels:
+ guid: 3c763963-7a55-42d5-a15e-401955387e5c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AcrPullPushOperationsAcrpushRbacRoles.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AcrPullPushOperationsAcrpushRbacRoles.yaml
new file mode 100644
index 000000000..4e212ab18
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AcrPullPushOperationsAcrpushRbacRoles.yaml
@@ -0,0 +1,18 @@
+name: revcl-AcrPullPushOperationsAcrpushRbacRoles
+title: Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access
+ to identity principals
+description: Disable Administrator account and assign RBAC roles to principals for
+ ACR Pull/Push operations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: 387e5ced-126c-4d13-8af5-b20c6998a646
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AcrpullPushRbacAccessManagedIdentities.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AcrpullPushRbacAccessManagedIdentities.yaml
new file mode 100644
index 000000000..daef101cf
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AcrpullPushRbacAccessManagedIdentities.yaml
@@ -0,0 +1,17 @@
+name: revcl-AcrpullPushRbacAccessManagedIdentities
+title: Use Managed Identities to connect instead of Service Principals
+description: Use managed identities to secure ACRPull/Push RBAC access from client
+ applications
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: 8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AnonymousPullPushAccess.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AnonymousPullPushAccess.yaml
new file mode 100644
index 000000000..41d53a70f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AnonymousPullPushAccess.yaml
@@ -0,0 +1,16 @@
+name: revcl-AnonymousPullPushAccess
+title: Disable Anonymous pull access
+description: Disable anonymous pull/push access
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: e338997e-41c7-47d7-acf6-a62a1194956d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AuditComplianceVisibilityAzureContainerRegistry.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AuditComplianceVisibilityAzureContainerRegistry.yaml
new file mode 100644
index 000000000..dbce058c6
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AuditComplianceVisibilityAzureContainerRegistry.yaml
@@ -0,0 +1,17 @@
+name: revcl-AuditComplianceVisibilityAzureContainerRegistry
+title: Enable Azure Policies for Azure Container Registry
+description: Enable audit compliance visibility by enabling Azure Policy for Azure
+ Container Registry
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: d503547c-d447-4e82-9128-a7100f1cac6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureArmAudienceTokensConditionalAccessPolicies.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureArmAudienceTokensConditionalAccessPolicies.yaml
new file mode 100644
index 000000000..bbc8691c6
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureArmAudienceTokensConditionalAccessPolicies.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureArmAudienceTokensConditionalAccessPolicies
+title: Disable Azure ARM audience tokens for authentication
+description: Only tokens with an ACR audience can be used for authentication. Used
+ when enabling Conditional access policies for ACR
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: 3a041fd3-2947-498b-8288-b3c6a56ceb54
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistryContainerImages.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistryContainerImages.yaml
new file mode 100644
index 000000000..71286245f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistryContainerImages.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureContainerRegistryContainerImages
+title: Enable Defender for Containers to scan Azure Container Registry for vulnerabilities
+description: Azure Defender for containers or equivalent service should be used to
+ scan container images for vulnerabilities
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 2
+labels:
+ guid: bad37dac-43bc-46ce-8d7a-a9b24604489a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistryImageExportImageImport.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistryImageExportImageImport.yaml
new file mode 100644
index 000000000..0df2ae366
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistryImageExportImageImport.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureContainerRegistryImageExportImageImport
+title: Disable Azure Container Registry image export
+description: Disable image export to prevent data exfiltration. Note that this will
+ prevent image import of images into another ACR instance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/data-loss-prevention
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistrySkuAcrPremiumSku.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistrySkuAcrPremiumSku.yaml
new file mode 100644
index 000000000..8e17a89cb
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-AzureContainerRegistrySkuAcrPremiumSku.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureContainerRegistrySkuAcrPremiumSku
+title: Use an Azure Container Registry SKU that supports Private Link (Premium SKU)
+description: Only the ACR Premium SKU supports Private Link access
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: fc833934-8b26-42d6-ac5f-512925498f6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-skus
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ContainerImagesTrustedCode.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ContainerImagesTrustedCode.yaml
new file mode 100644
index 000000000..bcb992303
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ContainerImagesTrustedCode.yaml
@@ -0,0 +1,15 @@
+name: revcl-ContainerImagesTrustedCode
+title: Deploy validated container images
+description: Deploy trusted code that was validated and scanned for vulnerabilities
+ according to DevSecOps practices.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: 4451e1a2-d345-4293-a763-9637a551c5c0
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-CustomerManagedKeyAdditionalEncryptionLayer.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-CustomerManagedKeyAdditionalEncryptionLayer.yaml
new file mode 100644
index 000000000..62af7dd05
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-CustomerManagedKeyAdditionalEncryptionLayer.yaml
@@ -0,0 +1,19 @@
+name: revcl-CustomerManagedKeyAdditionalEncryptionLayer
+title: Encrypt registry with a customer managed key
+description: Azure Container Registry automatically encrypts images and other artifacts
+ that you store. By default, Azure automatically encrypts the registry content at
+ rest by using service-managed keys. By using a customer-managed key, you can supplement
+ default encryption with an additional encryption layer.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: 0bd05dc2-efd5-4d76-8d41-d2500cc47b49
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-DiagnosticSettingLogAnalytics.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-DiagnosticSettingLogAnalytics.yaml
new file mode 100644
index 000000000..960b6ab65
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-DiagnosticSettingLogAnalytics.yaml
@@ -0,0 +1,18 @@
+name: revcl-DiagnosticSettingLogAnalytics
+title: Enable diagnostics logging
+description: Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents'
+ to Log Analytics as the central destination for logging and monitoring. This allows
+ you to monitor control plane activity on the ACR resource itself.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: 8a488cde-c486-42bc-9bd2-1be77f26e5e6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/monitor-service
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ImagesVulnerabilities.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ImagesVulnerabilities.yaml
new file mode 100644
index 000000000..ca12adf9a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ImagesVulnerabilities.yaml
@@ -0,0 +1,15 @@
+name: revcl-ImagesVulnerabilities
+title: Scan your images for vulnerabilities
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: 59bce65d-e8a0-43f9-9879-468d66a786d6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/security-center/container-security
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-LatestVersionsDatePlatforms.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-LatestVersionsDatePlatforms.yaml
new file mode 100644
index 000000000..8d054ab60
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-LatestVersionsDatePlatforms.yaml
@@ -0,0 +1,15 @@
+name: revcl-LatestVersionsDatePlatforms
+title: Use up-to-date platforms, languages, protocols and frameworks
+description: Use the latest versions of supported platforms, programming languages,
+ protocols, and frameworks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: 4e401955-387e-45ce-b126-cd132af5b20c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ManagementPlaneAccessRbacBasedAccessMethods.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ManagementPlaneAccessRbacBasedAccessMethods.yaml
new file mode 100644
index 000000000..07bd6333d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ManagementPlaneAccessRbacBasedAccessMethods.yaml
@@ -0,0 +1,17 @@
+name: revcl-ManagementPlaneAccessRbacBasedAccessMethods
+title: Disable local authentication for management plane access
+description: The local Administrator account is disabled by default and should not
+ be enabled. Use either Token or RBAC-based access methods instead
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: be0e38ce-e297-411b-b363-caaab79b198d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-PublicNetworkAccessInboundNetworkAccess.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-PublicNetworkAccessInboundNetworkAccess.yaml
new file mode 100644
index 000000000..ecdaae48a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-PublicNetworkAccessInboundNetworkAccess.yaml
@@ -0,0 +1,17 @@
+name: revcl-PublicNetworkAccessInboundNetworkAccess
+title: Disable Public Network access
+description: Disable public network access if inbound network access is secured using
+ Private Link
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: cd289ced-6b17-4db8-8554-62f2aee4553a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-RepositoryScopedAccessTokensAadPrincipal.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-RepositoryScopedAccessTokensAadPrincipal.yaml
new file mode 100644
index 000000000..3c864dd2f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-RepositoryScopedAccessTokensAadPrincipal.yaml
@@ -0,0 +1,17 @@
+name: revcl-RepositoryScopedAccessTokensAadPrincipal
+title: Disable repository-scoped access tokens
+description: Token authentication doesn't support assignment to an AAD principal.
+ Any tokens provided are able to be used by anyone who can access the token
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: 698dc3a2-fd27-4b2e-8870-1a1252beedf6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ServiceLevelIpAclFilteringRuleDisablePublicNetworkAccessToggle.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ServiceLevelIpAclFilteringRuleDisablePublicNetworkAccessToggle.yaml
new file mode 100644
index 000000000..3ff99508e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-ServiceLevelIpAclFilteringRuleDisablePublicNetworkAccessToggle.yaml
@@ -0,0 +1,18 @@
+name: revcl-ServiceLevelIpAclFilteringRuleDisablePublicNetworkAccessToggle
+title: Control inbound network access with Private Link
+description: Service supports disabling public network access either through using
+ service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable
+ Public Network Access' toggle switch
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 1
+labels:
+ guid: 21d41d25-00b7-407a-b9ea-b40fd3290798
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-private-link
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-TheAzureKeyVaultTheAzureContainerRegistry.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-TheAzureKeyVaultTheAzureContainerRegistry.yaml
new file mode 100644
index 000000000..ee81d3d6a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-TheAzureKeyVaultTheAzureContainerRegistry.yaml
@@ -0,0 +1,19 @@
+name: revcl-TheAzureKeyVaultTheAzureContainerRegistry
+title: Sign and Verify containers with notation (Notary v2)
+description: The Azure Key Vault (AKV) is used to store a signing key that can be
+ utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify
+ container images and other artifacts. The Azure Container Registry (ACR) allows
+ you to attach these signatures using the?az?or?oras?CLI commands.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: d345293c-7639-4637-a551-c5c04e401955
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push
+queries: {}
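Review bot: The description lines `utilized by?notation?with the notation AKV plugin` and `using the?az?or?oras?CLI commands` contain `?` where a non-breaking space or similar character was presumably mis-decoded during export from ./checklists/waf_checklist.en.json; the published text reads as a typo. Since this file carries the checklist text verbatim, the fix belongs in the source JSON or in the exporter's decoding (reading the checklist as UTF-8 rather than the platform default), after which this file should be regenerated; if it is hand-edited instead, replace each `?` with a plain space.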
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-TrustedEnvironmentPrivateEndpoint.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-TrustedEnvironmentPrivateEndpoint.yaml
new file mode 100644
index 000000000..7fb48f34d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/Security/revcl-TrustedEnvironmentPrivateEndpoint.yaml
@@ -0,0 +1,15 @@
+name: revcl-TrustedEnvironmentPrivateEndpoint
+title: Deploy images from a trusted environment
+description: Deploy container images to an ACR behind a Private endpoint within a
+ trusted network
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerregistry/registries
+waf: Security
+severity: 0
+labels:
+ guid: b3bec3d4-f343-47c1-936d-b55f27a71eee
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistriesDiagnosticSettings.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistriesDiagnosticSettings.yaml
new file mode 100644
index 000000000..5792e9587
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistriesDiagnosticSettings.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureContainerRegistriesDiagnosticSettings
+title: Configure Diagnostic Settings for all Azure Container Registries
+description: |-
+ Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 1
+labels:
+ guid: 44107155-7a32-9348-89f3-d5aa7e7c5a1d
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryAnonymousPullAccess.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryAnonymousPullAccess.yaml
new file mode 100644
index 000000000..f1b5ae3de
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryAnonymousPullAccess.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureContainerRegistryAnonymousPullAccess
+title: Disable anonymous pull access
+description: |-
+ By default, Azure container registry requires authentication for pull/push actions. Enabling anonymous pull access exposes all content for public read actions. This applies to all repositories, potentially allowing unrestricted access if repository-scoped tokens are used.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 1
+labels:
+ guid: 03f4a7d8-c5b4-7842-8e6e-14997a34842b
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Container Registries that have anonymous pull access enabled
+ resources
+ | where type =~ "microsoft.containerregistry/registries"
+ | where properties.anonymousPullEnabled == "true"
+ | project recommendationId = "03f4a7d8-c5b4-7842-8e6e-14997a34842b", name, id, tags
+ | order by id asc
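Review bot: The filter `| where properties.anonymousPullEnabled == "true"` compares the property against a string literal; if the resource JSON stores anonymousPullEnabled as a boolean, this comparison may not match on all Resource Graph evaluations and the query would report no registries even when anonymous pull is on, which for a security recommendation is a false negative. A form that is robust to either representation is `| where tobool(properties.anonymousPullEnabled) == true`. This query text likely comes from the upstream APRL recommendations.yaml named under source.file, so the correction should be made there and re-synced rather than patched only in this copy.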
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryCriticalProductionWorkloads.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryCriticalProductionWorkloads.yaml
new file mode 100644
index 000000000..8bfb60d98
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryCriticalProductionWorkloads.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureContainerRegistryCriticalProductionWorkloads
+title: Use Premium tier for critical production workloads
+description: |-
+ Choose a service tier of Azure Container Registry to meet your performance needs. Premium offers the most bandwidth and highest rate of read and write operations for high-volume deployments. Use Basic to start, Standard for production, and Premium for hyper-scale performance and geo-replication.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 0
+labels:
+ guid: eb005943-40a8-194b-9db2-474d430046b7
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Container Registries that are not using the Premium tier
+ resources
+ | where type =~ "microsoft.containerregistry/registries"
+ | where sku.name != "Premium"
+ | project recommendationId = "eb005943-40a8-194b-9db2-474d430046b7", name, id, tags, param1=strcat("SkuName: ", tostring(sku.name))
+ | order by id asc
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryFullStackMonitoringService.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryFullStackMonitoringService.yaml
new file mode 100644
index 000000000..5d8930949
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryFullStackMonitoringService.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureContainerRegistryFullStackMonitoringService
+title: Monitor Azure Container Registry with Azure Monitor
+description: |-
+ Monitoring Azure resources using Azure Monitor enhances their availability, performance, and operation. Azure Container Registry, a full-stack monitoring service, provides features for Azure and other cloud and on-premises resources.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 1
+labels:
+ guid: d594cde6-4116-d143-a64a-25f63289a2f8
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
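Review bot: The description attributes "a full-stack monitoring service" to Azure Container Registry, where the sentence only reads correctly for Azure Monitor; as written it misstates what the recommendation is about. Because the text is copied from the upstream APRL file, it is better corrected there (or post-processed during generation) than hand-edited here, e.g. `Azure Monitor, a full-stack monitoring service, provides features for Azure and other cloud and on-premises resources.`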
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryOptionalZoneRedundancy.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryOptionalZoneRedundancy.yaml
new file mode 100644
index 000000000..6d531709d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryOptionalZoneRedundancy.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureContainerRegistryOptionalZoneRedundancy
+title: Enable zone redundancy
+description: |-
+ Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 0
+labels:
+ guid: 63491f70-22e4-3b4a-8b0c-845450e46fac
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Container Registries that do not have zone redundancy enabled
+ resources
+ | where type =~ "microsoft.containerregistry/registries"
+ | where properties.zoneRedundancy != "Enabled"
+ | project recommendationId = "63491f70-22e4-3b4a-8b0c-845450e46fac", name, id, tags, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy))
+ | order by id asc
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryRegistrySize.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryRegistrySize.yaml
new file mode 100644
index 000000000..eec496e9f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistryRegistrySize.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureContainerRegistryRegistrySize
+title: Manage registry size
+description: |-
+ The storage constraints of Azure Container Registry's service tiers align with usage scenarios: Basic for starters, Standard for production, and Premium for high-scale performance and geo-replication.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 1
+labels:
+ guid: 3ef86f16-f65b-c645-9901-7830d6dc3a1b
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Container Registries that have their retention policy disabled
+ resources
+ | where type =~ "microsoft.containerregistry/registries"
+ | where properties.policies.retentionPolicy.status == "disabled"
+ | project recommendationId = "3ef86f16-f65b-c645-9901-7830d6dc3a1b", name, id, tags, param1='retentionPolicy:disabled'
+ | order by id asc
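Review bot: The title `Manage registry size` is broader than what the query checks: it flags only registries whose `retentionPolicy.status` is `disabled`, while a registry can grow for other reasons. The query comment `// Find all Container Registries that have their retention policy disabled` is the accurate description, so aligning the title or the `param1` wording with it would stop reviewers expecting an actual size check. If, as I recall, the untagged-manifest retention policy is available only on the Premium tier, the query will also report Basic and Standard registries that cannot enable it, so a `sku.name` filter or a tier hint in `param1` is worth considering.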
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistrySoftDeletePolicy.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistrySoftDeletePolicy.yaml
new file mode 100644
index 000000000..d81ecfd29
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-AzureContainerRegistrySoftDeletePolicy.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureContainerRegistrySoftDeletePolicy
+title: Enable soft delete policy
+description: |-
+ Enabling soft delete in Azure Container Registry (ACR) allows for the management of deleted artifacts with a specified retention period. Users can list, filter, and restore these artifacts until automatically purged post-retention.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 1
+labels:
+ guid: e7f0fd54-fba0-054e-9ab8-e676f2851f88
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of Azure Container Registry resources that do not have soft delete enabled
+ resources
+ | where type =~ "microsoft.containerregistry/registries"
+ | where properties.policies.softDeletePolicy.status == "disabled"
+ | project recommendationId = "e7f0fd54-fba0-054e-9ab8-e676f2851f88", name, id, tags
+ | order by id asc
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-LocalDataCentersDistributedDevelopmentTeams.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-LocalDataCentersDistributedDevelopmentTeams.yaml
new file mode 100644
index 000000000..2becd4754
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-LocalDataCentersDistributedDevelopmentTeams.yaml
@@ -0,0 +1,32 @@
+name: aprl-LocalDataCentersDistributedDevelopmentTeams
+title: Enable geo-replication
+description: |-
+ Use Azure Container Registry's geo-replication for multi-region deployments to simplify registry management and minimize latency. It enables serving global customers from local data centers and supports distributed development teams. Regional webhooks can notify of events in replicas.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 0
+labels:
+ guid: 36ea6c09-ef6e-d743-9cfb-bd0c928a430b
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Container Registries that do not have geo-replication enabled
+ resources
+ | where type =~ "microsoft.containerregistry/registries"
+ | project registryName = name, registryId = id, tags, primaryRegion = location
+ | join kind=leftouter (
+ Resources
+ | where type =~ "microsoft.containerregistry/registries/replications"
+ | project replicationRegion=name, replicationId = id
+ | extend registryId=strcat_array(array_slice(split(replicationId, '/'), 0, -3), '/')
+ ) on registryId
+ | project-away registryId1, replicationId
+ | where isempty(replicationRegion)
+ | project recommendationId = "36ea6c09-ef6e-d743-9cfb-bd0c928a430b", name=registryName, id=registryId, tags
+ | order by id asc
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-MoveContainerRegistryDedicatedResourceGroup.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-MoveContainerRegistryDedicatedResourceGroup.yaml
new file mode 100644
index 000000000..577afd241
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-MoveContainerRegistryDedicatedResourceGroup.yaml
@@ -0,0 +1,29 @@
+name: aprl-MoveContainerRegistryDedicatedResourceGroup
+title: Move Container Registry to a dedicated resource group
+description: |-
+ Container registries, used across multiple hosts, should be in their own resource group to prevent accidental deletion of images when container instances are deleted, preserving the image collection while experimenting with hosts.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 2
+labels:
+ guid: 8e389532-5db5-7e4c-9d4d-443b3e55ae82
+ area: Governance
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // List container registries that contain additional resources within the same resource group.
+ resources
+ | where type =~ "microsoft.containerregistry/registries"
+ | project registryName=name, registryId=id, registryTags=tags, resourceGroupId=strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), resourceGroup, subscriptionId
+ | join kind=inner (
+ resources
+ | where not(type =~ "microsoft.containerregistry/registries")
+ | summarize recourceCount=count() by subscriptionId, resourceGroup
+ | where recourceCount != 0
+ ) on resourceGroup, subscriptionId
+ | project recommendationId = "8e389532-5db5-7e4c-9d4d-443b3e55ae82", name=registryName, id=registryId, tags=registryTags, param1=strcat('resourceGroupName:',resourceGroup), param2=strcat('resourceGroupId:',resourceGroupId)
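Review bot: `| where recourceCount != 0` on the inner side of the join can never filter anything, because `summarize ... count()` only emits groups that contain at least one row; the line can be dropped, and if kept the misspelled `recourceCount` should read `resourceCount`. This is also the only aprl ARG query in the directory without a trailing `| order by id asc`, so its output order differs from its siblings. Both are style points; the query logic is otherwise sound as far as the visible lines show.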
diff --git a/v2/recos/Services/microsoftcontainerregistry-registries/aprl-SingleRegistryMultipleGroups.yaml b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-SingleRegistryMultipleGroups.yaml
new file mode 100644
index 000000000..634edb86f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerregistry-registries/aprl-SingleRegistryMultipleGroups.yaml
@@ -0,0 +1,18 @@
+name: aprl-SingleRegistryMultipleGroups
+title: Use Repository namespaces
+description: |-
+ Using repository namespaces allows a single registry to be shared across multiple groups and deployments within an organization, supporting nested namespaces for group isolation. However, repositories are managed independently, not hierarchically.
+source:
+ type: aprl
+ file: azure-resources/ContainerRegistry/registries/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerRegistry/registries
+severity: 2
+labels:
+ guid: a5a0101a-a240-8742-90ba-81dbde9a0c0c
+ area: Security
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
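Review bot: `labels.area: Security` overstates what the text supports: the description itself says repositories are managed independently, not hierarchically, so a namespace is a naming convention rather than an access boundary, and a reader may take this item as a security control it is not. Unless the upstream source specifically ties namespaces to repository-scoped permissions, `area: Governance` (the value used in this commit for aprl-MoveContainerRegistryDedicatedResourceGroup) describes the item better. If `Security` is kept, a one-line note in the description that isolation still depends on registry permissions would avoid the misreading.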
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-AksAutoscalerClustersUsage.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-AksAutoscalerClustersUsage.yaml
new file mode 100644
index 000000000..deeae1e58
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-AksAutoscalerClustersUsage.yaml
@@ -0,0 +1,16 @@
+name: revcl-AksAutoscalerClustersUsage
+title: Use AKS autoscaler to match your clusters usage (make sure the pods requirements
+ match the scaler)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/cross-region-replication-azure
+queries: {}
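Review bot: The docs link `https://learn.microsoft.com/azure/reliability/cross-region-replication-azure` does not match this recommendation, which is about the AKS cluster autoscaler; the linked page is about cross-region replication. Point it at the cluster autoscaler documentation (the sibling files in this directory link to `learn.microsoft.com/azure/aks/...` pages) or drop the link rather than ship a misleading reference. If the value is copied verbatim from `./checklists/waf_checklist.en.json`, the fix belongs in that source file so the next regeneration does not reintroduce it.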
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-DevTestClusterNodepoolStart.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-DevTestClusterNodepoolStart.yaml
new file mode 100644
index 000000000..dcd864bd8
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-DevTestClusterNodepoolStart.yaml
@@ -0,0 +1,15 @@
+name: revcl-DevTestClusterNodepoolStart
+title: If running a Dev/Test cluster use NodePool Start/Stop
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 2
+labels:
+ guid: 2b72a08b-0410-4cd6-9093-e068a5cf27e8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/start-stop-nodepools
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-ExternalApplicationDifferentUsers.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-ExternalApplicationDifferentUsers.yaml
new file mode 100644
index 000000000..11fa0d7e7
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-ExternalApplicationDifferentUsers.yaml
@@ -0,0 +1,16 @@
+name: revcl-ExternalApplicationDifferentUsers
+title: Use an external application such as kubecost to allocate costs to different
+ users
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 2
+labels:
+ guid: f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-MultiInstancePartitioningGpuAksClusters.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-MultiInstancePartitioningGpuAksClusters.yaml
new file mode 100644
index 000000000..6d3c874f4
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-MultiInstancePartitioningGpuAksClusters.yaml
@@ -0,0 +1,15 @@
+name: revcl-MultiInstancePartitioningGpuAksClusters
+title: When required use multi-instance partitioning GPU on AKS Clusters
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 87e651ea-bc4a-4a87-a6df-c06a4b570ebc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/gpu-multi-instance
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-NodepoolSnapshots.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-NodepoolSnapshots.yaml
new file mode 100644
index 000000000..374559a6d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-NodepoolSnapshots.yaml
@@ -0,0 +1,15 @@
+name: revcl-NodepoolSnapshots
+title: If required use nodePool snapshots
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 2
+labels:
+ guid: 64d1a846-e28a-4b6b-9a33-22a635c15a21
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/node-pool-snapshot
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-ScaleMode.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-ScaleMode.yaml
new file mode 100644
index 000000000..97058c623
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/revcl-ScaleMode.yaml
@@ -0,0 +1,15 @@
+name: revcl-ScaleMode
+title: Use scale down mode to delete/deallocate nodes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 2
+labels:
+ guid: 4d3dfbab-9924-4831-a68d-fdf0d72f462c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/scale-down-mode
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AppropriateManagedDiskTierWorkloadArchitectures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AppropriateManagedDiskTierWorkloadArchitectures.yaml
new file mode 100644
index 000000000..50a98455c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AppropriateManagedDiskTierWorkloadArchitectures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AppropriateManagedDiskTierWorkloadArchitectures
+title: 'Cluster and workload architectures: Use appropriate managed disk tier and
+ size.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 9cd3e427-64d5-48e8-aa6a-dfa7a473512c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AppropriateVmSkuClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AppropriateVmSkuClusterArchitecture.yaml
new file mode 100644
index 000000000..7d0fd44fc
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AppropriateVmSkuClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AppropriateVmSkuClusterArchitecture
+title: 'Cluster architecture: Use appropriate VM SKU per node pool and reserved instances
+ where long-term capacity is expected.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: ec710c29-e6c0-4675-b051-73fc3a0010d7
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ArmUbuntuAgentNodesArmArchitectureNodes.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ArmUbuntuAgentNodesArmArchitectureNodes.yaml
new file mode 100644
index 000000000..875597dfc
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ArmUbuntuAgentNodesArmArchitectureNodes.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ArmUbuntuAgentNodesArmArchitectureNodes
+title: 'Cluster architecture: Select virtual machines based on the Arm architecture.'
+description: AKS supports creating ARM64 Ubuntu agent nodes, as well as a of mix Intel
+ and ARM architecture nodes within a cluster that can bring better performance at
+ a lower cost.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 620cb68e-2005-464b-90d3-0e767babcfcd
+links: []
+queries: {}
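Review bot: This file, and the other wafsg recos in this directory whose `source.file` is `./checklists-ext/wafsg_checklist.en.json`, has no `source.timestamp`, while the wafsg files sourced from `well-architected/service-guides/azure-kubernetes-service.md` do carry one; consumers of the `source` block therefore see two shapes for the same `source.type`. Either emit `timestamp` on both generation paths or document that the field is optional. Separately, the description carries an upstream typo, `a of mix Intel` → `a mix of Intel`, which is worth fixing at the source so regeneration keeps the fix.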
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureManagedGrafanaContainerInsights.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureManagedGrafanaContainerInsights.yaml
new file mode 100644
index 000000000..b69d42f39
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureManagedGrafanaContainerInsights.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureManagedGrafanaContainerInsights
+title: 'Cluster architecture: Configure monitoring of cluster with Container insights.'
+description: Container insights help provides actionable insights into your clusters
+ idle and unallocated resources. Container insights also supports collecting Prometheus
+ metrics and integrates with Azure Managed Grafana to get a holistic view of your
+ application and infrastructure.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 3c328ad3-02b3-4b44-b833-e8e0edcf8fd8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureSavingsPlanAzureReservations.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureSavingsPlanAzureReservations.yaml
new file mode 100644
index 000000000..5d6e43f51
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureSavingsPlanAzureReservations.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureSavingsPlanAzureReservations
+title: 'Cluster architecture: Sign up for Azure Reservations or Azure Savings Plan.'
+description: If you properly planned for capacity, your workload is predictable and
+ exists for an extended period of time, sign up for an Azure Reservation or a savings
+ plan to further reduce your resource costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 8b20a125-f425-42b9-9636-128941325958
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureSpotVirtualMachinesUnutilizedAzureCapacity.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureSpotVirtualMachinesUnutilizedAzureCapacity.yaml
new file mode 100644
index 000000000..f28a3d46e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-AzureSpotVirtualMachinesUnutilizedAzureCapacity.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureSpotVirtualMachinesUnutilizedAzureCapacity
+title: 'Cluster architecture: Select Azure Spot Virtual Machines.'
+description: Spot VMs allow you to take advantage of unutilized Azure capacity with
+ significant discounts (up to 90% as compared to pay-as-you-go prices). If Azure
+ needs capacity back, the Azure infrastructure evicts the Spot nodes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 357e61fe-86e6-41c6-b446-3f0def6d8bcf
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostAnalysisClusterExtensionAksCostAnalysis.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostAnalysisClusterExtensionAksCostAnalysis.yaml
new file mode 100644
index 000000000..f79abfe2f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostAnalysisClusterExtensionAksCostAnalysis.yaml
@@ -0,0 +1,15 @@
+name: wafsg-CostAnalysisClusterExtensionAksCostAnalysis
+title: 'Cluster architecture: Configure the AKS Cost Analysis add-on.'
+description: The cost analysis cluster extension enables you to obtain granular insight
+ into costs associated with various Kubernetes resources in your clusters or namespaces.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 1104dc91-14f0-4330-ac7d-fa85039a0802
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostOptimizationOpportunitiesPerformanceMetrics.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostOptimizationOpportunitiesPerformanceMetrics.yaml
new file mode 100644
index 000000000..675d3d76c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostOptimizationOpportunitiesPerformanceMetrics.yaml
@@ -0,0 +1,17 @@
+name: wafsg-CostOptimizationOpportunitiesPerformanceMetrics
+title: 'Cluster architecture: Review performance metrics, starting with CPU, memory,
+ storage, and network, to identify cost optimization opportunities by cluster, nodes,
+ and namespace.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: aa2243d7-e30a-4963-b569-a93bf2660bb2
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostSavingGoalsCloudFinancialDiscipline.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostSavingGoalsCloudFinancialDiscipline.yaml
new file mode 100644
index 000000000..ea0a058c0
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-CostSavingGoalsCloudFinancialDiscipline.yaml
@@ -0,0 +1,19 @@
+name: wafsg-CostSavingGoalsCloudFinancialDiscipline
+title: 'Cluster and workload architectures: Adopt a cloud financial discipline and
+ cultural practice to drive ownership of cloud usage.'
+description: The foundation of enabling cost optimization is the spread of a cost
+ saving cluster. A financial operations approach (FinOps) is often used to help organizations
+ reduce cloud costs. It is a practice involving collaboration between finance, operations,
+ and engineering teams to drive alignment on cost saving goals and bring transparency
+ to cloud costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 7bf19a02-eeec-4611-b559-f5cef964cc63
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ExcessResourceCapacityClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ExcessResourceCapacityClusterArchitecture.yaml
new file mode 100644
index 000000000..a53b0098e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ExcessResourceCapacityClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ExcessResourceCapacityClusterArchitecture
+title: 'Cluster architecture: Enable Cluster Autoscaler to automatically reduce the
+ number of agent nodes in response to excess resource capacity.'
+description: Automatically scaling down the number of nodes in your AKS cluster lets
+ you run an efficient cluster when demand is low and scale up when demand returns.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 330a0b20-69f1-44b9-9b9e-907e8e1bf5ca
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ExtraNetworkingChargesClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ExtraNetworkingChargesClusterArchitecture.yaml
new file mode 100644
index 000000000..563238608
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-ExtraNetworkingChargesClusterArchitecture.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExtraNetworkingChargesClusterArchitecture
+title: 'Cluster architecture: Select the appropriate region.'
+description: Due to many factors, cost of resources varies per region in Azure. Evaluate
+ the cost, latency, and compliance requirements to ensure you are running your workload
+ cost-effectively and it doesn't affect your end-users or create extra networking
+ charges.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: ddb71774-895b-4149-9e0c-e348a9829df5
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-HorizontalPodAutoscalerOtherSelectMetrics.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-HorizontalPodAutoscalerOtherSelectMetrics.yaml
new file mode 100644
index 000000000..7485ddc32
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-HorizontalPodAutoscalerOtherSelectMetrics.yaml
@@ -0,0 +1,15 @@
+name: wafsg-HorizontalPodAutoscalerOtherSelectMetrics
+title: 'Workload architecture: Use the Horizontal Pod Autoscaler.'
+description: Adjust the number of pods in a deployment depending on CPU utilization
+ or other select metrics, which support cluster scale-in operations.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 18dfc1c5-f5e8-4c89-9805-af9dd82f595d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-KubernetesEventDrivenAutoscalingKedaScalers.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-KubernetesEventDrivenAutoscalingKedaScalers.yaml
new file mode 100644
index 000000000..eaa6124ec
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-KubernetesEventDrivenAutoscalingKedaScalers.yaml
@@ -0,0 +1,15 @@
+name: wafsg-KubernetesEventDrivenAutoscalingKedaScalers
+title: 'Workload architecture: Use Kubernetes Event Driven Autoscaling (KEDA).'
+description: Scale based on the number of events being processed. Choose from a rich
+ catalogue of 50+ KEDA scalers.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: afad2446-229b-4b5c-89fc-33e0a1ffdf05
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-PendingPodResourceRequirementsVmSkuSelection.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-PendingPodResourceRequirementsVmSkuSelection.yaml
new file mode 100644
index 000000000..6f60f6db9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-PendingPodResourceRequirementsVmSkuSelection.yaml
@@ -0,0 +1,16 @@
+name: wafsg-PendingPodResourceRequirementsVmSkuSelection
+title: 'Cluster architecture: Enable Node Autoprovision to automate VM SKU selection.'
+description: Node Autoprovision simplifies the SKU selection process and decides,
+ based on pending pod resource requirements, the optimal VM configuration to run
+ workloads in the most efficient and cost effective manner.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 479e3bcb-48bb-4f49-a449-d67df3a82c1e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-RightVirtualMachineInstanceTypeHighPerformanceInstance.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-RightVirtualMachineInstanceTypeHighPerformanceInstance.yaml
new file mode 100644
index 000000000..05afbbdea
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-RightVirtualMachineInstanceTypeHighPerformanceInstance.yaml
@@ -0,0 +1,19 @@
+name: wafsg-RightVirtualMachineInstanceTypeHighPerformanceInstance
+title: 'Cluster architecture: Select the right virtual machine instance type.'
+description: Selecting the right virtual machine instance type is critical as it directly
+ impacts the cost of running applications on AKS. Choosing a high-performance instance
+ without proper utilization can lead to wasteful spending, while choosing a powerful
+ instance can lead to performance issues and increased downtime. To determine the
+ right virtual machine instance type, consider workload characteristics, resource
+ requirements, and availability needs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 45c1b3bf-8e01-4337-984d-e8b03a969e4c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-UserRequestFailuresWorkloadArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-UserRequestFailuresWorkloadArchitecture.yaml
new file mode 100644
index 000000000..cf9778d65
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-UserRequestFailuresWorkloadArchitecture.yaml
@@ -0,0 +1,17 @@
+name: wafsg-UserRequestFailuresWorkloadArchitecture
+title: 'Workload architecture: Maintain small and optimized images.'
+description: Streamlining your images helps reduce costs since new nodes need to download
+ these images. Build images in a way that allows the container start as soon as possible
+ to help avoid user request failures or timeouts while the application is starting
+ up, potentially leading to overprovisioning.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: d6b9a1b1-66b9-4f32-9269-4dba8ff3691d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-VerticalPodAutoscalerWorkloadArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-VerticalPodAutoscalerWorkloadArchitecture.yaml
new file mode 100644
index 000000000..bcd83df88
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-VerticalPodAutoscalerWorkloadArchitecture.yaml
@@ -0,0 +1,15 @@
+name: wafsg-VerticalPodAutoscalerWorkloadArchitecture
+title: 'Workload architecture: Use Vertical Pod Autoscaler (preview).'
+description: Rightsize your pods and dynamically set requests and limits based on
+ historic usage.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: ff159e4c-281f-4c30-aa1c-819ce3c94aad
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-WorkloadArchitectureCluster.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-WorkloadArchitectureCluster.yaml
new file mode 100644
index 000000000..eec4873a0
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-WorkloadArchitectureCluster.yaml
@@ -0,0 +1,16 @@
+name: wafsg-WorkloadArchitectureCluster
+title: 'Cluster and workload architecture: Use autoscalers to scale in when workloads
+ are less active.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: d917bb41-11ca-4487-a354-abad918096e6
+links: []
+queries: {}
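Review bot: The `source` block of this record has a different shape from the other wafsg records in the same directory: it carries `timestamp: July 24, 2024` and points at `well-architected/service-guides/azure-kubernetes-service.md`, while its siblings (the hunks ending at L57851 and L57895, for example) point at `./checklists-ext/wafsg_checklist.en.json` and have no `timestamp`, and the `description` here is the empty string. The same divergence appears in the hunks ending at L58567 and L58633. These files look like generator output, so the mismatch presumably comes from two extraction paths rather than hand editing, but any consumer of these YAML files must then treat `source.timestamp` as optional and tolerate an empty `description`, or the generator should emit one schema for every wafsg record. The timestamp is also a free-form, locale-dependent date string; an ISO 8601 value such as `timestamp: 2024-07-24` would sort and compare reliably.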
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-WorkloadArchitecturesDiskSize.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-WorkloadArchitecturesDiskSize.yaml
new file mode 100644
index 000000000..22a7abf70
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Cost/wafsg-WorkloadArchitecturesDiskSize.yaml
@@ -0,0 +1,16 @@
+name: wafsg-WorkloadArchitecturesDiskSize
+title: 'Cluster and workload architectures: Align SKU selection and managed disk size
+ with workload requirements.'
+description: Matching your selection to your workload demands ensures you don't pay
+ for unneeded resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Cost
+severity: 1
+labels:
+ guid: 60822342-a88f-4260-a595-c5919386bbdd
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksAutoCertificateRotation.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksAutoCertificateRotation.yaml
new file mode 100644
index 000000000..3bd55080d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksAutoCertificateRotation.yaml
@@ -0,0 +1,15 @@
+name: revcl-AksAutoCertificateRotation
+title: Enable AKS auto-certificate rotation
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 3aa70560-e7e7-4968-be3d-628af35b2ced
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/certificate-rotation
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksAutoupgradeFeatureRegularProcess.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksAutoupgradeFeatureRegularProcess.yaml
new file mode 100644
index 000000000..5af85d65b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksAutoupgradeFeatureRegularProcess.yaml
@@ -0,0 +1,16 @@
+name: revcl-AksAutoupgradeFeatureRegularProcess
+title: Have a regular process to upgrade your kubernetes version periodically (quarterly,
+ for example), or use the AKS autoupgrade feature
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: e189c599-df0d-45a7-9dd4-ce32c1881370
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/supported-kubernetes-versions
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksCommandPrivateClusters.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksCommandPrivateClusters.yaml
new file mode 100644
index 000000000..fafc094f3
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksCommandPrivateClusters.yaml
@@ -0,0 +1,15 @@
+name: revcl-AksCommandPrivateClusters
+title: Consider using AKS command invoke on private clusters
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: d7672c26-7602-4482-85a4-14527fbe855c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/command-invoke
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksVirtualNodeQuickBursting.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksVirtualNodeQuickBursting.yaml
new file mode 100644
index 000000000..2cd10c863
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AksVirtualNodeQuickBursting.yaml
@@ -0,0 +1,18 @@
+name: revcl-AksVirtualNodeQuickBursting
+title: Consider AKS virtual node for quick bursting
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: c755562f-2b4e-4456-9b4d-874a748b662e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/concepts-scale
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true)
+ | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AzureAdvisorRecommendations.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AzureAdvisorRecommendations.yaml
new file mode 100644
index 000000000..555d5154f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AzureAdvisorRecommendations.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureAdvisorRecommendations
+title: Check regularly Azure Advisor for recommendations on your cluster
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 337453a3-cc63-4963-9a65-22ac19e80696
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/advisor/advisor-get-started
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AzureCniPodIps.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AzureCniPodIps.yaml
new file mode 100644
index 000000000..5dc5b4524
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-AzureCniPodIps.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureCniPodIps
+title: If using Azure CNI, monitor % of pod IPs consumed per node
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 1a4835ac-9422-423e-ae80-b123081a5417
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/configure-azure-cni
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterConfigurationMultipleClusters.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterConfigurationMultipleClusters.yaml
new file mode 100644
index 000000000..d884f443c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterConfigurationMultipleClusters.yaml
@@ -0,0 +1,16 @@
+name: revcl-ClusterConfigurationMultipleClusters
+title: Consider gitops to deploy applications or cluster configuration to multiple
+ clusters
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 0102ce16-ee30-41e6-b882-e52e4621dd68
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterLogsContainerInsights.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterLogsContainerInsights.yaml
new file mode 100644
index 000000000..cce39ac94
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterLogsContainerInsights.yaml
@@ -0,0 +1,19 @@
+name: revcl-ClusterLogsContainerInsights
+title: Store and analyze your cluster logs with Container Insights (or other tools
+ like Telegraf/ElasticSearch)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: eaa8dc4a-2436-47b3-9697-15b1752beee0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true)
+ | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterMetricsContainerInsights.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterMetricsContainerInsights.yaml
new file mode 100644
index 000000000..b4984010a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterMetricsContainerInsights.yaml
@@ -0,0 +1,15 @@
+name: revcl-ClusterMetricsContainerInsights
+title: Monitor your cluster metrics with Container Insights (or other tools like Prometheus)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: 6f8389a7-f82c-4b8e-a8c0-aa63a25a4956
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterNodeImagesRegularProcess.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterNodeImagesRegularProcess.yaml
new file mode 100644
index 000000000..22cd93a85
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ClusterNodeImagesRegularProcess.yaml
@@ -0,0 +1,16 @@
+name: revcl-ClusterNodeImagesRegularProcess
+title: Have a regular process to upgrade the cluster node images periodically (weekly,
+ for example)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: 139c9580-ade3-426a-ba09-cf157d9f6477
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/node-image-upgrade
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-CriticalMetricsContainerInsights.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-CriticalMetricsContainerInsights.yaml
new file mode 100644
index 000000000..53e056669
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-CriticalMetricsContainerInsights.yaml
@@ -0,0 +1,15 @@
+name: revcl-CriticalMetricsContainerInsights
+title: Configure alerts on the most critical metrics (see Container Insights for recommendations)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: 67f7a9ed-5b31-4f38-a3f3-9812b2463cff
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-CustomNodeRgInfraRg.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-CustomNodeRgInfraRg.yaml
new file mode 100644
index 000000000..034806482
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-CustomNodeRgInfraRg.yaml
@@ -0,0 +1,17 @@
+name: revcl-CustomNodeRgInfraRg
+title: Use custom Node RG (aka 'Infra RG') name
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 73b32a5a-67f7-4a9e-b5b3-1f38c3f39812
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/cluster-configuration
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-DeprecatedKubernetesApisYamlManifests.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-DeprecatedKubernetesApisYamlManifests.yaml
new file mode 100644
index 000000000..90ecab7e1
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-DeprecatedKubernetesApisYamlManifests.yaml
@@ -0,0 +1,15 @@
+name: revcl-DeprecatedKubernetesApisYamlManifests
+title: Do not use deprecated Kubernetes APIs in your YAML manifests
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: b2463cff-e189-4c59-adf0-d5a73dd4ce32
+links:
+- type: docs
+ url: https://kubernetes.io/docs/setup/release/notes/
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-EgressFilteringStandardAlb.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-EgressFilteringStandardAlb.yaml
new file mode 100644
index 000000000..9a0d31db9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-EgressFilteringStandardAlb.yaml
@@ -0,0 +1,16 @@
+name: revcl-EgressFilteringStandardAlb
+title: If not using egress filtering with AzFW/NVA, monitor standard ALB allocated
+ SNAT ports
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: be209d39-fda4-4777-a424-d116785c2fa5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/load-balancer-standard
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-EnoughQuotaSubscription.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-EnoughQuotaSubscription.yaml
new file mode 100644
index 000000000..2e4a31650
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-EnoughQuotaSubscription.yaml
@@ -0,0 +1,15 @@
+name: revcl-EnoughQuotaSubscription
+title: Ensure your subscription has enough quota to scale out your nodepools
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: 081a5417-4158-433e-a3ad-3c2de733165c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-GovernancePracticesNodeRg.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-GovernancePracticesNodeRg.yaml
new file mode 100644
index 000000000..99d6b9c86
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-GovernancePracticesNodeRg.yaml
@@ -0,0 +1,16 @@
+name: revcl-GovernancePracticesNodeRg
+title: Develop own governance practices to make sure no changes are performed by operators
+ in the node RG (aka 'infra RG')
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: ed0fda7f-211b-47c7-8b6e-c18873fb473c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/faq
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-HostPatchLevelWindowsContainers.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-HostPatchLevelWindowsContainers.yaml
new file mode 100644
index 000000000..045b5414f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-HostPatchLevelWindowsContainers.yaml
@@ -0,0 +1,15 @@
+name: revcl-HostPatchLevelWindowsContainers
+title: Keep windows containers patch level in sync with host patch level
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 67138b82-0102-4ce1-9ee3-01e6e882e52e
+links:
+- type: docs
+ url: https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-LinuxNodeUpgradesNodeImageUpgrade.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-LinuxNodeUpgradesNodeImageUpgrade.yaml
new file mode 100644
index 000000000..a0c859741
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-LinuxNodeUpgradesNodeImageUpgrade.yaml
@@ -0,0 +1,15 @@
+name: revcl-LinuxNodeUpgradesNodeImageUpgrade
+title: Use kured for Linux node upgrades in case you are not using node-image upgrade
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: 6f7c4c0d-4e51-4464-ad24-57ed67138b82
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/node-updates-kured
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-MemoryUtilizationCpu.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-MemoryUtilizationCpu.yaml
new file mode 100644
index 000000000..494cd7a85
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-MemoryUtilizationCpu.yaml
@@ -0,0 +1,15 @@
+name: revcl-MemoryUtilizationCpu
+title: Monitor CPU and memory utilization of the nodes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 4621dd68-c5a5-4be2-bdb1-1726769ef669
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-MicroserviceDevelopmentDapr.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-MicroserviceDevelopmentDapr.yaml
new file mode 100644
index 000000000..0bce8abdf
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-MicroserviceDevelopmentDapr.yaml
@@ -0,0 +1,15 @@
+name: revcl-MicroserviceDevelopmentDapr
+title: Use Dapr to ease microservice development
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 26886d20-b66c-457b-a591-19bf8e8f5c58
+links:
+- type: docs
+ url: https://dapr.io/
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-NodeAutoDrainEvents.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-NodeAutoDrainEvents.yaml
new file mode 100644
index 000000000..ab3fb0a34
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-NodeAutoDrainEvents.yaml
@@ -0,0 +1,15 @@
+name: revcl-NodeAutoDrainEvents
+title: For planned events consider using Node Auto Drain
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 31d7aaab-7571-4449-ab80-53d89e89d17b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-OsDiskQueueDepthCriticalResource.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-OsDiskQueueDepthCriticalResource.yaml
new file mode 100644
index 000000000..0e0b63bb1
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-OsDiskQueueDepthCriticalResource.yaml
@@ -0,0 +1,18 @@
+name: revcl-OsDiskQueueDepthCriticalResource
+title: Monitor OS disk queue depth in nodes
+description: I/O in the OS disk is a critical resource. If the OS in the nodes gets
+ throttled on I/O, this could lead to unpredictable behavior, typically ending up
+ in node being declared NotReady
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 415833ea-3ad3-4c2d-b733-165c3acbe04b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-PodSpecsRequests.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-PodSpecsRequests.yaml
new file mode 100644
index 000000000..e6b9f8c43
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-PodSpecsRequests.yaml
@@ -0,0 +1,15 @@
+name: revcl-PodSpecsRequests
+title: Configure requests and limits in your pod specs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: b54eb2eb-03dd-4aa3-9927-18e2edb11726
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-PreferredLogManagementSolutionViaDiagnosticSettings.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-PreferredLogManagementSolutionViaDiagnosticSettings.yaml
new file mode 100644
index 000000000..ada6f5f48
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-PreferredLogManagementSolutionViaDiagnosticSettings.yaml
@@ -0,0 +1,17 @@
+name: revcl-PreferredLogManagementSolutionViaDiagnosticSettings
+title: Send master logs (aka API logs) to Azure Monitor or your preferred log management
+ solution
+description: Via Diagnostic Settings at the cluster level
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: 5b56ad48-408f-4e72-934c-476ba280dcf5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/monitor-aks
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ReadinessProbesLiveness.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ReadinessProbesLiveness.yaml
new file mode 100644
index 000000000..4ba21c4b8
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ReadinessProbesLiveness.yaml
@@ -0,0 +1,15 @@
+name: revcl-ReadinessProbesLiveness
+title: Configure Liveness and Readiness probes for all deployments
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 0
+labels:
+ guid: f4fd0602-7ab5-46f1-b66a-e9dea9654a65
+links:
+- type: docs
+ url: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ResourceHealthNotificationsAksCluster.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ResourceHealthNotificationsAksCluster.yaml
new file mode 100644
index 000000000..0c47eedf0
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ResourceHealthNotificationsAksCluster.yaml
@@ -0,0 +1,15 @@
+name: revcl-ResourceHealthNotificationsAksCluster
+title: Subscribe to resource health notifications for your AKS cluster
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 74c2ee76-569b-4a79-a57e-dedf91b022c9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/aks-resource-health
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ResourceQuotasNamespaces.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ResourceQuotasNamespaces.yaml
new file mode 100644
index 000000000..0ec053aa8
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-ResourceQuotasNamespaces.yaml
@@ -0,0 +1,15 @@
+name: revcl-ResourceQuotasNamespaces
+title: Enforce resource quotas for namespaces
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 769ef669-1a48-435a-a942-223ece80b123
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-SpotNodePoolsTimeSensitiveWorkloads.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-SpotNodePoolsTimeSensitiveWorkloads.yaml
new file mode 100644
index 000000000..cd25f0fe4
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-SpotNodePoolsTimeSensitiveWorkloads.yaml
@@ -0,0 +1,15 @@
+name: revcl-SpotNodePoolsTimeSensitiveWorkloads
+title: Consider spot node pools for non time-sensitive workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: c5a5b252-1e44-4a59-a9d2-399c4d7b68d0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/spot-node-pool
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-TaintWindowsNodes.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-TaintWindowsNodes.yaml
new file mode 100644
index 000000000..dc54bb44c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/revcl-TaintWindowsNodes.yaml
@@ -0,0 +1,15 @@
+name: revcl-TaintWindowsNodes
+title: Taint Windows nodes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 2
+labels:
+ guid: c1881370-6f7c-44c0-b4e5-14648d2457ed
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AksBestPracticesDocumentationWorkloadArchitectures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AksBestPracticesDocumentationWorkloadArchitectures.yaml
new file mode 100644
index 000000000..0d9b6b4ae
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AksBestPracticesDocumentationWorkloadArchitectures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AksBestPracticesDocumentationWorkloadArchitectures
+title: 'Cluster and workload architectures: Review AKS best practices documentation.'
+description: To build and run applications successfully in AKS, there are key considerations
+ to understand and implement. These areas include multi-tenancy and scheduler features,
+ cluster, and pod security, or business continuity and disaster recovery.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: df3a72a5-8d24-4289-aa12-803287bb182d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AutomatedDeploymentProcessesSoftwareDevelopmentLifecycle.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AutomatedDeploymentProcessesSoftwareDevelopmentLifecycle.yaml
new file mode 100644
index 000000000..f17edcda5
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AutomatedDeploymentProcessesSoftwareDevelopmentLifecycle.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AutomatedDeploymentProcessesSoftwareDevelopmentLifecycle
+title: 'Workload architecture: Use a repeatable and automated deployment processes
+ for your workload within your software development lifecycle.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: a394bfb7-a185-4416-af7f-908ad78ba2cf
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AzureChaosStudioDisasterRecoverySituations.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AzureChaosStudioDisasterRecoverySituations.yaml
new file mode 100644
index 000000000..3c1cfd24f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-AzureChaosStudioDisasterRecoverySituations.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureChaosStudioDisasterRecoverySituations
+title: 'Cluster and workload architectures: Review Azure Chaos Studio.'
+description: Azure Chaos Studio can help simulate faults and trigger disaster recovery
+ situations.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 037e283c-7763-4006-939e-f101331fef86
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-CentralizedConsistentMannerPodsConfigurationStandards.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-CentralizedConsistentMannerPodsConfigurationStandards.yaml
new file mode 100644
index 000000000..bb26d8770
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-CentralizedConsistentMannerPodsConfigurationStandards.yaml
@@ -0,0 +1,17 @@
+name: wafsg-CentralizedConsistentMannerPodsConfigurationStandards
+title: 'Cluster architecture: Operationalize clusters and pods configuration standards
+ with Azure Policy.'
+description: Azure Policy can help to apply at-scale enforcement and safeguards on
+ your clusters in a centralized, consistent manner. It can also control what functions
+ pods are granted and if anything is running against company policy.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 3dc59879-d877-4719-84d1-8262c08c7081
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ChaosEngineeringPracticesPlatformReliabilityIssues.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ChaosEngineeringPracticesPlatformReliabilityIssues.yaml
new file mode 100644
index 000000000..4f0b37c85
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ChaosEngineeringPracticesPlatformReliabilityIssues.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ChaosEngineeringPracticesPlatformReliabilityIssues
+title: 'Cluster and workload architectures: Use chaos engineering practices that target
+ Kubernetes to identify application or platform reliability issues.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: e14572fc-3556-4968-a23b-dcdb2305c57c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-CoreApiServerInteractionsClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-CoreApiServerInteractionsClusterArchitecture.yaml
new file mode 100644
index 000000000..8ed3a96eb
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-CoreApiServerInteractionsClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CoreApiServerInteractionsClusterArchitecture
+title: 'Cluster architecture: Enable diagnostics settings to ensure control plane
+ or core API server interactions are logged.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: b88f9b48-fd82-404f-8b7b-5acea4d17dc4
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-DifferentAzureRegionsInternetFacingWorkloads-1.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-DifferentAzureRegionsInternetFacingWorkloads-1.yaml
new file mode 100644
index 000000000..9c5f5fb14
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-DifferentAzureRegionsInternetFacingWorkloads-1.yaml
@@ -0,0 +1,17 @@
+name: wafsg-DifferentAzureRegionsInternetFacingWorkloads-1
+title: 'Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters
+ deployed across different Azure regions to maximize availability and provide business
+ continuity.'
+description: Internet facing workloads should leverage Azure Front Door or Azure Traffic
+ Manager to route traffic globally across AKS clusters.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 8dd12fab-e3cb-4b39-9ebf-3609a3de2e34
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ManyAdvancedDeploymentPatternsReleaseEngineeringProcess.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ManyAdvancedDeploymentPatternsReleaseEngineeringProcess.yaml
new file mode 100644
index 000000000..198adbf2a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ManyAdvancedDeploymentPatternsReleaseEngineeringProcess.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ManyAdvancedDeploymentPatternsReleaseEngineeringProcess
+title: 'Workload architecture: Use platform capabilities in your release engineering
+ process.'
+description: Kubernetes and ingress controllers support many advanced deployment patterns
+ for inclusion in your release engineering process. Consider patterns like blue-green
+ deployments or canary releases.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: cb3372a2-16ef-4ebf-b7c2-b58f984ef966
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-NecessaryClusterWideConfigurationsClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-NecessaryClusterWideConfigurationsClusterArchitecture.yaml
new file mode 100644
index 000000000..89fc4873f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-NecessaryClusterWideConfigurationsClusterArchitecture.yaml
@@ -0,0 +1,17 @@
+name: wafsg-NecessaryClusterWideConfigurationsClusterArchitecture
+title: 'Cluster architecture: Build an automated process to ensure your clusters are
+ bootstrapped with the necessary cluster-wide configurations and deployments. This
+ is often performed using GitOps.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 484c6621-c021-430c-a94b-633da893adc5
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ReadinessStatusesWorkloadArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ReadinessStatusesWorkloadArchitecture.yaml
new file mode 100644
index 000000000..4714de234
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-ReadinessStatusesWorkloadArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ReadinessStatusesWorkloadArchitecture
+title: 'Workload architecture: The workload should be designed to emit telemetry that
+ can be collected, which should also include liveliness and readiness statuses.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: a36b0ea0-7805-4deb-8c01-75ad610ecdc7
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-SeamlessOnboardingExperienceReferenceConfigureScraping.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-SeamlessOnboardingExperienceReferenceConfigureScraping.yaml
new file mode 100644
index 000000000..57ed3b6d5
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-SeamlessOnboardingExperienceReferenceConfigureScraping.yaml
@@ -0,0 +1,17 @@
+name: wafsg-SeamlessOnboardingExperienceReferenceConfigureScraping
+title: 'Workload architecture: Configure scraping of Prometheus metrics with Container
+ insights.'
+description: Container insights, which are part of Azure Monitor, provide a seamless
+ onboarding experience to collect Prometheus metrics. Reference Configure scraping
+ of Prometheus metrics for more information.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 35367a45-61fb-4731-a636-e59e8ce67fac
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-SourceCodeRepoClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-SourceCodeRepoClusterArchitecture.yaml
new file mode 100644
index 000000000..a3b99e278
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-SourceCodeRepoClusterArchitecture.yaml
@@ -0,0 +1,17 @@
+name: wafsg-SourceCodeRepoClusterArchitecture
+title: 'Cluster architecture: Use a template-based deployment using Bicep, Terraform,
+ or others. Make sure that all deployments are repeatable, traceable, and stored
+ in a source code repo.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 231e994a-ffa3-4eef-bcd5-e85c0fd017ef
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-StampLevelBlueGreenDeploymentsMissionCriticalDesignAreas.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-StampLevelBlueGreenDeploymentsMissionCriticalDesignAreas.yaml
new file mode 100644
index 000000000..e870463cb
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-StampLevelBlueGreenDeploymentsMissionCriticalDesignAreas.yaml
@@ -0,0 +1,16 @@
+name: wafsg-StampLevelBlueGreenDeploymentsMissionCriticalDesignAreas
+title: 'Cluster and workload architectures: For mission-critical workloads, use stamp-level
+ blue/green deployments.'
+description: Automate your mission-critical design areas, including deployment and
+ testing.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 0586a21b-1b24-4112-b1b6-9e10119bed8b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitectureApplicationPerformance.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitectureApplicationPerformance.yaml
new file mode 100644
index 000000000..e2113d45d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitectureApplicationPerformance.yaml
@@ -0,0 +1,15 @@
+name: wafsg-WorkloadArchitectureApplicationPerformance
+title: 'Workload architecture: Monitor application performance with Azure Monitor.'
+description: Configure Application Insights for code-based monitoring of applications
+ running in an AKS cluster.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: ea1485fc-32d7-46dc-a000-9e87c4834091
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitectureContainer.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitectureContainer.yaml
new file mode 100644
index 000000000..10b563939
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitectureContainer.yaml
@@ -0,0 +1,16 @@
+name: wafsg-WorkloadArchitectureContainer
+title: 'Workload architecture: Optimize your workload to operate and deploy efficiently
+ in a container.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 3e3b24ae-ab28-40fe-8074-1a30b6c1a71f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesContainerInsights-1-2.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesContainerInsights-1-2.yaml
new file mode 100644
index 000000000..c9b0b00c0
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesContainerInsights-1-2.yaml
@@ -0,0 +1,17 @@
+name: wafsg-WorkloadArchitecturesContainerInsights-1-2
+title: 'Cluster and workload architectures: Configure monitoring of cluster with Container
+ insights.'
+description: Container insights help monitor the performance of containers by collecting
+ memory and processor metrics from controllers, nodes, and containers that are available
+ in Kubernetes through the Metrics API and container logs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: bdab324d-7736-4444-a03e-a1ec180f3699
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesContainerInsights-1.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesContainerInsights-1.yaml
new file mode 100644
index 000000000..191a7346a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesContainerInsights-1.yaml
@@ -0,0 +1,17 @@
+name: wafsg-WorkloadArchitecturesContainerInsights-1
+title: 'Cluster and workload architectures: Enable Container insights to collect metrics,
+ logs, and diagnostics to monitor the availability and performance of the cluster
+ and workloads running on it.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: 9ab6b90d-899e-4c61-8127-e097c1d80cca
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesWorkloadGovernance.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesWorkloadGovernance.yaml
new file mode 100644
index 000000000..3735d1baa
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Operations/wafsg-WorkloadArchitecturesWorkloadGovernance.yaml
@@ -0,0 +1,16 @@
+name: wafsg-WorkloadArchitecturesWorkloadGovernance
+title: 'Cluster and workload architectures: Enforce cluster and workload governance
+ using Azure Policy.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Operations
+severity: 1
+labels:
+ guid: cb964e93-b3f5-43b4-a52f-30f53a16d163
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AdditionalAksClusterNodes.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AdditionalAksClusterNodes.yaml
new file mode 100644
index 000000000..6fae6dcfd
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AdditionalAksClusterNodes.yaml
@@ -0,0 +1,16 @@
+name: revcl-AdditionalAksClusterNodes
+title: If more than 5000 nodes are required for scalability then consider using an
+ additional AKS cluster
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: 38800e6a-ae01-40a2-9fbc-ae5a06e5462d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AksNodePoolsNodeConfiguration.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AksNodePoolsNodeConfiguration.yaml
new file mode 100644
index 000000000..68c15fd4e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AksNodePoolsNodeConfiguration.yaml
@@ -0,0 +1,17 @@
+name: revcl-AksNodePoolsNodeConfiguration
+title: Customize node configuration for AKS node pools
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: 831c2872-c693-4b39-a887-a561bada49bc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/custom-node-configuration
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant
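Review bot: The ARG query closing this hunk reads `properties.austoscalerProfile`, a misspelling of the `properties.autoScalerProfile` key used by the revcl-ClusterAutoscaler query further down this diff; the misspelled path resolves to null on every cluster, so `compliant` is always false and the check can never pass. Independently of the spelling, the predicate evaluates the cluster autoscaler profile while this recommendation is "Customize node configuration for AKS node pools", so it appears to have been copied from the autoscaler reco and would grade the wrong setting even once fixed. Either drop the check (`queries: {}`, as the other revcl files without an evaluable query do) or write a predicate over the node pools' configuration, e.g. by expanding `properties.agentPoolProfiles` as the ephemeral-OS-disk query in this diff does, so the result actually reflects per-pool node configuration.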
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AppropriateNodeSizeLargerNodes.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AppropriateNodeSizeLargerNodes.yaml
new file mode 100644
index 000000000..12f3a98cd
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AppropriateNodeSizeLargerNodes.yaml
@@ -0,0 +1,18 @@
+name: revcl-AppropriateNodeSizeLargerNodes
+title: Consider an appropriate node size, not too large or too small
+description: Larger nodes will bring higher performance and features such as ephemeral
+ disks and accelerated networking, but they will increase the blast radius and decrease
+ the scaling granularity
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 0
+labels:
+ guid: 5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3
+links:
+- type: docs
+ url: https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureCniMaximumNumber.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureCniMaximumNumber.yaml
new file mode 100644
index 000000000..cb20586c1
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureCniMaximumNumber.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureCniMaximumNumber
+title: If using Azure CNI, size your subnet accordingly considering the maximum number
+ of pods per node
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 0
+labels:
+ guid: 7faf12e7-0943-4f63-8472-2da29c2b1cd6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/configure-azure-cni
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureCniMaximumPodsNode.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureCniMaximumPodsNode.yaml
new file mode 100644
index 000000000..57eee48f2
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureCniMaximumPodsNode.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureCniMaximumPodsNode
+title: If using Azure CNI, check the maximum pods/node (default 30)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 0
+labels:
+ guid: 22f54b29-bade-43aa-b1e8-c38ec9366673
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/configure-azure-cni
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureDedicatedHostsAksNodes.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureDedicatedHostsAksNodes.yaml
new file mode 100644
index 000000000..3ca11e2aa
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureDedicatedHostsAksNodes.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureDedicatedHostsAksNodes
+title: If required consider using Azure Dedicated Hosts for AKS nodes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: c4e37133-f186-4ce1-aed9-9f1b32f6e021
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureDisksLrsDisk.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureDisksLrsDisk.yaml
new file mode 100644
index 000000000..f4e01c6f3
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-AzureDisksLrsDisk.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureDisksLrsDisk
+title: If using Azure Disks and AZs, consider having nodepools within a zone for LRS
+ disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right
+ zone or use ZRS disk for nodepools spanning multiple zones
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 83958a8c-2689-4b32-ab57-cfc64546135a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-ClusterAutoscaler.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-ClusterAutoscaler.yaml
new file mode 100644
index 000000000..162ecd5b3
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-ClusterAutoscaler.yaml
@@ -0,0 +1,17 @@
+name: revcl-ClusterAutoscaler
+title: Use the Cluster Autoscaler
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 90ce65de-8e13-4f9c-abd4-69266abca264
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/concepts-scale
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-DefaultAksLogRotationThresholdsLargerOsDisks.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-DefaultAksLogRotationThresholdsLargerOsDisks.yaml
new file mode 100644
index 000000000..86a0a3828
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-DefaultAksLogRotationThresholdsLargerOsDisks.yaml
@@ -0,0 +1,17 @@
+name: revcl-DefaultAksLogRotationThresholdsLargerOsDisks
+title: For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when
+ running many pods/node since it requires high performance for running multiple pods
+ and will generate huge logs with default AKS log rotation thresholds
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 0
+labels:
+ guid: f0ce315f-1120-4166-8206-94f2cf3a4d07
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-machines/disks-types
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EphemeralOsDisks.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EphemeralOsDisks.yaml
new file mode 100644
index 000000000..cccfb36e6
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EphemeralOsDisks.yaml
@@ -0,0 +1,18 @@
+name: revcl-EphemeralOsDisks
+title: Use ephemeral OS disks
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 0
+labels:
+ guid: 24367b33-6971-45b1-952b-eee0b9b588de
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/cluster-configuration
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles
+ | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project
+ id,name=strcat(name,'-',pools.name), resourceGroup, compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EventDrivenWorkloadsKeda.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EventDrivenWorkloadsKeda.yaml
new file mode 100644
index 000000000..76efba5b9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EventDrivenWorkloadsKeda.yaml
@@ -0,0 +1,15 @@
+name: revcl-EventDrivenWorkloadsKeda
+title: Use KEDA if running event-driven workloads
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: a280dcf5-90ce-465d-b8e1-3f9ccbd46926
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EventgridEventsAksAutomation.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EventgridEventsAksAutomation.yaml
new file mode 100644
index 000000000..4201610f9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-EventgridEventsAksAutomation.yaml
@@ -0,0 +1,15 @@
+name: revcl-EventgridEventsAksAutomation
+title: Consider subscribing to EventGrid Events for AKS automation
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: 9583c0f6-6083-43f6-aa6b-df7102c901bb
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-grid/event-schema-aks
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-HorizontalPodAutoscaler.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-HorizontalPodAutoscaler.yaml
new file mode 100644
index 000000000..0abaf3a20
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-HorizontalPodAutoscaler.yaml
@@ -0,0 +1,15 @@
+name: revcl-HorizontalPodAutoscaler
+title: Use the Horizontal Pod Autoscaler when required
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: faa19bfe-9d55-4d04-a3c4-919ca1b2d121
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/concepts-scale
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-HyperPerformanceStorageOptionUltraDisks.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-HyperPerformanceStorageOptionUltraDisks.yaml
new file mode 100644
index 000000000..eba3de3eb
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-HyperPerformanceStorageOptionUltraDisks.yaml
@@ -0,0 +1,15 @@
+name: revcl-HyperPerformanceStorageOptionUltraDisks
+title: For hyper performance storage option use Ultra Disks on AKS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: 39c486ce-d5af-4062-89d5-18bb5fd795db
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-ultra-disks
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-LongRunningOperationAksCluster.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-LongRunningOperationAksCluster.yaml
new file mode 100644
index 000000000..7035a895c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-LongRunningOperationAksCluster.yaml
@@ -0,0 +1,15 @@
+name: revcl-LongRunningOperationAksCluster
+title: For long running operation on an AKS cluster consider event termination
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: c5016d8c-c6c9-4165-89ae-673ef0fff19d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/manage-abort-operations
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-PerformanceReasonsAzfilesStandard.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-PerformanceReasonsAzfilesStandard.yaml
new file mode 100644
index 000000000..c7b220153
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-PerformanceReasonsAzfilesStandard.yaml
@@ -0,0 +1,16 @@
+name: revcl-PerformanceReasonsAzfilesStandard
+title: If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance
+ reasons
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 24429eb7-2281-4376-85cc-57b4a4b18142
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-storage
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-PublicIpNode.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-PublicIpNode.yaml
new file mode 100644
index 000000000..25bd142f6
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-PublicIpNode.yaml
@@ -0,0 +1,15 @@
+name: revcl-PublicIpNode
+title: If required configure Public IP per node in AKS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 2
+labels:
+ guid: 4b3bb365-9458-44d9-9ed1-5c8f52890364
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-StateCluster.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-StateCluster.yaml
new file mode 100644
index 000000000..15252034f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-StateCluster.yaml
@@ -0,0 +1,16 @@
+name: revcl-StateCluster
+title: Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL,
+ Cosmos, etc)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 9f7547c1-747d-4c56-868a-714435bd19dd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-WindowsWorkloadsAcceleratedNetworking.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-WindowsWorkloadsAcceleratedNetworking.yaml
new file mode 100644
index 000000000..283e4b85a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/revcl-WindowsWorkloadsAcceleratedNetworking.yaml
@@ -0,0 +1,15 @@
+name: revcl-WindowsWorkloadsAcceleratedNetworking
+title: For Windows workloads use Accelerated Networking
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-AksAdvancedSchedulerFeaturesWorkloadArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-AksAdvancedSchedulerFeaturesWorkloadArchitecture.yaml
new file mode 100644
index 000000000..42f5e5af5
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-AksAdvancedSchedulerFeaturesWorkloadArchitecture.yaml
@@ -0,0 +1,14 @@
+name: wafsg-AksAdvancedSchedulerFeaturesWorkloadArchitecture
+title: 'Workload architecture: Use AKS advanced scheduler features.'
+description: Helps control balancing of resources for workloads that require them.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 259b98d6-ff88-4ba1-b459-bf1fab15ae3e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DetailedCapacityPlanExerciseWorkloadArchitectures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DetailedCapacityPlanExerciseWorkloadArchitectures.yaml
new file mode 100644
index 000000000..c533d0b03
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DetailedCapacityPlanExerciseWorkloadArchitectures.yaml
@@ -0,0 +1,17 @@
+name: wafsg-DetailedCapacityPlanExerciseWorkloadArchitectures
+title: 'Cluster and workload architectures: Perform and iterate on a detailed capacity
+ plan exercise that includes SKU, autoscale settings, IP addressing, and failover
+ considerations.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: f527e0a1-3ba5-48d8-93db-07cf5ce42fdd
+links: []
+queries: {}
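Review bot: This file and wafsg-DetailedCapacityPlanWorkloadArchitectures (L59386-L59407) carry the same recommendation under two names, differing only in `source.file` (`well-architected/service-guides/azure-kubernetes-service.md` with a `timestamp` here, `./checklists-ext/wafsg_checklist.en.json` there) and a longer/shorter title, so a consumer will report the same finding twice with different GUIDs. The same pairing recurs for wafsg-DifferentNodePoolsWorkloadArchitectures (L59451) vs wafsg-DifferentNodePoolsUserNodePools (L59429), wafsg-ResponseWorkloadDemandsClusterArchitecture (L59562) vs wafsg-EfficientCostEffectiveClusterClusterArchitecture (L59473), and wafsg-AksUptimeSlaClusterArchitecture (L59828) vs wafsg-TheAksUptimeSlaGuaranteesKubernetesApiServerEndpoint (L60059); the `-1` suffix on wafsg-HorizontalPodAutoscalerOtherSelectMetrics-1 (L59480) suggests the generator already detects name collisions but not content collisions. Presumably the service guide was ingested once from the markdown and once from the checklists-ext JSON; the import should dedupe on the normalised title (or prefer one source per guide) so only one YAML per recommendation is committed, and a short `# generated by .github/actions/get_service_guides — do not edit by hand` header on each file would tell reviewers which side to fix.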
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DetailedCapacityPlanWorkloadArchitectures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DetailedCapacityPlanWorkloadArchitectures.yaml
new file mode 100644
index 000000000..fb03a5ecc
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DetailedCapacityPlanWorkloadArchitectures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-DetailedCapacityPlanWorkloadArchitectures
+title: 'Cluster and workload architectures: Develop a detailed capacity plan and continually
+ review and revise.'
+description: After formalizing your capacity plan, it should be frequently updated
+ by continuously observing the resource utilization of the cluster.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 1b9c4ae0-1ae6-4d09-a1e8-22dec6edb20b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DifferentNodePoolsUserNodePools.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DifferentNodePoolsUserNodePools.yaml
new file mode 100644
index 000000000..bab571ef9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DifferentNodePoolsUserNodePools.yaml
@@ -0,0 +1,16 @@
+name: wafsg-DifferentNodePoolsUserNodePools
+title: 'Cluster and workload architectures: Separate workloads into different node
+ pools and consider scaling user node pools.'
+description: Unlike System node pools that always require running nodes, user node
+ pools allow you to scale up or down.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 0b3fd6dd-f113-441a-bf35-e6e49400a99e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DifferentNodePoolsWorkloadArchitectures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DifferentNodePoolsWorkloadArchitectures.yaml
new file mode 100644
index 000000000..a846b8746
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-DifferentNodePoolsWorkloadArchitectures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-DifferentNodePoolsWorkloadArchitectures
+title: 'Cluster and workload architectures: Separate workloads into different node
+ pools allowing independent scalling.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 162e3ed3-bde4-4a09-b074-aec1140b735a
+links: []
+queries: {}
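Review bot: `timestamp: July 24, 2024` on L59443 is a locale-dependent, month-name string rather than a machine-comparable date, so downstream code cannot sort, diff or age-check recommendations without re-parsing English month names; it also makes the `source` mapping's schema differ between files that have a timestamp and those that do not (compare L59420-L59421). The same value appears in every `.md`-sourced file in this range (L59377, L59487, L59532, L59554, L59820, L59864, L59886, L59954, L60074). Emitting ISO 8601 instead, e.g. `timestamp: '2024-07-24'` (quoted, so YAML loaders that auto-convert dates do not turn it into a date object), and adding it to every `source` mapping — or documenting it as optional — would keep the schema uniform.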
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-EfficientCostEffectiveClusterClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-EfficientCostEffectiveClusterClusterArchitecture.yaml
new file mode 100644
index 000000000..b9e96bf85
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-EfficientCostEffectiveClusterClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-EfficientCostEffectiveClusterClusterArchitecture
+title: 'Cluster architecture: Enable cluster autoscaler to automatically adjust the
+ number of agent nodes in response to resource constraints.'
+description: The ability to automatically scale up or down the number of nodes in
+ your AKS cluster lets you run an efficient, cost-effective cluster.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: b71f8835-94bd-4396-88e2-07a8ce2916e0
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-HorizontalPodAutoscalerOtherSelectMetrics-1.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-HorizontalPodAutoscalerOtherSelectMetrics-1.yaml
new file mode 100644
index 000000000..3c1010e81
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-HorizontalPodAutoscalerOtherSelectMetrics-1.yaml
@@ -0,0 +1,16 @@
+name: wafsg-HorizontalPodAutoscalerOtherSelectMetrics-1
+title: 'Cluster architecture: Use the Horizontal pod autoscaler to adjust the number
+ of pods in a deployment depending on CPU utilization or other select metrics.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 1cb2782a-f301-4c47-b0a5-f355abdbb796
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-MeaningfulAutoScaleRulesetMeaningfulWorkloadScalingMetrics.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-MeaningfulAutoScaleRulesetMeaningfulWorkloadScalingMetrics.yaml
new file mode 100644
index 000000000..c58b1bc8d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-MeaningfulAutoScaleRulesetMeaningfulWorkloadScalingMetrics.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MeaningfulAutoScaleRulesetMeaningfulWorkloadScalingMetrics
+title: 'Workload architecture: Use meaningful workload scaling metrics.'
+description: Not all scale decisions can be derived from CPU or memory metrics. Often
+ scale considerations will come from more complex or even external data points. Use
+ KEDA to build a meaningful auto scale ruleset based on signals that are specific
+ to your workload.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: 5cf34320-3414-4c06-93c7-945fc9f3d7e2
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-OngoingLoadTestingActivitiesWorkloadArchitectures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-OngoingLoadTestingActivitiesWorkloadArchitectures.yaml
new file mode 100644
index 000000000..59a98dad9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-OngoingLoadTestingActivitiesWorkloadArchitectures.yaml
@@ -0,0 +1,16 @@
+name: wafsg-OngoingLoadTestingActivitiesWorkloadArchitectures
+title: 'Cluster and workload architectures: Perform ongoing load testing activities
+ that exercise both the pod and cluster autoscaler.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: a805eb93-ffa7-4fc8-a8ce-7481da64aa1e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-ResponseWorkloadDemandsClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-ResponseWorkloadDemandsClusterArchitecture.yaml
new file mode 100644
index 000000000..714f86c36
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Performance/wafsg-ResponseWorkloadDemandsClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ResponseWorkloadDemandsClusterArchitecture
+title: 'Cluster architecture: Enable cluster autoscaler to automatically adjust the
+ number of agent nodes in response workload demands.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Performance
+severity: 1
+labels:
+ guid: d8ec7ce1-bb32-4042-93f3-ad468f9c120b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AgicAppgw.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AgicAppgw.yaml
new file mode 100644
index 000000000..9ac26f2d8
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AgicAppgw.yaml
@@ -0,0 +1,15 @@
+name: revcl-AgicAppgw
+title: If using AGIC, do not share an AppGW across clusters
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248
+links:
+- type: docs
+ url: https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AksHttpRoutingAddApplicationRouting.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AksHttpRoutingAddApplicationRouting.yaml
new file mode 100644
index 000000000..4b00dc51d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AksHttpRoutingAddApplicationRouting.yaml
@@ -0,0 +1,19 @@
+name: revcl-AksHttpRoutingAddApplicationRouting
+title: Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with
+ the application routing add-on.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 0
+labels:
+ guid: 8008ae7d-7e4b-4475-a6c8-bdbf59bce65d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/http-application-routing
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false)
+ | distinct id,compliant
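Review bot: The `links` entry on L59604 points at `https://learn.microsoft.com/azure/aks/http-application-routing`, which documents the retired HTTP application routing add-on the title tells the reader not to use, rather than the managed NGINX/application routing add-on it recommends as the replacement. Readers following the link land on the deprecated feature and get no guidance on the migration path. Consider `url: https://learn.microsoft.com/azure/aks/app-routing` (or listing both links with the retired one clearly last). The ARG query on L59606-L59608 looks correct: it treats a missing addon profile as compliant.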
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AksWindowsWorkloadsHostprocessContainers.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AksWindowsWorkloadsHostprocessContainers.yaml
new file mode 100644
index 000000000..98b2d1f4d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AksWindowsWorkloadsHostprocessContainers.yaml
@@ -0,0 +1,15 @@
+name: revcl-AksWindowsWorkloadsHostprocessContainers
+title: If required for AKS Windows workloads HostProcess containers can be used
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 2
+labels:
+ guid: ab5351f6-383a-45ed-9c5e-b143b16db40a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-windows-hpc
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AzureCniIpExhaustionDynamicAllocations.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AzureCniIpExhaustionDynamicAllocations.yaml
new file mode 100644
index 000000000..c3bd6737b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AzureCniIpExhaustionDynamicAllocations.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureCniIpExhaustionDynamicAllocations
+title: Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 8ee9a69a-1b58-4b1e-9c61-476e110a160b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AzureNatGatewayEgressTraffic.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AzureNatGatewayEgressTraffic.yaml
new file mode 100644
index 000000000..2bfd14ef3
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-AzureNatGatewayEgressTraffic.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureNatGatewayEgressTraffic
+title: Use Azure NAT Gateway as outboundType for scaling egress traffic
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 2
+labels:
+ guid: ccb534e7-416e-4a1d-8e93-533b53199085
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/nat-gateway
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-BestCniNetworkPluginAzureCni.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-BestCniNetworkPluginAzureCni.yaml
new file mode 100644
index 000000000..53114b3be
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-BestCniNetworkPluginAzureCni.yaml
@@ -0,0 +1,17 @@
+name: revcl-BestCniNetworkPluginAzureCni
+title: Choose the best CNI network plugin for your requirements (Azure CNI recommended)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 0
+labels:
+ guid: a0f61565-9de5-458f-a372-49c831112dbd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-network
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-IngressControllerWebBasedApps.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-IngressControllerWebBasedApps.yaml
new file mode 100644
index 000000000..9842efa88
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-IngressControllerWebBasedApps.yaml
@@ -0,0 +1,16 @@
+name: revcl-IngressControllerWebBasedApps
+title: Use an ingress controller to expose web-based apps instead of exposing them
+ with LoadBalancer-type services
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: b3808b9f-a1cf-4204-ad01-3a923ce474db
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/concepts-network
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-ServiceIpAddressRangeClusterScalability.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-ServiceIpAddressRangeClusterScalability.yaml
new file mode 100644
index 000000000..4b0568e71
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-ServiceIpAddressRangeClusterScalability.yaml
@@ -0,0 +1,16 @@
+name: revcl-ServiceIpAddressRangeClusterScalability
+title: Size the service IP address range accordingly (it is going to limit the cluster
+ scalability)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 0
+labels:
+ guid: 43f63047-22d9-429c-8b1c-d622f54b29ba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/configure-azure-cni
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-SlaBackedAksOffering.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-SlaBackedAksOffering.yaml
new file mode 100644
index 000000000..7c76b8c51
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-SlaBackedAksOffering.yaml
@@ -0,0 +1,17 @@
+name: revcl-SlaBackedAksOffering
+title: Use the SLA-backed AKS offering
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 0
+labels:
+ guid: 71d41e36-10cc-457b-9a4b-1410d4395898
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/uptime-sla
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (sku.tier=='Paid') | distinct id,compliant
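Review bot: The compliance query on L59760-L59761 tests `sku.tier=='Paid'`, but the AKS managed-cluster SKU tiers exposed through ARG today are `Free`, `Standard` and `Premium`; `Paid` is the former name of the Uptime SLA tier. Clusters that already have the SLA will be reported as non-compliant, which is a false negative for a severity-0 reliability check. Suggested condition: `= (sku.tier=='Standard' or sku.tier=='Premium') | distinct id,compliant`; if older API versions that still return `Paid` must be covered, add it to the same `or` chain. The other queries in this range (L59693-L59694, L59783-L59785) use current property names and do not have this problem.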
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-StandardAlbBasicOne.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-StandardAlbBasicOne.yaml
new file mode 100644
index 000000000..9714591bd
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-StandardAlbBasicOne.yaml
@@ -0,0 +1,18 @@
+name: revcl-StandardAlbBasicOne
+title: Use the standard ALB (as opposed to the basic one)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 0
+labels:
+ guid: ba7da7be-9952-4914-a384-5d997cb39132
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/load-balancer-standard
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct
+ id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-UseDisruptionBudgetsDeploymentDefinitions.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-UseDisruptionBudgetsDeploymentDefinitions.yaml
new file mode 100644
index 000000000..2decc3469
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/revcl-UseDisruptionBudgetsDeploymentDefinitions.yaml
@@ -0,0 +1,15 @@
+name: revcl-UseDisruptionBudgetsDeploymentDefinitions
+title: Use Disruption Budgets in your pod and deployment definitions
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 2
+labels:
+ guid: c1288b3c-6a57-4cfc-9444-51e1a3d3453a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-AksUptimeSlaClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-AksUptimeSlaClusterArchitecture.yaml
new file mode 100644
index 000000000..110e37b65
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-AksUptimeSlaClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AksUptimeSlaClusterArchitecture
+title: 'Cluster architecture: Use the AKS Uptime SLA to meet availability targets
+ for production workloads.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 359d4a34-78c9-41e3-9fce-3a4b5fb08a2b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ApplicationDeploymentManifestsPodResourceRequests.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ApplicationDeploymentManifestsPodResourceRequests.yaml
new file mode 100644
index 000000000..0680de294
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ApplicationDeploymentManifestsPodResourceRequests.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ApplicationDeploymentManifestsPodResourceRequests
+title: 'Cluster and workload architectures: Define Pod resource requests and limits
+ in application deployment manifests, and enforce with Azure Policy.'
+description: Container CPU and memory resource limits are necessary to prevent resource
+ exhaustion in your Kubernetes cluster.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 5527c666-0096-4a1d-9022-cada9d4c77da
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ClusterArchitectureCriticalWorkloads.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ClusterArchitectureCriticalWorkloads.yaml
new file mode 100644
index 000000000..a411c6d74
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ClusterArchitectureCriticalWorkloads.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ClusterArchitectureCriticalWorkloads
+title: 'Cluster architecture: For critical workloads, use availability zones for your
+ AKS clusters.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 2e9764a8-9f04-49c8-912c-41f40b2307e3
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ContainerInsightsReliabilityImpactingEvents.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ContainerInsightsReliabilityImpactingEvents.yaml
new file mode 100644
index 000000000..02edebf6a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ContainerInsightsReliabilityImpactingEvents.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ContainerInsightsReliabilityImpactingEvents
+title: 'Cluster architecture: Enable Container insights to monitor your cluster and
+ configure alerts for reliability-impacting events.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 217d3e94-7267-4b11-bd87-928d6119a666
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-DifferentAzureRegionsInternetFacingWorkloads.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-DifferentAzureRegionsInternetFacingWorkloads.yaml
new file mode 100644
index 000000000..6103f7391
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-DifferentAzureRegionsInternetFacingWorkloads.yaml
@@ -0,0 +1,17 @@
+name: wafsg-DifferentAzureRegionsInternetFacingWorkloads
+title: 'Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters
+ deployed across different Azure regions to maximize availability and provide business
+ continuity.'
+description: Internet facing workloads should leverage Azure Front Door or Azure Traffic
+ Manager to route traffic globally across AKS clusters.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 57d11e53-f830-4930-9d74-2ce5435cd971
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ExtraManagementOverheadMemoryOptimizedVms.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ExtraManagementOverheadMemoryOptimizedVms.yaml
new file mode 100644
index 000000000..cd4d34875
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ExtraManagementOverheadMemoryOptimizedVms.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExtraManagementOverheadMemoryOptimizedVms
+title: 'Cluster and workload architectures: Separate applications to dedicated node
+ pools based on specific requirements.'
+description: Applications may share the same configuration and need GPU-enabled VMs,
+ CPU or memory optimized VMs, or the ability to scale-to-zero. Avoid large number
+ of node pools to reduce extra management overhead.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: caa13588-59c1-416a-8b81-4e1ce3d9b707
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-IpAddressSpaceFailoverTraffic.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-IpAddressSpaceFailoverTraffic.yaml
new file mode 100644
index 000000000..635d77673
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-IpAddressSpaceFailoverTraffic.yaml
@@ -0,0 +1,16 @@
+name: wafsg-IpAddressSpaceFailoverTraffic
+title: 'Cluster architecture: Plan the IP address space to ensure your cluster can
+ reliably scale, including handling of failover traffic in multi-cluster topologies.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 5e7f4600-3959-4c9c-b29d-c555c79dfd9e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ManyConcurrentOutboundConnectionsAzureLoadBalancerLimitations.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ManyConcurrentOutboundConnectionsAzureLoadBalancerLimitations.yaml
new file mode 100644
index 000000000..2606b2c9b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-ManyConcurrentOutboundConnectionsAzureLoadBalancerLimitations.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ManyConcurrentOutboundConnectionsAzureLoadBalancerLimitations
+title: 'Cluster architecture: Use a NAT gateway for clusters that run workloads that
+ make many concurrent outbound connections.'
+description: To avoid reliability issues with Azure Load Balancer limitations with
+ high concurrent outbound traffic, us a NAT Gateway instead to support reliable egress
+ traffic at scale.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: ecb8bcd9-2f8b-4394-86bb-c7ee533f7d08
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-MatchingNodeSelectorWorkloadArchitectures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-MatchingNodeSelectorWorkloadArchitectures.yaml
new file mode 100644
index 000000000..08cbbf595
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-MatchingNodeSelectorWorkloadArchitectures.yaml
@@ -0,0 +1,20 @@
+name: wafsg-MatchingNodeSelectorWorkloadArchitectures
+title: 'Cluster and workload architectures: Control pod scheduling using node selectors
+ and affinity.'
+description: Allows the Kubernetes scheduler to logically isolate workloads by hardware
+ in the node. Unlike tolerations, pods without a matching node selector can be scheduled
+ on labeled nodes, which allows unused resources on the nodes to consume, but gives
+ priority to pods that define the matching node selector. Use node affinity for more
+ flexibility, which allows you to define what happens if the pod can't be matched
+ with a node.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: dd3b6ffb-7e93-4b1a-aaf0-3cc42e6271df
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-RegularVmssBasedAksDeploymentSeparateDataCenters.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-RegularVmssBasedAksDeploymentSeparateDataCenters.yaml
new file mode 100644
index 000000000..36376de6f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-RegularVmssBasedAksDeploymentSeparateDataCenters.yaml
@@ -0,0 +1,19 @@
+name: wafsg-RegularVmssBasedAksDeploymentSeparateDataCenters
+title: 'Cluster architecture: Use availability zones to maximize resilience within
+ an Azure region by distributing AKS agent nodes across physically separate data
+ centers.'
+description: By spreading node pools across multiple zones, nodes in one node pool
+ will continue running even if another zone has gone down. If colocality requirements
+ exist, either a regular VMSS-based AKS deployment into a single zone or proximity
+ placement groups can be used to minimize internode latency.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 4834a7a7-6bf7-4a58-961b-f1b97da3c724
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-TheAksUptimeSlaGuaranteesKubernetesApiServerEndpoint.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-TheAksUptimeSlaGuaranteesKubernetesApiServerEndpoint.yaml
new file mode 100644
index 000000000..442a9329c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-TheAksUptimeSlaGuaranteesKubernetesApiServerEndpoint.yaml
@@ -0,0 +1,17 @@
+name: wafsg-TheAksUptimeSlaGuaranteesKubernetesApiServerEndpoint
+title: 'Cluster and workload architectures: Use the AKS Uptime SLA for production
+ grade clusters.'
+description: 'The AKS Uptime SLA guarantees: - `99.95%` availability of the Kubernetes
+ API server endpoint for AKS Clusters that use Azure Availability Zones, or - `99.9%`
+ availability for AKS Clusters that don''t use Azure Availability Zones.'
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 856eeb19-e8cf-4c18-8443-69a4d4a66600
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-UserNodePoolsRightSizeSku.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-UserNodePoolsRightSizeSku.yaml
new file mode 100644
index 000000000..2f9aa4a03
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-UserNodePoolsRightSizeSku.yaml
@@ -0,0 +1,17 @@
+name: wafsg-UserNodePoolsRightSizeSku
+title: 'Cluster and workload architectures: Ensure your workload is running on user
+ node pools and chose the right size SKU. At a minimum, include two nodes for user
+ node pools and three nodes for the system node pool.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 3d531a79-530b-416f-8176-d18fb151f2a0
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-UserNodePoolsSystemNodePool.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-UserNodePoolsSystemNodePool.yaml
new file mode 100644
index 000000000..215e31eb4
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-UserNodePoolsSystemNodePool.yaml
@@ -0,0 +1,17 @@
+name: wafsg-UserNodePoolsSystemNodePool
+title: 'Cluster and workload architectures: Keep the System node pool isolated from
+ application workloads.'
+description: System node pools require a VM SKU of at least 2 vCPUs and 4 GB memory,
+ but 4 vCPU or more is recommended. Reference System and user node pools for detailed
+ requirements.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 80a4d735-cacb-456d-a188-ebf3e6610e6b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WindowsBasedNodePoolsKubernetesNetworkPolicies.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WindowsBasedNodePoolsKubernetesNetworkPolicies.yaml
new file mode 100644
index 000000000..4accf0a7b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WindowsBasedNodePoolsKubernetesNetworkPolicies.yaml
@@ -0,0 +1,17 @@
+name: wafsg-WindowsBasedNodePoolsKubernetesNetworkPolicies
+title: 'Cluster architecture: Ensure proper selection of network plugin based on network
+ requirements and cluster sizing.'
+description: Azure CNI is required for specific scenarios, for example, Windows-based
+ node pools, specific networking requirements and Kubernetes Network Policies. Reference
+ Kubenet versus Azure CNI for more information.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: a2c3dd5a-7ebc-4e4e-8061-a4cb90ed1fe7
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WorkloadArchitectureHorizontalScaling.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WorkloadArchitectureHorizontalScaling.yaml
new file mode 100644
index 000000000..197637f81
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WorkloadArchitectureHorizontalScaling.yaml
@@ -0,0 +1,16 @@
+name: wafsg-WorkloadArchitectureHorizontalScaling
+title: 'Workload architecture: Ensure workloads are built to support horizontal scaling
+ and report application readiness and health.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: b07721f6-5bd8-47df-8a79-e7e3ffa4e84a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WorkloadArchitecturesContainerInsights.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WorkloadArchitecturesContainerInsights.yaml
new file mode 100644
index 000000000..760ac6fd9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Reliability/wafsg-WorkloadArchitecturesContainerInsights.yaml
@@ -0,0 +1,17 @@
+name: wafsg-WorkloadArchitecturesContainerInsights
+title: 'Cluster and workload architectures: Configure monitoring of cluster with Container
+ insights.'
+description: Container insights help monitor the health and performance of controllers,
+ nodes, and containers that are available in Kubernetes through the Metrics API.
+ Integration with Prometheus enables collection of application and workload metrics.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Reliability
+severity: 1
+labels:
+ guid: 1b92e639-a727-409c-a343-17109a2861f2
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AadConditionalAccessAks.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AadConditionalAccessAks.yaml
new file mode 100644
index 000000000..88dabf8da
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AadConditionalAccessAks.yaml
@@ -0,0 +1,15 @@
+name: revcl-AadConditionalAccessAks
+title: Configure if required AAD conditional access for AKS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: c4d7f4c6-79bf-45d0-aa05-ce8fc717e150
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AadRbacAuthorization.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AadRbacAuthorization.yaml
new file mode 100644
index 000000000..093496f73
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AadRbacAuthorization.yaml
@@ -0,0 +1,15 @@
+name: revcl-AadRbacAuthorization
+title: Integrate authorization with AAD RBAC
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: eec4962c-c3bd-421b-b77f-26e5e6b3bec3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/manage-azure-rbac
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AdvancedMicroserviceCommunicationManagementServiceMesh.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AdvancedMicroserviceCommunicationManagementServiceMesh.yaml
new file mode 100644
index 000000000..bbc00b33e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AdvancedMicroserviceCommunicationManagementServiceMesh.yaml
@@ -0,0 +1,15 @@
+name: revcl-AdvancedMicroserviceCommunicationManagementServiceMesh
+title: Consider using a service mesh for advanced microservice communication management
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: e9855d04-c3c3-49c9-a6bb-2c12159a114b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/servicemesh-about
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksLocalAccounts.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksLocalAccounts.yaml
new file mode 100644
index 000000000..bde300849
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksLocalAccounts.yaml
@@ -0,0 +1,17 @@
+name: revcl-AksLocalAccounts
+title: Disable AKS local accounts
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: b085b1f2-3119-4771-8c9a-bbf4411810ec
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (properties.disableLocalAccounts==true) | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksNonInteractiveLoginsKubelogin.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksNonInteractiveLoginsKubelogin.yaml
new file mode 100644
index 000000000..21dd85b8c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksNonInteractiveLoginsKubelogin.yaml
@@ -0,0 +1,15 @@
+name: revcl-AksNonInteractiveLoginsKubelogin
+title: For AKS non-interactive logins use kubelogin (preview)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: f4dcf690-1b30-407d-abab-6f8aa780d3a3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksVirtualNetworkDdosStandard.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksVirtualNetworkDdosStandard.yaml
new file mode 100644
index 000000000..4ebb59ced
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AksVirtualNetworkDdosStandard.yaml
@@ -0,0 +1,22 @@
+name: revcl-AksVirtualNetworkDdosStandard
+title: Use DDoS Standard in the AKS Virtual Network
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 9bda4776-8f24-4c11-9775-c2ea55b46a94
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview
+queries:
+ arg: Resources | where type=~'microsoft.containerservice/managedclusters' | project
+ resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project
+ subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources
+ | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets
+ | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id))
+ on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant
+ = (enableDdosProtection == 'true')
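Review bot: The `queries.arg` in this file reports compliance against the virtual network rather than the AKS cluster: the left side of the join projects only `subnetId`, so the `id`, `resourceGroup` and `name` that survive to `distinct id,resourceGroup,name,enableDdosProtection` all come from the `microsoft.network/virtualnetworks` side. The other `revcl-*` queries in this directory end in `distinct id,compliant` keyed on the cluster id, so consumers matching results to the `resourceTypes` entry would presumably get no row for the cluster here. Carrying the cluster id through the first `project` (e.g. `project id,resourceGroup,name,pools=properties.agentPoolProfiles`) and renaming the VNet columns in the joined subquery would keep the output shape consistent; since these files look generated from `./checklists/waf_checklist.en.json`, the fix belongs in that source rather than in the YAML.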
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AppSeparationRequirementsNamespace.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AppSeparationRequirementsNamespace.yaml
new file mode 100644
index 000000000..67762f6b7
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AppSeparationRequirementsNamespace.yaml
@@ -0,0 +1,15 @@
+name: revcl-AppSeparationRequirementsNamespace
+title: Define app separation requirements (namespace/nodepool/cluster)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: d167dd18-2b0a-4c24-8b99-9a646f8389a7
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AzureCniDifferentSubnets.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AzureCniDifferentSubnets.yaml
new file mode 100644
index 000000000..621a952af
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AzureCniDifferentSubnets.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureCniDifferentSubnets
+title: If using Azure CNI, consider using different Subnets for NodePools
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 22fbe8d6-9b40-47ef-9011-25bb1a555a6b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AzurePolicyClusterCompliance.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AzurePolicyClusterCompliance.yaml
new file mode 100644
index 000000000..8c93a2e16
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-AzurePolicyClusterCompliance.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzurePolicyClusterCompliance
+title: Use Azure Policy for Kubernetes to ensure cluster compliance
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 9ca48e4a-85e2-4223-bce8-bb12307ca5f1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true)
+ | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CalicoNetworkPoliciesAksNodes.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CalicoNetworkPoliciesAksNodes.yaml
new file mode 100644
index 000000000..748a87ebb
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CalicoNetworkPoliciesAksNodes.yaml
@@ -0,0 +1,18 @@
+name: revcl-CalicoNetworkPoliciesAksNodes
+title: 'For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: ce7f2a7c-297c-47c6-adea-a6ff838db665
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-network-policies
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster)
+ | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true)
+ | distinct id, compliant
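Review bot: The `queries.arg` here does not check what the recommendation title states — it tests `properties.apiServerAccessProfile.enablePrivateCluster`, which is the private-cluster query also used in `revcl-PrivateClustersRequirements.yaml`, while the title is about Calico network policies on Windows nodes. A cluster would be marked compliant for this item purely because it is private, which is a false security signal in any report built from these recos. The check that matches the title is the network-policy one used in `revcl-KubernetesNetworkPolicyOptionCalicoAzure.yaml` (`extend compliant = isnotnull(properties.networkProfile.networkPolicy)`), or `queries: {}` if no automated check is intended; as the file appears generated, the correction belongs in `./checklists/waf_checklist.en.json`.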
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ClusterAccessTime.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ClusterAccessTime.yaml
new file mode 100644
index 000000000..e80d828c1
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ClusterAccessTime.yaml
@@ -0,0 +1,15 @@
+name: revcl-ClusterAccessTime
+title: Configure if required Just-in-time cluster access
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: 36abb0db-c118-4f4c-9880-3f30f9a2deb6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CniPlugin.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CniPlugin.yaml
new file mode 100644
index 000000000..2e25ab539
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CniPlugin.yaml
@@ -0,0 +1,15 @@
+name: revcl-CniPlugin
+title: If required add your own CNI plugin
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: 57bf217f-6dc8-481c-81e2-785773e9c00f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-byo-cni
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ConfidentialComputeAks.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ConfidentialComputeAks.yaml
new file mode 100644
index 000000000..ea8dcead6
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ConfidentialComputeAks.yaml
@@ -0,0 +1,15 @@
+name: revcl-ConfidentialComputeAks
+title: If required consider using Confidential Compute for AKS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: ec8e4e42-0344-41b0-b865-9123e8956d31
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CsiSecretsStoreDriverAzureKeyVault.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CsiSecretsStoreDriverAzureKeyVault.yaml
new file mode 100644
index 000000000..0c0fdc42c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-CsiSecretsStoreDriverAzureKeyVault.yaml
@@ -0,0 +1,15 @@
+name: revcl-CsiSecretsStoreDriverAzureKeyVault
+title: Store your secrets in Azure Key Vault with the CSI Secrets Store driver
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 5e3df584-eccc-4d97-a3b6-bcda3b50eb2e
+links:
+- type: docs
+ url: https://github.com/Azure/secrets-store-csi-driver-provider-azure
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-DefenderContainers.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-DefenderContainers.yaml
new file mode 100644
index 000000000..109cce6bf
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-DefenderContainers.yaml
@@ -0,0 +1,15 @@
+name: revcl-DefenderContainers
+title: Consider using Defender for Containers
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: c9e95ffe-6dd1-4a17-8c5f-110389ca9b21
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-EgressTrafficSecurityRequirements.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-EgressTrafficSecurityRequirements.yaml
new file mode 100644
index 000000000..7fed57266
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-EgressTrafficSecurityRequirements.yaml
@@ -0,0 +1,17 @@
+name: revcl-EgressTrafficSecurityRequirements
+title: Filter egress traffic with AzFW/NVA if your security requirements mandate it
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: 3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/limit-egress-traffic
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-FinerControlKubeletIdentity.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-FinerControlKubeletIdentity.yaml
new file mode 100644
index 000000000..4c3df8ecd
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-FinerControlKubeletIdentity.yaml
@@ -0,0 +1,15 @@
+name: revcl-FinerControlKubeletIdentity
+title: For finer control consider using a managed Kubelet Identity
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 1f711a74-3672-470b-b8b8-a2148d640d79
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-HttpProxyCompany.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-HttpProxyCompany.yaml
new file mode 100644
index 000000000..1f3b0e0cf
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-HttpProxyCompany.yaml
@@ -0,0 +1,22 @@
+name: revcl-HttpProxyCompany
+title: If required add company HTTP Proxy
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: 6c46b91a-1107-4485-ad66-3183e2a8c266
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/http-proxy
+queries:
+ arg: Resources | where type=~'microsoft.containerservice/managedclusters' | project
+ resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project
+ subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources
+ | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets
+ | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id))
+ on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant
+ = (enableDdosProtection == 'true')
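Review bot: The `queries.arg` in this file is the DDoS-protection query from `revcl-AksVirtualNetworkDdosStandard.yaml`, copied verbatim, but the recommendation is about configuring a company HTTP proxy; the two are unrelated, so `compliant` here says nothing about the title. If an automated check is wanted it would presumably look at the cluster's `properties.httpProxyConfig` (hedged — confirm the property name against the ARM schema), otherwise `queries: {}` as in the neighbouring files is the honest value. The same mismatch appears in `revcl-CalicoNetworkPoliciesAksNodes.yaml`; both look generated from `./checklists/waf_checklist.en.json`, so that source needs the fix.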
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-InternalAppsOrganizationsPrivateIpLoadbalancerServices.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-InternalAppsOrganizationsPrivateIpLoadbalancerServices.yaml
new file mode 100644
index 000000000..a04702612
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-InternalAppsOrganizationsPrivateIpLoadbalancerServices.yaml
@@ -0,0 +1,22 @@
+name: revcl-InternalAppsOrganizationsPrivateIpLoadbalancerServices
+title: If using private-IP LoadBalancer services, use a dedicated subnet (not the
+ AKS subnet)
+description: For internal apps organizations often open the whole AKS subnet in their
+ firewalls. This opens network access to the nodes too, and potentially to the pods
+ as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only
+ this one needs to be available to the app clients. Another reason is that if the
+ IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses
+ for services will reduce the maximum scalability of the cluster .
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: 13c00567-4b1e-4945-a459-c373e7ed6162
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/internal-lb
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KeyManagementServiceEncryption.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KeyManagementServiceEncryption.yaml
new file mode 100644
index 000000000..6e4419514
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KeyManagementServiceEncryption.yaml
@@ -0,0 +1,15 @@
+name: revcl-KeyManagementServiceEncryption
+title: If required add Key Management Service etcd encryption
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: e7ba73a3-0508-4f80-806f-527db30cee96
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KubernetesNetworkPoliciesIntraClusterSecurity.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KubernetesNetworkPoliciesIntraClusterSecurity.yaml
new file mode 100644
index 000000000..404d5a26a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KubernetesNetworkPoliciesIntraClusterSecurity.yaml
@@ -0,0 +1,15 @@
+name: revcl-KubernetesNetworkPoliciesIntraClusterSecurity
+title: Use Kubernetes network policies to increase intra-cluster security
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: 85e2223e-ce8b-4b12-907c-a5f16f158e3e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-network
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KubernetesNetworkPolicyOptionCalicoAzure.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KubernetesNetworkPolicyOptionCalicoAzure.yaml
new file mode 100644
index 000000000..2223185c0
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-KubernetesNetworkPolicyOptionCalicoAzure.yaml
@@ -0,0 +1,17 @@
+name: revcl-KubernetesNetworkPolicyOptionCalicoAzure
+title: Enable a Kubernetes Network Policy option (Calico/Azure)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: 58d7c892-ddb1-407d-9769-ae669ca48e4a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-network-policies
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-LimitAccessAdminKubeconfig.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-LimitAccessAdminKubeconfig.yaml
new file mode 100644
index 000000000..2b97eb3fc
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-LimitAccessAdminKubeconfig.yaml
@@ -0,0 +1,15 @@
+name: revcl-LimitAccessAdminKubeconfig
+title: Limit access to admin kubeconfig (get-credentials --admin)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: a2fe27b2-e287-401a-8352-beedf79b488d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/control-kubeconfig-access
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ManagedIdentitiesServicePrincipals.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ManagedIdentitiesServicePrincipals.yaml
new file mode 100644
index 000000000..1989516b2
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ManagedIdentitiesServicePrincipals.yaml
@@ -0,0 +1,17 @@
+name: revcl-ManagedIdentitiesServicePrincipals
+title: Use managed identities instead of Service Principals
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: ed127dd1-42b0-46b2-8c69-99a646f3389a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-managed-identity
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ManagedIntegrationAuthentication.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ManagedIntegrationAuthentication.yaml
new file mode 100644
index 000000000..b73a922ff
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ManagedIntegrationAuthentication.yaml
@@ -0,0 +1,17 @@
+name: revcl-ManagedIntegrationAuthentication
+title: Integrate authentication with AAD (using the managed integration)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 7e42c78e-78c0-46a6-8a21-94956e698dc4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/managed-aad
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = isnotnull(properties.aadProfile) | distinct id,compliant
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PodIdentityAccessManagementAzureAdWorkloadIdentity.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PodIdentityAccessManagementAzureAdWorkloadIdentity.yaml
new file mode 100644
index 000000000..5e0906d4e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PodIdentityAccessManagementAzureAdWorkloadIdentity.yaml
@@ -0,0 +1,15 @@
+name: revcl-PodIdentityAccessManagementAzureAdWorkloadIdentity
+title: For Pod Identity Access Management use Azure AD Workload Identity (preview)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: d2e0d5d7-71d4-41e3-910c-c57b4a4b1410
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PrivateClustersRequirements.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PrivateClustersRequirements.yaml
new file mode 100644
index 000000000..fe2e8493c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PrivateClustersRequirements.yaml
@@ -0,0 +1,18 @@
+name: revcl-PrivateClustersRequirements
+title: Use private clusters if your requirements mandate it
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: ecccd979-3b6b-4cda-9b50-eb2eb03dda6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/private-clusters
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster)
+ | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true)
+ | distinct id, compliant
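Review bot: The `where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster)` filter in `queries.arg` silently drops every cluster that has no `apiServerAccessProfile` at all, and those clusters are public by default, so the ones most likely to fail this check never appear in the result. Removing the filter and treating a missing property as non-compliant, e.g. `| extend compliant = coalesce(tobool(properties.apiServerAccessProfile.enablePrivateCluster), false) | distinct id, compliant`, makes the query report them. As with the other revcl files, the change should be applied in the checklist source if these are regenerated.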
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PrivateRegistryImages.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PrivateRegistryImages.yaml
new file mode 100644
index 000000000..501aa584a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PrivateRegistryImages.yaml
@@ -0,0 +1,15 @@
+name: revcl-PrivateRegistryImages
+title: Use a private registry for your images, such as ACR
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 55b46a94-8008-4ae7-b7e4-b475b6c8bdbf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/container-registry/
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PublicApiEndpointIpAddresses.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PublicApiEndpointIpAddresses.yaml
new file mode 100644
index 000000000..281f9ec3c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-PublicApiEndpointIpAddresses.yaml
@@ -0,0 +1,19 @@
+name: revcl-PublicApiEndpointIpAddresses
+title: If using a public API endpoint, restrict the IP addresses that can access it
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: c4581559-bb91-463e-a908-aed8c44ce3b2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | extend compliant
+ = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false)
+ and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct
+ id,compliant
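Review bot: The compliance expression in `queries.arg` marks private clusters as non-compliant, because the first clause `(isnull(enablePrivateCluster) or enablePrivateCluster==false)` is false for them even though authorized IP ranges do not apply to a private API server. It also accepts an empty `authorizedIPRanges` list, since `isnotnull([])` is true. A form like `compliant = (coalesce(tobool(properties.apiServerAccessProfile.enablePrivateCluster), false) or coalesce(array_length(properties.apiServerAccessProfile.authorizedIPRanges), 0) > 0)` handles both cases and keeps the column boolean when the properties are absent.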
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-RbacPrivilegeNamespaces.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-RbacPrivilegeNamespaces.yaml
new file mode 100644
index 000000000..667fe7260
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-RbacPrivilegeNamespaces.yaml
@@ -0,0 +1,15 @@
+name: revcl-RbacPrivilegeNamespaces
+title: Use namespaces for restricting RBAC privilege in Kubernetes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: d4f3537c-1346-4dc5-9027-a71ffe1bd05d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-identity
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ServicePrincipalsCluster.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ServicePrincipalsCluster.yaml
new file mode 100644
index 000000000..396bc27f9
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-ServicePrincipalsCluster.yaml
@@ -0,0 +1,16 @@
+name: revcl-ServicePrincipalsCluster
+title: If using Service Principals for the cluster, refresh credentials periodically
+ (like quarterly)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: b03dda6d-58d7-4c89-8ddb-107d5769ae66
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/update-credentials
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-SystemNodepoolTaint.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-SystemNodepoolTaint.yaml
new file mode 100644
index 000000000..0f41abdbd
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-SystemNodepoolTaint.yaml
@@ -0,0 +1,15 @@
+name: revcl-SystemNodepoolTaint
+title: Add taint to your system nodepool to make it dedicated
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: a7a1f893-9bda-4477-98f2-4c116775c2ea
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-system-pools
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-UserSystemNodePoolsControlPlane.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-UserSystemNodePoolsControlPlane.yaml
new file mode 100644
index 000000000..e4eb334b4
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-UserSystemNodePoolsControlPlane.yaml
@@ -0,0 +1,18 @@
+name: revcl-UserSystemNodePoolsControlPlane
+title: Separate applications from the control plane with user/system node pools
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 6f158e3e-a3a9-42c2-be7e-2165c3a87af4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-system-pools
+queries:
+ arg: where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles
+ | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant
+ = (poolcount > 1)
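Review bot: The `compliant = (poolcount > 1)` test in `queries.arg` only counts agent pools, so a cluster with two system pools or two user pools is reported compliant although the recommendation is about separating a System pool from a User pool. Counting by the pool `mode` expresses the intent, e.g. `arg: where type=='microsoft.containerservice/managedclusters' | mv-expand pool=properties.agentPoolProfiles | summarize systemPools=countif(tostring(pool.mode)=='System'), userPools=countif(tostring(pool.mode)=='User') by id | extend compliant = (systemPools > 0 and userPools > 0)`, assuming `mode` is populated on every profile as it is for current clusters. The duplicated `project` steps in the current query can be dropped at the same time.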
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-VirtualNetworkServiceEndpointsPrivateEndpoints.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-VirtualNetworkServiceEndpointsPrivateEndpoints.yaml
new file mode 100644
index 000000000..3782f4a90
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-VirtualNetworkServiceEndpointsPrivateEndpoints.yaml
@@ -0,0 +1,16 @@
+name: revcl-VirtualNetworkServiceEndpointsPrivateEndpoints
+title: Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access
+ PaaS services from the cluster
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: c3c39c98-6bb2-4c12-859a-114b5e3df584
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/private-link/private-link-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-WebWorkloadsWaf.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-WebWorkloadsWaf.yaml
new file mode 100644
index 000000000..3fb716bb7
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-WebWorkloadsWaf.yaml
@@ -0,0 +1,15 @@
+name: revcl-WebWorkloadsWaf
+title: Use a WAF for web workloads (UIs or APIs)
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 0
+labels:
+ guid: a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/operator-best-practices-network
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-WindowsAksWorkloadsGmsa.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-WindowsAksWorkloadsGmsa.yaml
new file mode 100644
index 000000000..266c7faa7
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/revcl-WindowsAksWorkloadsGmsa.yaml
@@ -0,0 +1,15 @@
+name: revcl-WindowsAksWorkloadsGmsa
+title: 'If required for Windows AKS workloads configure gMSA '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 2
+labels:
+ guid: e1123a7c-a333-4eb4-a120-4ee3f293c9f3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ApiServerAuthorizedIpRangesAuthorizedIpRangeFeature.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ApiServerAuthorizedIpRangesAuthorizedIpRangeFeature.yaml
new file mode 100644
index 000000000..89c31147b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ApiServerAuthorizedIpRangesAuthorizedIpRangeFeature.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ApiServerAuthorizedIpRangesAuthorizedIpRangeFeature
+title: 'Cluster architecture: For non-private AKS clusters, use API server authorized
+ IP ranges.'
+description: When using public clusters, you can still limit the traffic that can
+ reach your clusters API server by using the authorized IP range feature. Include
+ sources like the public IPs of your deployment build agents, operations management,
+ and node pools' egress point (such as Azure Firewall).
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: f169dfc7-70ef-478d-a483-12f396742584
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-AzureNetworkPoliciesNetworkTraffic.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-AzureNetworkPoliciesNetworkTraffic.yaml
new file mode 100644
index 000000000..0565bf0c3
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-AzureNetworkPoliciesNetworkTraffic.yaml
@@ -0,0 +1,14 @@
+name: wafsg-AzureNetworkPoliciesNetworkTraffic
+title: 'Cluster architecture: Use Azure network policies or Calico.'
+description: Secure and control network traffic between pods in a cluster.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: d1008f3b-5c0d-42ff-8513-fcd6b064fc5d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-AzureWebApplicationFirewallAzureApplicationGateway.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-AzureWebApplicationFirewallAzureApplicationGateway.yaml
new file mode 100644
index 000000000..385106723
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-AzureWebApplicationFirewallAzureApplicationGateway.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureWebApplicationFirewallAzureApplicationGateway
+title: 'Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.'
+description: To scan incoming traffic for potential attacks, use a web application
+ firewall such as Azure Web Application Firewall (WAF) on Azure Application Gateway
+ or Azure Front Door.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: dc2dfc11-1574-4228-88d9-50e077b7d8d3
+links: []
+queries: {}
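Review bot: This recommendation and `wafsg-WebApplicationFirewallHttpSTraffic.yaml` (later in this diff) carry the identical title "Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic." under two different guids, one sourced from `./checklists-ext/wafsg_checklist.en.json` and one from `well-architected/service-guides/azure-kubernetes-service.md`. Whatever consumes `v2/recos` will count the same control twice unless the generator deduplicates across the two wafsg sources or keys on a stable identifier rather than generating a new guid per source. The private-cluster and Defender pairs in this directory look like the same situation, though their titles differ in wording.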
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-CentralizedConsistentMannerClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-CentralizedConsistentMannerClusterArchitecture.yaml
new file mode 100644
index 000000000..33f95432d
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-CentralizedConsistentMannerClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CentralizedConsistentMannerClusterArchitecture
+title: 'Cluster architecture: Secure clusters and pods with Azure Policy.'
+description: Azure Policy can help to apply at-scale enforcement and safeguards on
+ your clusters in a centralized, consistent manner. It can also control what functions
+ pods are granted and if anything is running against company policy.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: e4987bda-a67a-4407-b133-8c378788a8b8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ClusterArchitectureMicrosoftDefender.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ClusterArchitectureMicrosoftDefender.yaml
new file mode 100644
index 000000000..5d0af2cc7
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ClusterArchitectureMicrosoftDefender.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ClusterArchitectureMicrosoftDefender
+title: 'Cluster architecture: Use Microsoft Defender for Containers.'
+description: Monitor and maintain the security of your clusters, containers, and their
+ applications.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 628bfcb8-06cb-495f-a25e-5890b6f5dbba
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ClusterManagementTrafficPrivateAksCluster.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ClusterManagementTrafficPrivateAksCluster.yaml
new file mode 100644
index 000000000..fce8ebe1a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-ClusterManagementTrafficPrivateAksCluster.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ClusterManagementTrafficPrivateAksCluster
+title: 'Cluster architecture: Deploy a private AKS cluster to ensure cluster management
+ traffic to your API server remains on your private network. Or use the API server
+ allow list for non-private clusters.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: a572c855-d42a-4490-ab5e-afab4018fd8f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-KubernetesRoleBasedAccessControlMicrosoftEntraId.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-KubernetesRoleBasedAccessControlMicrosoftEntraId.yaml
new file mode 100644
index 000000000..589fb5db7
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-KubernetesRoleBasedAccessControlMicrosoftEntraId.yaml
@@ -0,0 +1,17 @@
+name: wafsg-KubernetesRoleBasedAccessControlMicrosoftEntraId
+title: 'Cluster architecture: Use Kubernetes role-based access control (RBAC) with
+ Microsoft Entra ID for least privilege access and minimize granting administrator
+ privileges to protect configuration, and secrets access.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: c90dce11-1c77-4b0e-b1c4-4aba286475af
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftBackboneNetworkPrivateAksCluster.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftBackboneNetworkPrivateAksCluster.yaml
new file mode 100644
index 000000000..3c269757b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftBackboneNetworkPrivateAksCluster.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MicrosoftBackboneNetworkPrivateAksCluster
+title: 'Cluster architecture: Secure network traffic to your API server with private
+ AKS cluster.'
+description: By default, network traffic between your node pools and the API server
+ travels the Microsoft backbone network; by using a private cluster, you can ensure
+ network traffic to your API server remains on the private network only.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 539f0f42-b505-41d0-b297-3b49cc829720
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftDefenderAzureSentinel.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftDefenderAzureSentinel.yaml
new file mode 100644
index 000000000..5b1139e26
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftDefenderAzureSentinel.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MicrosoftDefenderAzureSentinel
+title: 'Cluster architecture: Use Microsoft Defender for containers with Azure Sentinel
+ to detect and quickly respond to threats across your cluster and workloads running
+ on them.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 35a19511-d5d5-4a36-8fdc-796b8549dc4c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIdAzureContainerRegistry.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIdAzureContainerRegistry.yaml
new file mode 100644
index 000000000..2f7f9c223
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIdAzureContainerRegistry.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MicrosoftEntraIdAzureContainerRegistry
+title: 'Cluster architecture: Authenticate with Microsoft Entra ID to Azure Container
+ Registry.'
+description: AKS and Microsoft Entra ID enables authentication with Azure Container
+ Registry without the use of `imagePullSecrets` secrets. Review Authenticate with
+ Azure Container Registry from Azure Kubernetes Service for more information.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 0b153016-434a-419e-8114-530956194357
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIdBasedIdentitiesKubernetesRoleBasedAccessControl.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIdBasedIdentitiesKubernetesRoleBasedAccessControl.yaml
new file mode 100644
index 000000000..1ea6874eb
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIdBasedIdentitiesKubernetesRoleBasedAccessControl.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MicrosoftEntraIdBasedIdentitiesKubernetesRoleBasedAccessControl
+title: 'Cluster architecture: Protect the API server with Microsoft Entra RBAC.'
+description: Securing access to the Kubernetes API Server is one of the most important
+ things you can do to secure your cluster. Integrate Kubernetes role-based access
+ control (RBAC) with Microsoft Entra ID to control access to the API server. Disable
+ local accounts to enforce all cluster access using Microsoft Entra ID-based identities.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 8431face-139d-4a91-ba8c-6053f0125e74
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIntegrationMicrosoftEntraId.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIntegrationMicrosoftEntraId.yaml
new file mode 100644
index 000000000..c292cd566
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-MicrosoftEntraIntegrationMicrosoftEntraId.yaml
@@ -0,0 +1,17 @@
+name: wafsg-MicrosoftEntraIntegrationMicrosoftEntraId
+title: 'Cluster architecture: Use Microsoft Entra integration.'
+description: Using Microsoft Entra ID centralizes the identity management component.
+ Any change in user account or group status is automatically updated in access to
+ the AKS cluster. The developers and application owners of your Kubernetes cluster
+ need access to different resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: a97490b6-9e41-45a1-83bd-7d78dcaa75a6
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-NetworkSecurityPointClusterEgressTraffic.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-NetworkSecurityPointClusterEgressTraffic.yaml
new file mode 100644
index 000000000..0396322e4
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-NetworkSecurityPointClusterEgressTraffic.yaml
@@ -0,0 +1,15 @@
+name: wafsg-NetworkSecurityPointClusterEgressTraffic
+title: 'Cluster architecture: Control cluster egress traffic.'
+description: Ensure your cluster's outbound traffic is passing through a network security
+ point such as Azure Firewall or an HTTP proxy.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 267d8ee6-5cfb-471c-ac5c-d2543358525b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-OpenSourceMicrosoftEntraWorkloadIdSecretsStoreCsiDriver.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-OpenSourceMicrosoftEntraWorkloadIdSecretsStoreCsiDriver.yaml
new file mode 100644
index 000000000..d3a8b033b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-OpenSourceMicrosoftEntraWorkloadIdSecretsStoreCsiDriver.yaml
@@ -0,0 +1,17 @@
+name: wafsg-OpenSourceMicrosoftEntraWorkloadIdSecretsStoreCsiDriver
+title: 'Cluster architecture: Use the open-source Microsoft Entra Workload ID and
+ Secrets Store CSI Driver with Azure Key Vault.'
+description: Protect and rotate secrets, certificates, and connection strings in Azure
+ Key Vault with strong encryption. Provides an access audit log, and keeps core secrets
+ out of the deployment pipeline.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: f5ae12ec-66b2-43fa-844d-3be5e07b91f0
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-RotatingServicePrinciplesClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-RotatingServicePrinciplesClusterArchitecture.yaml
new file mode 100644
index 000000000..51f768c97
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-RotatingServicePrinciplesClusterArchitecture.yaml
@@ -0,0 +1,16 @@
+name: wafsg-RotatingServicePrinciplesClusterArchitecture
+title: 'Cluster architecture: Use Managed Identities to avoid managing and rotating
+ service principles.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 5f6c3708-ec93-417b-909c-4414202ff1e6
+links: []
+queries: {}
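Review bot: The title reads "rotating service principles"; the term is "service principals", and `wafsg-WorkloadArchitectureCiCidPipeline.yaml` later in this diff has "CI/CID pipeline" for "CI/CD pipeline". Both titles come from `well-architected/service-guides/azure-kubernetes-service.md` according to `source.file`, so the wording should be corrected in that source (or in the extraction step) rather than in these generated files, which would otherwise be reverted on the next regeneration.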
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-SecureContainerAccessClusterArchitecture.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-SecureContainerAccessClusterArchitecture.yaml
new file mode 100644
index 000000000..425cef7f1
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-SecureContainerAccessClusterArchitecture.yaml
@@ -0,0 +1,15 @@
+name: wafsg-SecureContainerAccessClusterArchitecture
+title: 'Cluster architecture: Secure container access to resources.'
+description: Limit access to actions that containers can perform. Provide the least
+ number of permissions, and avoid the use of root or privileged escalation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 6fff442f-deed-462d-90b6-7fde6ce81fae
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-WebApplicationFirewallHttpSTraffic.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-WebApplicationFirewallHttpSTraffic.yaml
new file mode 100644
index 000000000..8232b6bec
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-WebApplicationFirewallHttpSTraffic.yaml
@@ -0,0 +1,15 @@
+name: wafsg-WebApplicationFirewallHttpSTraffic
+title: 'Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: 80693bc5-79bf-4928-8887-1a77544d3bad
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-WorkloadArchitectureCiCidPipeline.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-WorkloadArchitectureCiCidPipeline.yaml
new file mode 100644
index 000000000..c3ffa824f
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/Security/wafsg-WorkloadArchitectureCiCidPipeline.yaml
@@ -0,0 +1,16 @@
+name: wafsg-WorkloadArchitectureCiCidPipeline
+title: 'Workload architecture: Ensure your CI/CID pipeline is hardened with container-aware
+ scanning.'
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-kubernetes-service.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.containerservice/managedclusters
+waf: Security
+severity: 1
+labels:
+ guid: ab5dd3a3-2d8f-4a82-b209-05715fba7e61
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-APodDisruptionBudgetPodDisruptionBudgets.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-APodDisruptionBudgetPodDisruptionBudgets.yaml
new file mode 100644
index 000000000..3dc1783a2
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-APodDisruptionBudgetPodDisruptionBudgets.yaml
@@ -0,0 +1,18 @@
+name: aprl-APodDisruptionBudgetPodDisruptionBudgets
+title: Configure pod disruption budgets (PDBs)
+description: |-
+ A Pod Disruption Budget is a Kubernetes resource configuring the minimum number or percentage of pods that should remain available during disruptions like maintenance or scaling, ensuring a minimum number of pods are always available in the cluster.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 1
+labels:
+ guid: a08a06a0-e41a-4b99-83bb-69ce8bca54cb
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
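Review bot: The `resourceTypes` value here is `Microsoft.ContainerService/managedClusters`, while every revcl and wafsg file in the same directory uses the lowercase `microsoft.containerservice/managedclusters`, and the aprl files also omit the `waf:` key that the others carry. Any consumer that groups or filters recommendations by resource type will split the AKS set in two unless it compares case-insensitively. Normalising the type to lowercase in the aprl generator (the `get_aprl` action) keeps the corpus consistent; the same applies to the other aprl files in this diff.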
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AResourcequotaObjectImplementResourceQuota.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AResourcequotaObjectImplementResourceQuota.yaml
new file mode 100644
index 000000000..b9b149349
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AResourcequotaObjectImplementResourceQuota.yaml
@@ -0,0 +1,19 @@
+name: aprl-AResourcequotaObjectImplementResourceQuota
+title: Implement Resource Quota to ensure that Kubernetes resources do not exceed
+ hard resource limits
+description: |-
+ A ResourceQuota object sets limits on resource use per namespace, controlling the number and type of objects created, and the total compute resources available.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 2
+labels:
+ guid: 9a1c17e5-c9a0-43db-b920-adaf54d1bcb7
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AksKubeletControllerStartupProbes.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AksKubeletControllerStartupProbes.yaml
new file mode 100644
index 000000000..a4121ba60
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AksKubeletControllerStartupProbes.yaml
@@ -0,0 +1,18 @@
+name: aprl-AksKubeletControllerStartupProbes
+title: Configures Pods Liveness, Readiness, and Startup Probes
+description: |-
+ AKS kubelet controller uses liveness probes to validate containers and applications health, ensuring the system knows when to restart a container based on its health status.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: cd6791b1-c60e-4b37-ac98-9897b1e6f4b8
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AutoScalerPodCreationFailuresQuickPodProvisioning.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AutoScalerPodCreationFailuresQuickPodProvisioning.yaml
new file mode 100644
index 000000000..be70776df
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AutoScalerPodCreationFailuresQuickPodProvisioning.yaml
@@ -0,0 +1,18 @@
+name: aprl-AutoScalerPodCreationFailuresQuickPodProvisioning
+title: Attach Virtual Nodes (ACI) to the AKS cluster
+description: |-
+ To rapidly scale AKS workloads, utilize virtual nodes for quick pod provisioning, unlike Kubernetes auto-scaler. For clusters with availability zones, ensure one nodepool per AZ due to persistent volumes not working across AZs, preventing auto-scaler pod creation failures if lacking access.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 2
+labels:
+ guid: b4639ca7-6308-429a-8b98-92f0bf9bf813
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureAvailabilityZonesHighAvailability.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureAvailabilityZonesHighAvailability.yaml
new file mode 100644
index 000000000..b8001f695
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureAvailabilityZonesHighAvailability.yaml
@@ -0,0 +1,35 @@
+name: aprl-AzureAvailabilityZonesHighAvailability
+title: Deploy AKS cluster across availability zones
+description: |-
+ Azure Availability Zones ensure high availability by offering independent locations within regions, equipped with their own power, cooling, and networking to ensure applications and data are protected from datacenter-level failures.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 4f63619f-5001-439c-bacb-8de891287727
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Returns AKS clusters that do not have any availability zones enabled or only use a single zone
+ resources
+ | where type =~ "Microsoft.ContainerService/managedClusters"
+ | project id, name, tags, location, pools = properties.agentPoolProfiles
+ | mv-expand pool = pools
+ | extend
+ numOfAvailabilityZones = iif(isnull(pool.availabilityZones), 0, array_length(pool.availabilityZones))
+ | where numOfAvailabilityZones < 2
+ | project
+ recommendationId = "4f63619f-5001-439c-bacb-8de891287727",
+ id,
+ name,
+ tags,
+ param1 = strcat("NodePoolName: ", pool.name),
+ param2 = strcat("Mode: ", pool.mode),
+ param3 = strcat("AvailabilityZones: ", iif(numOfAvailabilityZones == 0, "None", strcat("Zone ", strcat_array(pool.availabilityZones, ", ")))),
+ param4 = strcat("Location: ", location)
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureCsiDriversAzureDisk.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureCsiDriversAzureDisk.yaml
new file mode 100644
index 000000000..758eb24b7
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureCsiDriversAzureDisk.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureCsiDriversAzureDisk
+title: Upgrade Persistent Volumes using in-tree drivers to Azure CSI drivers
+description: |-
+ From Kubernetes 1.26, Azure Disk and Azure File in-tree drivers are deprecated in favor of CSI drivers. Existing deployments remain operational but untested; users should switch to CSI drivers for new features and SKUs.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: b002c030-72e6-4a37-8217-1cb276c43169
+ area: Governance
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureKubernetesServiceAzureBackup.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureKubernetesServiceAzureBackup.yaml
new file mode 100644
index 000000000..6be5dbe5b
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureKubernetesServiceAzureBackup.yaml
@@ -0,0 +1,31 @@
+name: aprl-AzureKubernetesServiceAzureBackup
+title: Back up Azure Kubernetes Service
+description: |-
+ AKS, popular for stateful apps needing backups, can now use Azure Backup to secure clusters and attached volumes through an installed Backup Extension, enabling backup and restore operations via a Backup Vault.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 2
+labels:
+ guid: 269a9f1a-6675-460a-831e-b05a887a8c4b
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find AKS clusters that do not have backup enabled
+
+ resources
+ | where type =~ 'Microsoft.ContainerService/managedClusters'
+ | extend lname = tolower(name)
+ | join kind=leftouter(recoveryservicesresources
+ | where type =~ 'microsoft.dataprotection/backupvaults/backupinstances'
+ | extend lname = tolower(tostring(split(properties.dataSourceInfo.resourceID, '/')[8]))
+ | extend protectionState = properties.currentProtectionState
+ | project lname, protectionState) on lname
+ | where protectionState != 'ProtectionConfigured'
+ | extend param1 = iif(isnull(protectionState), 'Protection Not Configured', strcat('Protection State: ', protectionState))
+ | project recommendationId = "269a9f1a-6675-460a-831e-b05a887a8c4b", name, id, tags, param1
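Review bot: The join `on lname` at the end of the backup query correlates clusters and backup instances by lower-cased resource name alone, so a protected cluster with the same name in another resource group or subscription would mask an unprotected one (and vice versa). The backup instance's `properties.dataSourceInfo.resourceID` is already the full cluster id, so join on that instead: `| extend lid = tolower(id)` on the cluster side, `| extend lid = tolower(tostring(properties.dataSourceInfo.resourceID))` on the backup side, and `on lid`. Case-folding both sides matters because ARG joins compare strings case-sensitively and the two tables are not guaranteed to emit resource ids in the same casing.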
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureMonitorContainerInsightsPerformanceInsights.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureMonitorContainerInsightsPerformanceInsights.yaml
new file mode 100644
index 000000000..6fc59e985
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzureMonitorContainerInsightsPerformanceInsights.yaml
@@ -0,0 +1,25 @@
+name: aprl-AzureMonitorContainerInsightsPerformanceInsights
+title: Enable AKS Monitoring
+description: |-
+ Azure Monitor enables real-time health and performance insights for AKS by collecting events, capturing container logs, and gathering CPU/Memory data from the Metrics API. It allows data visualization using Azure Monitor Container Insights, Prometheus, Grafana, or others.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: dcaf8128-94bd-4d53-9235-3a0371df6b74
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns AKS clusters where either Azure Monitor is not enabled and/or Container Insights is not enabled
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | extend azureMonitor = tostring(parse_json(properties.azureMonitorProfile.metrics.enabled))
+ | extend insights = tostring(parse_json(properties.addonProfiles.omsagent.enabled))
+ | where isempty(azureMonitor) or isempty(insights)
+ | project recommendationId="dcaf8128-94bd-4d53-9235-3a0371df6b74",id, name, tags, param1=strcat("azureMonitorProfileEnabled: ", iff(isempty(azureMonitor), "false", azureMonitor)), param2=strcat("containerInsightsEnabled: ", iff(isempty(insights), "false", insights))
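Review bot: The filter `| where isempty(azureMonitor) or isempty(insights)` only catches clusters where the profile is absent; a cluster with `omsagent.enabled` or `metrics.enabled` explicitly set to false yields the string "false", which is not empty, so it passes the check even though the header comment says the query returns clusters where monitoring is not enabled. Change the filter to `| where azureMonitor !~ "true" or insights !~ "true"`, which covers both the missing and the disabled case; the `iff(isempty(...), "false", ...)` fallbacks on the project line can stay as they are.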
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzurePoliciesBestPractices.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzurePoliciesBestPractices.yaml
new file mode 100644
index 000000000..ff41f9d4e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-AzurePoliciesBestPractices.yaml
@@ -0,0 +1,33 @@
+name: aprl-AzurePoliciesBestPractices
+title: Enable and remediate Azure Policies configured for AKS
+description: |-
+ Azure Policies in AKS clusters help enforce governance best practices concerning security, authentication, provisioning, networking, and more, ensuring a robust and secure environment for operations.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 2
+labels:
+ guid: 26ebaf1f-c70d-4ebd-8641-4b60a0ce0094
+ area: Governance
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Returns a count of non-compliant policy items per AKS cluster
+ PolicyResources
+ | where type =~ 'Microsoft.PolicyInsights/PolicyStates'
+ | extend complianceState = tostring(properties.complianceState)
+ | where complianceState == 'NonCompliant'
+ | where properties.resourceType =~ 'Microsoft.ContainerService/managedClusters'
+ | extend
+ id = tostring(properties.resourceId)
+ | summarize count() by id
+ | join kind=inner (
+ resources
+ | where type =~ 'Microsoft.ContainerService/managedClusters'
+ | project id, name
+ ) on id
+ | project recommendationId="26ebaf1f-c70d-4ebd-8641-4b60a0ce0094", id, name, param1=strcat("numNonCompliantAlerts: ", count_)
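Review bot: The inner join `on id` compares `tostring(properties.resourceId)` from PolicyResources with `id` from resources as-is, and KQL string joins are case-sensitive; policy-state resource ids are, as far as I have seen, frequently emitted in a different casing than the resources table (lower-cased resource group segments), which would silently drop clusters from the result. Case-fold both keys: `id = tolower(tostring(properties.resourceId))` in the extend and `| project id = tolower(id), name` inside the join. This query is also the only one in the set that does not project `tags`; adding `tags` to the inner project and to the final line keeps the output shape consistent with the other recommendations.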
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-DevopsFrameworksOperatingModel.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-DevopsFrameworksOperatingModel.yaml
new file mode 100644
index 000000000..f824bae1c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-DevopsFrameworksOperatingModel.yaml
@@ -0,0 +1,24 @@
+name: aprl-DevopsFrameworksOperatingModel
+title: Enable GitOps when using DevOps frameworks
+description: |-
+ GitOps, an operating model for cloud-native apps, uses Git for storing application and infrastructure code as a source of truth for continuous delivery.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 2
+labels:
+ guid: 5f3cbd68-692a-4121-988c-9770914859a9
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns AKS clusters where GitOps is not enabled
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | extend gitops = tostring (parse_json(properties.addOnProfiles.gitops.enabled))
+ | where isempty(gitops)
+ | project recommendationId="5f3cbd68-692a-4121-988c-9770914859a9", id, name, tags, param1=strcat("gitopsEnabled: ", "false")
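Review bot: The property path `properties.addOnProfiles.gitops.enabled` uses a capital O, while the monitoring query in this same change reads `properties.addonProfiles.omsagent.enabled`; dynamic property access in KQL is case-sensitive, so if the ARM property is `addonProfiles` (as the sibling query assumes) this lookup is always empty and every cluster is reported as lacking GitOps. Align the path, `| extend gitops = tostring(parse_json(properties.addonProfiles.gitops.enabled))`, and consider `| where gitops !~ "true"` so an explicitly disabled add-on is also flagged, since `isempty` only detects a missing profile. The hard-coded `"false"` in param1 is then accurate for both cases.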
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-DirectPodVnetConnectivityDiverseNetworkPolicies.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-DirectPodVnetConnectivityDiverseNetworkPolicies.yaml
new file mode 100644
index 000000000..ebb4d1c22
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-DirectPodVnetConnectivityDiverseNetworkPolicies.yaml
@@ -0,0 +1,24 @@
+name: aprl-DirectPodVnetConnectivityDiverseNetworkPolicies
+title: Configure Azure CNI networking for dynamic allocation of IPs
+description: |-
+ Azure CNI enhances cluster IP and network management, allowing dynamic IP allocation, scalable subnets, direct pod-VNET connectivity, and supports diverse network policies for pods and nodes with Azure Network Policies and Calico, optimizing network efficiency and security
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 1
+labels:
+ guid: c22db132-399b-4e7c-995d-577a60881be8
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Check AKS Clusters using kubenet network profile
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | extend networkProfile = tostring (parse_json(properties.networkProfile.networkPlugin))
+ | where networkProfile =="kubenet"
+ | project recommendationId="c22db132-399b-4e7c-995d-577a60881be8", name, id, tags, param1=strcat("networkProfile :",networkProfile)
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-LowerReadWriteLatencyEphemeralOsDisks.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-LowerReadWriteLatencyEphemeralOsDisks.yaml
new file mode 100644
index 000000000..cab796d72
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-LowerReadWriteLatencyEphemeralOsDisks.yaml
@@ -0,0 +1,25 @@
+name: aprl-LowerReadWriteLatencyEphemeralOsDisks
+title: Use Ephemeral OS disks on AKS clusters
+description: |-
+ Ephemeral OS disks on AKS offer lower read/write latency due to local attachment, eliminating the need for replication seen with managed disks. This enhances performance and speeds up cluster operations such as scaling or upgrading due to quicker re-imaging and boot times.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 1
+labels:
+ guid: a7bfcc18-b0d8-4d37-81f3-8131ed8bead5
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Returns any AKS cluster nodepools that do not have Ephemeral Disks
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | mv-expand agentPoolProfile = properties.agentPoolProfiles
+ | extend type = tostring(agentPoolProfile.osDiskType)
+ | where type != 'Ephemeral'
+ | project recommendationId="a7bfcc18-b0d8-4d37-81f3-8131ed8bead5", name, id, param1=strcat("osDiskType: ", type)
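Review bot: The line `| extend type = tostring(agentPoolProfile.osDiskType)` rebinds the `type` column that the preceding `where` used for the resource type; it works only because of statement order, and reads as if the resource type is being compared to 'Ephemeral'. A distinct name, `| extend osDiskType = tostring(agentPoolProfile.osDiskType)` with `| where osDiskType != 'Ephemeral'` and `param1=strcat("osDiskType: ", osDiskType)`, avoids the shadowing. The project line also omits `tags`, unlike most of the sibling queries in this change.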
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MaximumAutoScaleSettingsMaxAutoScaleSettings.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MaximumAutoScaleSettingsMaxAutoScaleSettings.yaml
new file mode 100644
index 000000000..903c7c774
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MaximumAutoScaleSettingsMaxAutoScaleSettings.yaml
@@ -0,0 +1,42 @@
+name: aprl-MaximumAutoScaleSettingsMaxAutoScaleSettings
+title: Nodepool subnet size needs to accommodate maximum auto-scale settings
+description: |-
+ Nodepool subnets sized for max auto-scale settings enable AKS to efficiently scale out nodes, meeting increased demand while reducing resource constraints and potential service disruptions.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: e620fa98-7a40-41a0-bfc9-b4407297fb58
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns each AKS cluster with nodepools that have user nodepools with a subnetmask that does not match autoscale configured max-nodes
+ // Subtracting the network address, broadcast address, and default 3 addresses Azure reserves within each subnet
+
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | extend nodePools = properties['agentPoolProfiles']
+ | mv-expand nodePools = properties.agentPoolProfiles
+ | where nodePools.enableAutoScaling == true
+ | extend nodePoolName=nodePools.name, maxNodes = nodePools.maxCount, subnetId = tostring(nodePools.vnetSubnetID)
+ | project clusterId = id, clusterName=name, nodePoolName=nodePools.name, toint(maxNodes), subnetId
+ | join kind = leftouter (
+ resources
+ | where type == 'microsoft.network/virtualnetworks'
+ | extend subnets = properties.subnets
+ | mv-expand subnets
+ | project id = tostring(subnets.id), addressPrefix = tostring(subnets.properties['addressPrefix'])
+ | extend subnetmask = toint(substring(addressPrefix, indexof(addressPrefix, '/')+1, string_size(addressPrefix)))
+ | extend possibleMaxNodeCount = toint(exp2(32-subnetmask) - 5)
+ ) on $left.subnetId == $right.id
+ | project-away id, subnetmask
+ | where possibleMaxNodeCount <= maxNodes
+ | extend param1 = strcat(nodePoolName, " autoscaler upper limit: ", maxNodes)
+ | extend param2 = strcat("ip addresses on subnet: ", possibleMaxNodeCount)
+ | project recommendationId="e620fa98-7a40-41a0-bfc9-b4407297fb58", name=clusterName, id=clusterId, param1, param2
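Review bot: The join `on $left.subnetId == $right.id` is an exact, case-sensitive comparison between `nodePools.vnetSubnetID` and the subnet id from the virtualnetworks table; resource ids recorded in agent pool profiles may not share the casing used by the network resource provider, and any mismatch leaves `possibleMaxNodeCount` null after the left-outer join, so the pool silently passes the `<=` check. Lower-case both sides: `subnetId = tolower(tostring(nodePools.vnetSubnetID))` and `| project id = tolower(tostring(subnets.id)), addressPrefix = tostring(subnets.properties['addressPrefix'])`. The `| extend nodePools = properties['agentPoolProfiles']` line is redundant, as the following `mv-expand` assigns the same name. Note also that the comparison budgets one IP per node; with Azure CNI in its non-overlay mode each node additionally reserves addresses for its pods, so this check is a lower bound rather than a guarantee — worth stating in the header comment.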
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MultiZoneAksClustersZoneRedundantStorage.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MultiZoneAksClustersZoneRedundantStorage.yaml
new file mode 100644
index 000000000..6cd8f3a0c
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MultiZoneAksClustersZoneRedundantStorage.yaml
@@ -0,0 +1,18 @@
+name: aprl-MultiZoneAksClustersZoneRedundantStorage
+title: Use zone-redundant storage for persistent volumes when running multi-zone AKS
+description: |-
+ ZRS ensures data replication across three zones, protecting against zonal outages. It's available for Azure Disks, Container Storage, Files, and Blob by setting the SKU to ZRS in storage classes, enhancing multi-zone AKS clusters from v1.29.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 1
+labels:
+ guid: d3111036-355d-431b-ab49-8ddad042800b
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MultipleReplicasProductionApplications.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MultipleReplicasProductionApplications.yaml
new file mode 100644
index 000000000..2450850a5
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-MultipleReplicasProductionApplications.yaml
@@ -0,0 +1,19 @@
+name: aprl-MultipleReplicasProductionApplications
+title: Use deployments with multiple replicas in production applications to guarantee
+ availability
+description: |-
+ Configuring multiple replicas in Pod or Deployment manifests stabilizes the number of replica Pods, ensuring that a specified number of identical Pods are always available, thereby guaranteeing their availability.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: bcfe71f1-ebed-49e5-a84a-193b81ad5d27
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-NodePoolAutoScaleSettingsNodePoolSettings.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-NodePoolAutoScaleSettingsNodePoolSettings.yaml
new file mode 100644
index 000000000..c68b50edd
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-NodePoolAutoScaleSettingsNodePoolSettings.yaml
@@ -0,0 +1,18 @@
+name: aprl-NodePoolAutoScaleSettingsNodePoolSettings
+title: Node pool auto-scale settings should not exceed subscription core quota
+description: |-
+ Node pool settings should not exceed the subscription core quota to ensure AKS can scale out nodes efficiently, meeting increased demand while reducing resource constraints and potential service disruptions.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: a01afc4c-7439-4919-b2da-3565992ea2a7
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-PodResourceNeedsClusterAutoScaler.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-PodResourceNeedsClusterAutoScaler.yaml
new file mode 100644
index 000000000..c5e395c0a
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-PodResourceNeedsClusterAutoScaler.yaml
@@ -0,0 +1,24 @@
+name: aprl-PodResourceNeedsClusterAutoScaler
+title: Enable the cluster auto-scaler on an existing cluster
+description: |-
+ The cluster auto-scaler in AKS adjusts node counts based on pod resource needs and available capacity, enabling scaling as per demand to prevent outages.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 902c82ff-4910-4b61-942d-0d6ef7f39b67
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find AKS clusters with auto-scaling disabled
+ Resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | extend autoScaling = tostring (parse_json(properties.agentPoolProfiles.[0].enableAutoScaling))
+ | where autoScaling == "false"
+ | project recommendationId="902c82ff-4910-4b61-942d-0d6ef7f39b67", name, id, tags, param1=strcat("autoScaling :", autoScaling)
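Review bot: `properties.agentPoolProfiles.[0].enableAutoScaling` inspects only the first node pool, so a cluster whose second or later pool has the autoscaler disabled is never reported, and the `.[0]` form mixes path and index syntax where the sibling queries in this change use `mv-expand agentPoolProfile = properties.agentPoolProfiles` to evaluate every pool. The equality `autoScaling == "false"` also misses pools where `enableAutoScaling` is absent, which `tostring` renders as an empty string. Expanding the pools and testing `!= "true"` covers both cases and lets param1 name the offending pool; the table name should also be lower-case `resources` like the rest of the set.
```yaml
  arg: |
    // … unchanged: header comments …
    resources
    | where type == "microsoft.containerservice/managedclusters"
    | mv-expand agentPoolProfile = properties.agentPoolProfiles
    | extend autoScaling = tostring(agentPoolProfile.enableAutoScaling)
    | where autoScaling != "true"
    | project recommendationId="902c82ff-4910-4b61-942d-0d6ef7f39b67", name, id, tags, param1=strcat("nodePoolName: ", agentPoolProfile.name), param2=strcat("autoScaling: ", iff(isempty(autoScaling), "false", autoScaling))
```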
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-PodTopologySpreadConstraintsZoneTopology.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-PodTopologySpreadConstraintsZoneTopology.yaml
new file mode 100644
index 000000000..c93c1158e
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-PodTopologySpreadConstraintsZoneTopology.yaml
@@ -0,0 +1,19 @@
+name: aprl-PodTopologySpreadConstraintsZoneTopology
+title: Use pod topology spread constraints to ensure that pods are spread across different
+ nodes or zones
+description: |-
+ Enhance availability and reliability by using pod topology spread constraints to control pod distribution based on node or zone topology, ensuring pods are spread across your cluster.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 928fcc6f-5e9a-42d9-9bd4-260af42de2e5
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-ProductionAksClustersAksTier.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-ProductionAksClustersAksTier.yaml
new file mode 100644
index 000000000..8395e8d78
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-ProductionAksClustersAksTier.yaml
@@ -0,0 +1,23 @@
+name: aprl-ProductionAksClustersAksTier
+title: Update AKS tier to Standard
+description: |-
+ Production AKS clusters require the Standard tier for a financially backed SLA and enhanced node scalability, as the free service lacks these features.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 0611251f-e70f-4243-8ddd-cfe894bec2e7
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns all AKS clusters not running on the Standard tier
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | where sku.tier != "Standard"
+ | project recommendationId="0611251f-e70f-4243-8ddd-cfe894bec2e7", id, name, tags, param1=strcat("skuName: ", sku.name), param2=strcat("skuTier: ", sku.tier)
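Review bot: The filter `| where sku.tier != "Standard"` reports any cluster whose tier is not literally Standard, so if the subscription contains clusters on the Premium tier (which, to my understanding, also carries the financially backed SLA the description refers to) they would be flagged as needing an upgrade. If that tier is in scope for this repository, `| where sku.tier !in~ ("Standard", "Premium")` avoids the false positive; if not, a header comment stating that only Free-tier clusters are expected to match would make the intent explicit.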
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SecureScalableAuthenticationSystemExternalIdentityProviders.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SecureScalableAuthenticationSystemExternalIdentityProviders.yaml
new file mode 100644
index 000000000..e885ac825
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SecureScalableAuthenticationSystemExternalIdentityProviders.yaml
@@ -0,0 +1,26 @@
+name: aprl-SecureScalableAuthenticationSystemExternalIdentityProviders
+title: Disable local accounts
+description: |-
+ Local Kubernetes accounts in AKS, being non-auditable and legacy, are discouraged. Microsoft Entra's integration offers centralized management, multi-factor authentication, RBAC for detailed access, and a secure, scalable authentication system compatible with Azure and external identity providers.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: ca324d71-54b0-4a3e-b9e4-10e767daa9fc
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns a list of AKS clusters not using AAD enabled
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | extend aadProfile = tostring (parse_json(properties.aadProfile))
+ | extend disablelocalAdmin = tostring(parse_json(properties.disableLocalAccounts))
+ | extend RBAC = tostring(parse_json(properties.enableRBAC))
+ | where RBAC == "false"
+ | project recommendationId="ca324d71-54b0-4a3e-b9e4-10e767daa9fc", name, id, tags, param1=strcat("aadProfile: ", aadProfile), param2=strcat("disablelocalAdmin: ",disablelocalAdmin), param3=strcat("RBAC: ", RBAC)
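Review bot: The query's only filter is `| where RBAC == "false"`, so the two fields this recommendation is about — `disableLocalAccounts` and `aadProfile`, both computed on the lines above — never influence which clusters are returned; a cluster with Kubernetes RBAC on, no Entra integration and local accounts still enabled is exactly what the title says to fix, yet it passes. Replace the filter with `| where RBAC == "false" or isempty(aadProfile) or disablelocalAdmin != "true"`, which flags a missing Entra profile and local accounts that are not disabled (including the case where the property is absent and `tostring` yields an empty string). The header comment `// Returns a list of AKS clusters not using AAD enabled` should be reworded to match, e.g. `// Returns AKS clusters without Entra integration, with local accounts enabled, or with RBAC disabled`.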
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SystemNodePoolsIsolateSystem.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SystemNodePoolsIsolateSystem.yaml
new file mode 100644
index 000000000..73ab55953
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SystemNodePoolsIsolateSystem.yaml
@@ -0,0 +1,35 @@
+name: aprl-SystemNodePoolsIsolateSystem
+title: Isolate system and application pods
+description: |-
+ AKS assigns the kubernetes.azure.com/mode: system label to nodes in system node pools signaling the preference for system pods should be scheduled there. The CriticalAddonsOnly=true:NoSchedule taint can be added to your system nodes to prohibit application pods from being scheduled on them.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 5ee083cd-6ac3-4a83-8913-9549dd36cf56
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Returns each AKS cluster with nodepools that do not have system pods labelled with CriticalAddonsOnly
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | mv-expand agentPoolProfile = properties.agentPoolProfiles
+ | where agentPoolProfile.mode =~ 'System' // system node pools
+ | extend taint = tostring(parse_json(agentPoolProfile.nodeTaints))
+ | extend hasCriticalAddonsTaint = agentPoolProfile.kubeletConfig has 'CriticalAddonsOnly'
+ | extend hasNodeLabel = agentPoolProfile.customNodeLabels has 'CriticalAddonsOnly'
+ | extend hasCriticalAddonsOnly = hasCriticalAddonsTaint or hasNodeLabel or isempty(taint)
+ | extend nodePool = tostring(parse_json(agentPoolProfile.name))
+ | where hasCriticalAddonsOnly
+ | project
+ recommendationId="5ee083cd-6ac3-4a83-8913-9549dd36cf56",
+ id,
+ name,
+ tags,
+ param1=strcat("nodepoolName: ", nodePool)
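Review bot: The filter `| where hasCriticalAddonsOnly` returns pools for which the flag is true, but `hasCriticalAddonsOnly` is true when the taint IS present (`hasCriticalAddonsTaint or hasNodeLabel`) as well as when `taint` is empty, so the query reports correctly tainted system pools alongside untainted ones and contradicts the header comment that it returns pools without the CriticalAddonsOnly taint. The `taint` column is derived from `nodeTaints` but then never tested for the string; the checks look at `kubeletConfig` and `customNodeLabels` instead, which is not where taints live, and the sibling query in this change (aprl-SystemNodepoolCountCriticalSystemPods) tests `nodeTaints` directly. Collapse the four extend lines and the `where` to `| extend taint = tostring(agentPoolProfile.nodeTaints)` followed by `| where taint !has 'CriticalAddonsOnly'`, keeping the `nodePool` extend for param1.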
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SystemNodepoolCountCriticalSystemPods.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SystemNodepoolCountCriticalSystemPods.yaml
new file mode 100644
index 000000000..23afc2f94
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-SystemNodepoolCountCriticalSystemPods.yaml
@@ -0,0 +1,26 @@
+name: aprl-SystemNodepoolCountCriticalSystemPods
+title: Configure system nodepool count
+description: |-
+ The system node pool should be configured with a minimum node count of two to ensure critical system pods are resilient to node outages.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 7f7ae535-a5ba-4665-b7e0-c451dbdda01f
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns each AKS cluster with nodepools that have system nodepools with less than 2 nodes
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | mv-expand agentPoolProfile = properties.agentPoolProfiles
+ | extend taints = tostring(parse_json(agentPoolProfile.nodeTaints))
+ | extend nodePool = tostring(parse_json(agentPoolProfile.name))
+ | where taints has "CriticalAddonsOnly=true:NoSchedule" and agentPoolProfile.minCount < 2
+ | project recommendationId="7f7ae535-a5ba-4665-b7e0-c451dbdda01f", id, name, param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount)
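Review bot: `agentPoolProfile.minCount < 2` is only meaningful when the autoscaler is enabled; for a fixed-size pool `minCount` is absent, the comparison against null is false, and a one-node system pool without autoscaling is never reported. Use the configured node count as the fallback: `| where taints has "CriticalAddonsOnly=true:NoSchedule" and coalesce(toint(agentPoolProfile.minCount), toint(agentPoolProfile['count'])) < 2`, and report the same coalesced value in param2. Selecting system pools by taint also skips system pools that were never tainted; `agentPoolProfile.mode =~ 'System'`, as the isolate-system-pods query in this change does, matches the title more directly.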
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-TwoReplicasNodeFailures.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-TwoReplicasNodeFailures.yaml
new file mode 100644
index 000000000..9627114e4
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-TwoReplicasNodeFailures.yaml
@@ -0,0 +1,18 @@
+name: aprl-TwoReplicasNodeFailures
+title: Deploy at least two replicas of your application
+description: |-
+ Deploying at least two replicas of your application ensures that your application is highly available and can tolerate node failures.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 9200aca6-0e83-4749-a5eb-e3939367bdc2
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-UserNodepoolCountUserNodePool.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-UserNodepoolCountUserNodePool.yaml
new file mode 100644
index 000000000..386295e91
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-UserNodepoolCountUserNodePool.yaml
@@ -0,0 +1,26 @@
+name: aprl-UserNodepoolCountUserNodePool
+title: Configure user nodepool count
+description: |-
+ Configuring the user node pool with at least two nodes is essential for applications needing high availability, ensuring they remain operational and accessible without interruption.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: 005ccbbd-aeab-46ef-80bd-9bd4479412ec
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Returns each AKS cluster with nodepools that have user nodepools with less than 2 nodes
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | mv-expand agentPoolProfile = properties.agentPoolProfiles
+ | extend taints = tostring(parse_json(agentPoolProfile.nodeTaints))
+ | extend nodePool = tostring(parse_json(agentPoolProfile.name))
+ | where taints !has "CriticalAddonsOnly=true:NoSchedule" and agentPoolProfile.minCount < 2
+ | project recommendationId="005ccbbd-aeab-46ef-80bd-9bd4479412ec", id, name, param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount)
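Review bot: The same null comparison as in the system-pool count query applies here: `agentPoolProfile.minCount < 2` is false for pools without autoscaling because `minCount` is absent, so a single-node user pool with a fixed `count` is never flagged. Use `coalesce(toint(agentPoolProfile.minCount), toint(agentPoolProfile['count'])) < 2` and report that value in param2. Identifying user pools by the absence of the CriticalAddonsOnly taint also misclassifies an untainted system pool as a user pool; `agentPoolProfile.mode =~ 'User'` is the unambiguous discriminator.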
diff --git a/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-ValidatedSourceBuiltComponentsLinuxNodepools.yaml b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-ValidatedSourceBuiltComponentsLinuxNodepools.yaml
new file mode 100644
index 000000000..3d03a2701
--- /dev/null
+++ b/v2/recos/Services/microsoftcontainerservice-managedClusters/aprl-ValidatedSourceBuiltComponentsLinuxNodepools.yaml
@@ -0,0 +1,24 @@
+name: aprl-ValidatedSourceBuiltComponentsLinuxNodepools
+title: Use Azure Linux for Linux nodepools
+description: |-
+ Azure Linux on AKS boosts resiliency with a native image using validated, source-built components. It's lightweight, reducing the attack surface and maintenance. A Microsoft-hardened kernel, optimized for Azure, enhances stability and security for container workloads.
+source:
+ type: aprl
+ file: azure-resources/ContainerService/managedClusters/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.ContainerService/managedClusters
+severity: 0
+labels:
+ guid: f46b0d1d-56ef-4795-b98a-f6ee00cb341a
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Returns each AKS cluster with nodepools that have Linux nodepools not using Azure Linux
+ resources
+ | where type == "microsoft.containerservice/managedclusters"
+ | mv-expand agentPoolProfile = properties.agentPoolProfiles
+ | where agentPoolProfile.osType == 'Linux' and agentPoolProfile.osSKU != 'AzureLinux'
+ | project recommendationid="f46b0d1d-56ef-4795-b98a-f6ee00cb341a", name, id, param1=strcat("nodePoolName: ", agentPoolProfile.name)
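Review bot: The projected column is spelled `recommendationid` here, while every other query in this change uses `recommendationId` (for example the project lines at L62104, L62430, L62509 and L62542); a consumer that joins results on the `recommendationId` column would silently drop this query's rows. Change the line to `| project recommendationId="f46b0d1d-56ef-4795-b98a-f6ee00cb341a", name, id, param1=strcat("nodePoolName: ", agentPoolProfile.name)`. If these files are generated from the upstream APRL source named in `source.file`, the casing should be fixed there as well so the next regeneration does not reintroduce it.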
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-AzureCosmosDbExtraProvisionedThroughput.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-AzureCosmosDbExtraProvisionedThroughput.yaml
new file mode 100644
index 000000000..88557044f
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-AzureCosmosDbExtraProvisionedThroughput.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureCosmosDbExtraProvisionedThroughput
+title: Continous Backup with point-in-time restore in Azure Cosmos DB
+description: Continous 7 day retention and 30 day retention backups. Azure Cosmos
+ DB performs data backup in the background without consuming any extra provisioned
+ throughput (RUs) or affecting the performance and availability of your database.
+ Continuous backups are taken in every region where the account exists.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: d43918a8-cd28-49be-b6b1-7cb8245461e1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-AzureCosmosDbRegularIntervals.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-AzureCosmosDbRegularIntervals.yaml
new file mode 100644
index 000000000..2bd2e3648
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-AzureCosmosDbRegularIntervals.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureCosmosDbRegularIntervals
+title: Enable Automatic Backups
+description: Azure Cosmos DB automatically takes backups of your data at regular intervals.
+ The automatic backups are taken without affecting the performance or availability
+ of the database operations. All the backups are stored separately in a storage service.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 3499c9c1-133d-42f7-a4b1-a5bd06ff1a90
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-FtaResiliencyPlaybook.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-FtaResiliencyPlaybook.yaml
new file mode 100644
index 000000000..6752cb700
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-FtaResiliencyPlaybook.yaml
@@ -0,0 +1,15 @@
+name: revcl-FtaResiliencyPlaybook
+title: FTA Resiliency Playbook
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 43e52f47-22d9-428c-8b1c-d521e54a29a9
+links:
+- type: docs
+ url: https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-LeverageAvailablityZonesOfcourse.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-LeverageAvailablityZonesOfcourse.yaml
new file mode 100644
index 000000000..efd28c7c0
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-LeverageAvailablityZonesOfcourse.yaml
@@ -0,0 +1,16 @@
+name: revcl-LeverageAvailablityZonesOfcourse
+title: Leverage Availablity Zones where regionally applicable and ofcourse if the
+ service offers it
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 0
+labels:
+ guid: de39ac0e-7c28-4dc9-9565-7202bff4564b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/high-availability#slas
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-LeverageMultiRegionWritesMultiRegionWritesCapability.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-LeverageMultiRegionWritesMultiRegionWritesCapability.yaml
new file mode 100644
index 000000000..48f5f4e0f
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-LeverageMultiRegionWritesMultiRegionWritesCapability.yaml
@@ -0,0 +1,17 @@
+name: revcl-LeverageMultiRegionWritesMultiRegionWritesCapability
+title: Leverage Multi-Region Writes
+description: Multi-region writes capability allows you to take advantage of the provisioned
+ throughput for your databases and containers across the globe
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: bad38ead-53cc-47de-8d8a-aab3571449ab
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-MaximumRetentionPeriodMinimumBackupInterval.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-MaximumRetentionPeriodMinimumBackupInterval.yaml
new file mode 100644
index 000000000..1f77f346f
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-MaximumRetentionPeriodMinimumBackupInterval.yaml
@@ -0,0 +1,22 @@
+name: revcl-MaximumRetentionPeriodMinimumBackupInterval
+title: Perform Periodic Backups
+description: This mode is the default backup mode for all existing accounts. In this
+ mode, backup is taken at a periodic interval and the data is restored by creating
+ a request with the support team. In this mode, you configure a backup interval and
+ retention for your account. The maximum retention period extends to a month. The
+ minimum backup interval can be one hour.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: a6eb33f6-005c-4d92-9286-7655672d6121
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/manage-identity-and-access/
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-MultipleReplicasDatabase.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-MultipleReplicasDatabase.yaml
new file mode 100644
index 000000000..b088998db
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-MultipleReplicasDatabase.yaml
@@ -0,0 +1,15 @@
+name: revcl-MultipleReplicasDatabase
+title: Run multiple replicas of the database (>1 ) in Prod
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 0d934a34-8b26-43e7-bd60-513a3649906e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-RegularBusinessContinuityDrillsAzureCosmosDb.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-RegularBusinessContinuityDrillsAzureCosmosDb.yaml
new file mode 100644
index 000000000..4102785a8
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-RegularBusinessContinuityDrillsAzureCosmosDb.yaml
@@ -0,0 +1,21 @@
+name: revcl-RegularBusinessContinuityDrillsAzureCosmosDb
+title: Enable Service managed failover
+description: Maintain business continuity during regional outages. Azure Cosmos DB
+ supports service-managed failover during a regional outage. During a regional outage,
+ Azure Cosmos DB continues to maintain its latency, availability, consistency, and
+ throughput SLAs. To help make sure that your entire application is highly available,
+ Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using
+ this API, you can carry out regular business continuity drills.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: a47e4d1e-bb79-43f9-bf87-69e1032b72fe
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-SeveralWellDefinedConsistencyModelsVariousConsistencyLevels.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-SeveralWellDefinedConsistencyModelsVariousConsistencyLevels.yaml
new file mode 100644
index 000000000..b916d5bfd
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-SeveralWellDefinedConsistencyModelsVariousConsistencyLevels.yaml
@@ -0,0 +1,17 @@
+name: revcl-SeveralWellDefinedConsistencyModelsVariousConsistencyLevels
+title: Choose from several well-defined consistency models
+description: Choose from various consistency levels such as Eventual, Consistent Prefix,
+ Session, Bounded Staleness and strong
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 0
+labels:
+ guid: 9f8ea848-25ec-4140-bc32-2758e6ee9ac0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/consistency-levels
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-SpanCosmosAccountData.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-SpanCosmosAccountData.yaml
new file mode 100644
index 000000000..17e7367bc
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/Reliability/revcl-SpanCosmosAccountData.yaml
@@ -0,0 +1,16 @@
+name: revcl-SpanCosmosAccountData
+title: Distribute your data globally
+description: Span Cosmos account across two or more regions with multi-region writes
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.documentdb/databaseaccounts
+waf: Reliability
+severity: 1
+labels:
+ guid: 8153d89f-89dc-47b3-9be2-b1a27f7b9e91
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cosmos-db/high-availability#slas
+queries: {}
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-AzureCosmosDbResourcesCosmosDbHealth.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-AzureCosmosDbResourcesCosmosDbHealth.yaml
new file mode 100644
index 000000000..f2a0bf022
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-AzureCosmosDbResourcesCosmosDbHealth.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureCosmosDbResourcesCosmosDbHealth
+title: Monitor Cosmos DB health and set up alerts
+description: |-
+ Monitoring the availability and responsiveness of Azure Cosmos DB resources and having alerts set up for your workload is a good practice. This ensures you stay proactive in handling unforeseen events.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 1
+labels:
+ guid: deaea200-013c-414b-ac9f-bfa7a7fb13f0
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |-
+ // under-development
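Review bot: The `queries.arg` value here is a single KQL comment, `// under-development`, so any consumer that executes `arg` whenever the key is present would submit an empty query and either error or return nothing for this recommendation. The revcl entries in the same change express "no query" as `queries: {}`, which is unambiguous; the same shape would be clearer here. The same placeholder appears in the hunks ending at L62454, L62478 and L62566. If the generator copies the field through from the APRL source, it could skip `arg` values whose non-comment content is empty.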
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-ContinuousBackupModeContinuousMode.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-ContinuousBackupModeContinuousMode.yaml
new file mode 100644
index 000000000..a11990963
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-ContinuousBackupModeContinuousMode.yaml
@@ -0,0 +1,26 @@
+name: aprl-ContinuousBackupModeContinuousMode
+title: Configure continuous backup mode
+description: |-
+ Cosmos DB's backup is always on, offering protection against data mishaps. Continuous mode allows for self-serve restoration to a pre-mishap point, unlike periodic mode which requires contacting Microsoft support, leading to longer restore times.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 0
+labels:
+ guid: e544520b-8505-7841-9e77-1f1974ee86ec
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Query all Azure Cosmos DB accounts that do not have continuous backup mode configured
+ Resources
+ | where type =~ 'Microsoft.DocumentDb/databaseAccounts'
+ | where
+ properties.backupPolicy.type == 'Periodic' and
+ properties.enableMultipleWriteLocations == false and
+ properties.enableAnalyticalStorage == false
+ | project recommendationId='e544520b-8505-7841-9e77-1f1974ee86ec', name, id, tags
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-ManyTransientErrorsRobustErrorHandling.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-ManyTransientErrorsRobustErrorHandling.yaml
new file mode 100644
index 000000000..a5ef1adf5
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-ManyTransientErrorsRobustErrorHandling.yaml
@@ -0,0 +1,18 @@
+name: aprl-ManyTransientErrorsRobustErrorHandling
+title: Implement retry logic in your client
+description: |-
+ Cosmos DB SDKs automatically manage many transient errors through retries. Despite this, it's crucial for applications to implement additional retry policies targeting specific cases that the SDKs can't generically address, ensuring more robust error handling.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 1
+labels:
+ guid: fa6ac22f-0584-bb4b-80e4-80f4755d1a97
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-MbResponseLimitCosmosDb.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-MbResponseLimitCosmosDb.yaml
new file mode 100644
index 000000000..4de26f5ad
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-MbResponseLimitCosmosDb.yaml
@@ -0,0 +1,18 @@
+name: aprl-MbResponseLimitCosmosDb
+title: Ensure query results are fully drained
+description: |-
+ Cosmos DB has a 4 MB response limit, leading to paginated results for large or partition-spanning queries. Each page shows availability and provides a continuation token for the next. A while loop in code is necessary to traverse all pages until completion.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 0
+labels:
+ guid: c006604a-0d29-684c-99f0-9729cb40dac5
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-MultiRegionWriteCapabilityMultipleRegions.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-MultiRegionWriteCapabilityMultipleRegions.yaml
new file mode 100644
index 000000000..adfe4cf64
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-MultiRegionWriteCapabilityMultipleRegions.yaml
@@ -0,0 +1,25 @@
+name: aprl-MultiRegionWriteCapabilityMultipleRegions
+title: Evaluate multi-region write capability
+description: |-
+ Multi-region write capability allows for designing applications that are highly available across multiple regions, though it demands careful attention to consistency requirements and conflict resolution. Improper setup may decrease availability and cause data corruption due to unhandled conflicts.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 0
+labels:
+ guid: 9ce78192-74a0-104c-b5bb-9a443f941649
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Query to find Azure Cosmos DB accounts that have multiple read locations but do not have multiple write locations enabled
+ Resources
+ | where type =~ 'Microsoft.DocumentDb/databaseAccounts'
+ | where
+ array_length(properties.locations) > 1 and
+ properties.enableMultipleWriteLocations == false
+ | project recommendationId='9ce78192-74a0-104c-b5bb-9a443f941649', name, id, tags
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-SingleWriteRegionNextAvailableRegion.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-SingleWriteRegionNextAvailableRegion.yaml
new file mode 100644
index 000000000..4c1a96477
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-SingleWriteRegionNextAvailableRegion.yaml
@@ -0,0 +1,27 @@
+name: aprl-SingleWriteRegionNextAvailableRegion
+title: Enable service-managed failover for multi-region accounts with single write
+ region
+description: |-
+ Cosmos DB boasts high uptime and resiliency. Even so, issues may arise. With Service-Managed failover, if a region is down, Cosmos DB automatically switches to the next available region, requiring no user action.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 0
+labels:
+ guid: 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Query to list all Azure Cosmos DB accounts that do not have multiple write locations or automatic failover enabled
+ Resources
+ | where type =~ 'Microsoft.DocumentDb/databaseAccounts'
+ | where
+ array_length(properties.locations) > 1 and
+ tobool(properties.enableAutomaticFailover) == false and
+ tobool(properties.enableMultipleWriteLocations) == false
+ | project recommendationId='9cabded7-a1fc-6e4a-944b-d7dd98ea31a2', name, id, tags
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-SingletonPatternSingleInstance.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-SingletonPatternSingleInstance.yaml
new file mode 100644
index 000000000..8a99c00c1
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-SingletonPatternSingleInstance.yaml
@@ -0,0 +1,18 @@
+name: aprl-SingletonPatternSingleInstance
+title: Maintain singleton pattern in your client
+description: |-
+ Using a single instance of the SDK client for each account and application is crucial as connections are tied to the client. Compute environments have a limit on open connections, affecting connectivity when exceeded.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 1
+labels:
+ guid: 7eb32cf9-9a42-1540-acf8-597cbba8a418
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-TwoRegionsSecondaryRegion.yaml b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-TwoRegionsSecondaryRegion.yaml
new file mode 100644
index 000000000..896304962
--- /dev/null
+++ b/v2/recos/Services/microsoftdocumentdb-databaseAccounts/aprl-TwoRegionsSecondaryRegion.yaml
@@ -0,0 +1,25 @@
+name: aprl-TwoRegionsSecondaryRegion
+title: Configure at least two regions for high availability
+description: |-
+ Enable a secondary region in Cosmos DB for higher SLA without downtime. Simple as pinning a location on a map. For Strong consistency, configure at least three regions for write availability in case of failure.
+source:
+ type: aprl
+ file: azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.DocumentDB/databaseAccounts
+severity: 0
+labels:
+ guid: 43663217-a1d3-844b-80ea-571a2ce37c6c
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Query to find Azure Cosmos DB accounts that have less than 2 regions or less than 3 regions with strong consistency level
+ Resources
+ | where type =~ 'Microsoft.DocumentDb/databaseAccounts'
+ | where
+ array_length(properties.locations) < 2 or
+ (array_length(properties.locations) < 3 and properties.consistencyPolicy.defaultConsistencyLevel == 'Strong')
+ | project recommendationId='43663217-a1d3-844b-80ea-571a2ce37c6c', name, id, tags
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-BusinessCriticalApplicationsActiveActiveConfiguration.yaml b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-BusinessCriticalApplicationsActiveActiveConfiguration.yaml
new file mode 100644
index 000000000..c36a7d3f7
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-BusinessCriticalApplicationsActiveActiveConfiguration.yaml
@@ -0,0 +1,20 @@
+name: revcl-BusinessCriticalApplicationsActiveActiveConfiguration
+title: For Business Critical Applications, use Active Active configuration
+description: Should be used for DR configurations where an outage or loss of event
+ data in the downed region cannot be tolerated. For these cases, follow the replication
+ guidance and do not use the built-in geo-disaster recovery capability (active/passive).
+ With Active/Active, Maintain multiple Event Hubs in different regions and namespaces,
+ and events will be replicated between the hubs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 6e31b67d-67ba-4591-89c0-9e805d597c7e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-DedicatedSkusPredicablePerformance.yaml b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-DedicatedSkusPredicablePerformance.yaml
new file mode 100644
index 000000000..c4b903213
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-DedicatedSkusPredicablePerformance.yaml
@@ -0,0 +1,15 @@
+name: revcl-DedicatedSkusPredicablePerformance
+title: Use the Premium or Dedicated SKUs for predicable performance
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 20b56c56-ad58-4519-8f82-735c586bb281
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/compare-tiers
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-DesignResilientEventHubs.yaml b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-DesignResilientEventHubs.yaml
new file mode 100644
index 000000000..751d37a3f
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-DesignResilientEventHubs.yaml
@@ -0,0 +1,15 @@
+name: revcl-DesignResilientEventHubs
+title: Design Resilient Event Hubs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 9ced16ad-d186-4f0a-a241-a999a68af77c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-GeoDisasterRecoveryActivePassiveConfiguration.yaml b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-GeoDisasterRecoveryActivePassiveConfiguration.yaml
new file mode 100644
index 000000000..f1c3b3e7e
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-GeoDisasterRecoveryActivePassiveConfiguration.yaml
@@ -0,0 +1,21 @@
+name: revcl-GeoDisasterRecoveryActivePassiveConfiguration
+title: Plan for Geo Disaster Recovery using Active Passive configuration
+description: The built-in geo-disaster recovery feature, when enabled, ensures that
+ the entire configuration of anamespace (Event Hubs, Consumer Groups and settings)
+ is continuously replicated from a primary namespace to a secondary namespace, and
+ it allows a once-only failover move from the primary to the secondary at any time.
+ Active/Passive feature is designed to make it easier to recover from and abandon
+ a failed Azure region without having to change application configurations
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Reliability
+severity: 0
+labels:
+ guid: dc15a1c0-75ee-49f1-90ac-ccd579376bcd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-LeverageFtaResillencyHandbook.yaml b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-LeverageFtaResillencyHandbook.yaml
new file mode 100644
index 000000000..6ca347b3b
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-LeverageFtaResillencyHandbook.yaml
@@ -0,0 +1,15 @@
+name: revcl-LeverageFtaResillencyHandbook
+title: Leverage FTA Resillency HandBook
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Reliability
+severity: 1
+labels:
+ guid: 31d41e36-11c8-417b-8afb-c410d4391898
+links:
+- type: docs
+ url: https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-NewEhNamespaceLeverageAvailabilityZones.yaml b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-NewEhNamespaceLeverageAvailabilityZones.yaml
new file mode 100644
index 000000000..069d097d2
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Reliability/revcl-NewEhNamespaceLeverageAvailabilityZones.yaml
@@ -0,0 +1,18 @@
+name: revcl-NewEhNamespaceLeverageAvailabilityZones
+title: Leverage Availability Zones if regionally applicable
+description: ' This will be turned on automatically for a new EH namespace created
+ from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region.
+ Both the EH metadata and the event data itself are replicated across zones'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Reliability
+severity: 0
+labels:
+ guid: f15bce21-9e4a-40eb-9787-9424d226786d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubCustomerManagedKeyOption.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubCustomerManagedKeyOption.yaml
new file mode 100644
index 000000000..8e569ac2a
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubCustomerManagedKeyOption.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureEventHubCustomerManagedKeyOption
+title: Use customer-managed key option in data at rest encryption when required
+description: 'Azure Event Hub provides encryption of data at rest. If you use your
+ own key, the data is still encrypted using the Microsoft-managed key, but in addition
+ the Microsoft-managed key will be encrypted using the customer-managed key. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 2
+labels:
+ guid: 7aaf12e7-b94e-4f6e-847d-2d92981b1cd6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubNamespaceClasslessInterDomainRoutingNotation.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubNamespaceClasslessInterDomainRoutingNotation.yaml
new file mode 100644
index 000000000..8d8d809be
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubNamespaceClasslessInterDomainRoutingNotation.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureEventHubNamespaceClasslessInterDomainRoutingNotation
+title: Consider only allowing access to Azure Event Hub namespace from specific IP
+ addresses or ranges
+description: 'With IP firewall, you can restrict public endpoint further to only a
+ set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing)
+ notation. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: a0e6c465-89e5-458b-a37d-3974d1112dbd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubPublicIpAddress.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubPublicIpAddress.yaml
new file mode 100644
index 000000000..896c7f775
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubPublicIpAddress.yaml
@@ -0,0 +1,22 @@
+name: revcl-AzureEventHubPublicIpAddress
+title: Consider using private endpoints to access Azure Event Hub and disable public
+ network access when applicable.
+description: 'Azure Event Hub by default has a public IP address and is Internet-reachable.
+ Private endpoints allow traffic between your virtual network and Azure Event Hub
+ traverses over the Microsoft backbone network. In addition to that, you should disable
+ public endpoints if those are not used. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: 5abca2a4-eda1-4dae-8cc9-5d48c6b791dc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/private-link-service
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubResourceLogsDataPlaneAccessOperations.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubResourceLogsDataPlaneAccessOperations.yaml
new file mode 100644
index 000000000..7fe91b236
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubResourceLogsDataPlaneAccessOperations.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureEventHubResourceLogsDataPlaneAccessOperations
+title: Enable logging for security investigation. Use Azure Monitor to captured metrics
+ and logs such as resource logs, runtime audit logs and Kafka logs
+description: Azure Event Hub resource logs include operational logs, virtual network
+ and Kafka logs. Runtime audit logs capture aggregated diagnostic information for
+ all data plane access operations (such as send or receive events) in Event Hubs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: b38b875b-a1cf-4104-a900-3a4d3ce474db
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/manage-identity-and-access/
+queries: {}
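Review bot: The title reads "Use Azure Monitor to captured metrics and logs", which should be `Use Azure Monitor to capture metrics and logs such as resource logs, runtime audit logs and Kafka logs`. The second link (learn/paths/manage-identity-and-access) has nothing to do with Event Hubs diagnostics and looks like a training link carried over unchanged from the source checklist; drop it or point it at the same monitoring reference as the first link. Since the guidance is "enable logging for security investigation", the description would be more useful if it said where the logs should land (a Log Analytics workspace via diagnostic settings) rather than only listing the categories.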
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubsNamespacesTransportLayerSecurity.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubsNamespacesTransportLayerSecurity.yaml
new file mode 100644
index 000000000..07c847d42
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-AzureEventHubsNamespacesTransportLayerSecurity.yaml
@@ -0,0 +1,22 @@
+name: revcl-AzureEventHubsNamespacesTransportLayerSecurity
+title: 'Enforce a minimum required version of Transport Layer Security (TLS) for requests '
+description: 'Azure Event Hubs namespaces permit clients to send and receive data
+ with TLS 1.0 and above. To enforce stricter security measures, you can configure
+ your Event Hubs namespace to require that clients send and receive data with a newer
+ version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then
+ any requests made with an older version will fail. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: d2f54b29-769e-43a6-a0e7-828ac936657e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/
+queries: {}
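Review bot: The description ends at "require that clients send and receive data with a newer version of TLS" without naming the target version, so the check is not actionable; end the sentence with `configure your Event Hubs namespace to require TLS 1.2 as the minimum version`. The second link (secure-aad-users-with-mfa) is unrelated to transport security and is presumably a mismatched training link from the source checklist. With `queries: {}` there is no ARG query, unlike the aprl files in this directory, so the minimum-TLS setting cannot be evaluated automatically against a subscription; the namespace's minimum TLS property would be the natural thing to test.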
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-EventHubsNamespaceAdministrativeRootAccount.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-EventHubsNamespaceAdministrativeRootAccount.yaml
new file mode 100644
index 000000000..7c0daa174
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-EventHubsNamespaceAdministrativeRootAccount.yaml
@@ -0,0 +1,22 @@
+name: revcl-EventHubsNamespaceAdministrativeRootAccount
+title: Avoid using root account when it is not necessary
+description: "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey\
+ \ is automatically created for the namespace. This policy has manage permissions\
+ \ for the entire namespace. It\xEF\xBF\xBDs recommended that you treat this rule\
+ \ like an administrative root account and don\xEF\xBF\xBDt use it in your application.\
+ \ Using AAD as an authentication provider with RBAC is recommended. "
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: 13b0f566-4b1e-4944-a459-837ee79d6c6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/
+queries: {}
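Review bot: The description carries `\xEF\xBF\xBD` escapes where the apostrophes in "It's" and "don't" should be; in a YAML double-quoted scalar each `\x..` is a separate Latin-1 code point, so this renders as mojibake rather than an apostrophe, and the same bytes are presumably in the source checklist JSON (a UTF-8 replacement character written out byte by byte). Fix the source text, or read it as UTF-8, so the scalar reads `It's recommended that you treat this rule like an administrative root account and don't use it in your application.` The guidance itself is right: RootManageSharedAccessKey is a namespace-wide Manage policy and should not be embedded in application configuration.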
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-LeastPrivilegeDataPlaneRbacAzureEventHub.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-LeastPrivilegeDataPlaneRbacAzureEventHub.yaml
new file mode 100644
index 000000000..8fef7148d
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-LeastPrivilegeDataPlaneRbacAzureEventHub.yaml
@@ -0,0 +1,21 @@
+name: revcl-LeastPrivilegeDataPlaneRbacAzureEventHub
+title: Use least privilege data plane RBAC
+description: When creating permissions, provide fine-grained control over a client's
+ access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped
+ to the individual resource level e.g. consumer group, event hub entity, event hub
+ namespaces, etc.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 0
+labels:
+ guid: 8357c559-675c-45ee-a5b8-6ad8844ce3b2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/
+queries: {}
diff --git a/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-VirtualMachineScaleSetsAzureVirtualMachines.yaml b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-VirtualMachineScaleSetsAzureVirtualMachines.yaml
new file mode 100644
index 000000000..7cf8d5f61
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/Security/revcl-VirtualMachineScaleSetsAzureVirtualMachines.yaml
@@ -0,0 +1,24 @@
+name: revcl-VirtualMachineScaleSetsAzureVirtualMachines
+title: When possible, your application should be using a managed identity to authenticate
+ to Azure Event Hub. If not, consider having the storage credential (SAS, service
+ principal credential) in Azure Key Vault or an equivalent service
+description: 'Managed identities for Azure resources can authorize access to Event
+ Hubs resources using Azure AD credentials from applications running in Azure Virtual
+ Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By
+ using managed identities for Azure resources together with Azure AD authentication,
+ you can avoid storing credentials with your applications that run in the cloud. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.eventhub/namespaces
+waf: Security
+severity: 1
+labels:
+ guid: 3a365a5c-7acb-4e48-abd5-4cd79f2e8776
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/
+queries: {}
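Review bot: The title tells the reader to keep the `storage credential (SAS, service principal credential)` in Key Vault, which is storage-account wording that does not fit an Event Hubs recommendation; it should say `Event Hubs credential (SAS key, service principal secret)` or similar. The generated `name`, `revcl-VirtualMachineScaleSetsAzureVirtualMachines`, is built from incidental phrases in the description and says nothing about managed identity, which makes the file hard to find and to correlate with its guid. The second link (azure-ad-privileged-identity-management) is unrelated to managed identities for Event Hubs.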
diff --git a/v2/recos/Services/microsofteventhub-namespaces/aprl-EventHubStandardTierNamespacesEgressThrottleScenarios.yaml b/v2/recos/Services/microsofteventhub-namespaces/aprl-EventHubStandardTierNamespacesEgressThrottleScenarios.yaml
new file mode 100644
index 000000000..1ac4859f9
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/aprl-EventHubStandardTierNamespacesEgressThrottleScenarios.yaml
@@ -0,0 +1,24 @@
+name: aprl-EventHubStandardTierNamespacesEgressThrottleScenarios
+title: Enable auto-inflate on Event Hub Standard tier
+description: |-
+ Enable auto-inflate on Event Hub Standard tier namespaces to automatically scale up TUs, meeting usage needs and preventing data ingress or egress throttle scenarios by adjusting to allowed rates.
+source:
+ type: aprl
+ file: azure-resources/EventHub/namespaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.EventHub/namespaces
+severity: 0
+labels:
+ guid: fbfef3df-04a5-41b2-a8fd-b8541eb04956
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find Event Hub namespace instances that are Standard tier and do not have Auto Inflate enabled
+ resources
+ | where type == "microsoft.eventhub/namespaces"
+ | where sku.tier == "Standard"
+ | where properties.isAutoInflateEnabled == "false"
+ | project recommendationId = "fbfef3df-04a5-41b2-a8fd-b8541eb04956", name, id, tags, param1 = "AutoInflateEnabled: False"
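Review bot: The ARG filter `| where properties.isAutoInflateEnabled == "false"` compares against a string, while the ARM property is presumably a JSON boolean; if the value comes back as a dynamic bool the comparison will not match and the query silently returns no rows. A more robust form is `| where tobool(properties.isAutoInflateEnabled) == false`, which handles both the boolean and the string-encoded case. Note also that `resourceTypes` here uses `Microsoft.EventHub/namespaces` while the revcl files in the same directory use `microsoft.eventhub/namespaces`, so any consumer grouping by resource type needs a case-insensitive compare.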
diff --git a/v2/recos/Services/microsofteventhub-namespaces/aprl-ZoneRedundancyAzurePortal.yaml b/v2/recos/Services/microsofteventhub-namespaces/aprl-ZoneRedundancyAzurePortal.yaml
new file mode 100644
index 000000000..6f7d5f8eb
--- /dev/null
+++ b/v2/recos/Services/microsofteventhub-namespaces/aprl-ZoneRedundancyAzurePortal.yaml
@@ -0,0 +1,16 @@
+name: aprl-ZoneRedundancyAzurePortal
+title: Ensure zone redundancy is enabled in supported regions
+description: |-
+ When using the Azure portal, zone redundancy is automatically enabled. However, some Infrastructure as Code (IaC) tools may default this to false. To ensure replication of metadata and events across data centers in an availability zone, always verify that zone redundancy is enabled.
+source:
+ type: aprl
+ file: azure-resources/EventHub/namespaces/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.EventHub/namespaces
+severity: 0
+labels:
+ guid: 84636c6c-b317-4722-b603-7b1ffc16384b
+ area: High Availability
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstanceCountAzureApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstanceCountAzureApplicationGateway.yaml
new file mode 100644
index 000000000..9c1e24508
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstanceCountAzureApplicationGateway.yaml
@@ -0,0 +1,19 @@
+name: wafsg-ApplicationGatewayInstanceCountAzureApplicationGateway
+title: Have a scale-in and scale-out policy
+description: A scale-out policy ensures that there will be enough instances to handle
+ incoming traffic and spikes. Also, have a scale-in policy that makes sure the number
+ of instances are reduced when demand drops. Consider the choice of instance size.
+ The size can significantly impact the cost. Some considerations are described in
+ the Estimate the Application Gateway instance count.For more information, see What
+ is Azure Application Gateway v2?
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: d0c4b44f-7b43-428c-93f2-dedd7bf00799
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesEmptyBackendPools.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesEmptyBackendPools.yaml
new file mode 100644
index 000000000..81b006a07
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesEmptyBackendPools.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ApplicationGatewayInstancesEmptyBackendPools
+title: Review underutilized resources
+description: Identify and delete Application Gateway instances with empty backend
+ pools to avoid unnecessary costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: 7947e534-c9a8-435b-9e03-d300143b5f74
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesExtraneousCosts.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesExtraneousCosts.yaml
new file mode 100644
index 000000000..0710dfd4b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesExtraneousCosts.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ApplicationGatewayInstancesExtraneousCosts
+title: Stop Application Gateway instances when not in use
+description: You aren't billed when Application Gateway is in the stopped state. Continuously
+ running Application Gateway instances can incur extraneous costs. Evaluate usage
+ patterns and stop instances when you don't need them. For example, usage after business
+ hours in Dev/Test environments is expected to be low.See these articles for information
+ about how to stop and start instances.- Stop-AzApplicationGateway- Start-AzApplicationGateway
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: 3c5f0966-3c57-4e15-a6b0-6cb73405bbf1
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesUse.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesUse.yaml
new file mode 100644
index 000000000..585455127
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayInstancesUse.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ApplicationGatewayInstancesUse
+title: Stop Application Gateway instances that are not in use
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: a36bac4f-bf10-44c6-a51e-0d845162b3af
+links: []
+queries: {}
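Review bot: This reco duplicates `wafsg-ApplicationGatewayInstancesExtraneousCosts` above — same resource type, same pillar, near-identical title — but with `description: ''` and a different guid, so consumers will see the item twice and one copy carries no guidance. The same pairing repeats for every Application Gateway Cost and Operations item in this diff (pricing, scale policy, consumption metrics, underutilized resources, Network Insights, capacity metrics, Key Vault/Advisor, timeouts), one from `well-architected/service-guides/azure-application-gateway.md` and one from `./checklists-ext/wafsg_checklist.en.json`. Either dedupe on title within a resource type when the service-guide parser runs, or emit only the source that carries the description; an item whose description is empty should not be written at all.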
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayPricing.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayPricing.yaml
new file mode 100644
index 000000000..c9bf67f70
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ApplicationGatewayPricing.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ApplicationGatewayPricing
+title: Familiarize yourself with Application Gateway pricing
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: 30cbe437-b17d-45ad-a42e-a26bef6f4b77
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-AzureApplicationGatewayWebApplicationFirewall.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-AzureApplicationGatewayWebApplicationFirewall.yaml
new file mode 100644
index 000000000..65ef0e568
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-AzureApplicationGatewayWebApplicationFirewall.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureApplicationGatewayWebApplicationFirewall
+title: Familiarize yourself with Application Gateway pricing
+description: For information about Application Gateway pricing, see Understanding
+ Pricing for Azure Application Gateway and Web Application Firewall. You can also
+ leverage the Pricing calculator.Ensure that the options are adequately sized to
+ meet the capacity demand and deliver expected performance without wasting resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: 6f1432ef-61d2-4037-8f85-58e005d16b8c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ConsumptionMetricsDifferentParameters.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ConsumptionMetricsDifferentParameters.yaml
new file mode 100644
index 000000000..5d75e5e4d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ConsumptionMetricsDifferentParameters.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ConsumptionMetricsDifferentParameters
+title: Review consumption metrics across different parameters
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: 0ce550b6-f2ed-428c-b8c2-b224c065a0db
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-CurrentCapacityUnitsforMicrosoftCostManagement.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-CurrentCapacityUnitsforMicrosoftCostManagement.yaml
new file mode 100644
index 000000000..96c7d2f60
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-CurrentCapacityUnitsforMicrosoftCostManagement.yaml
@@ -0,0 +1,21 @@
+name: wafsg-CurrentCapacityUnitsforMicrosoftCostManagement
+title: Review consumption metrics across different parameters
+description: You're billed based on metered instances of Application Gateway based
+ on the metrics tracked by Azure. Evaluate the various metrics and capacity units
+ and determine the cost drivers. For more information, see Microsoft Cost Management
+ and Billing. The following metrics are key for Application Gateway. This information
+ can be used to validate that the provisioned instance count matches the amount of
+ incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units-
+ Current Capacity UnitsFor more information, see Application Gateway metrics.Make
+ sure you account for bandwidth costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: ac8bb190-71ba-48ec-9fef-351c1cd5501f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ScalePolicy.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ScalePolicy.yaml
new file mode 100644
index 000000000..d161e98d5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-ScalePolicy.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ScalePolicy
+title: Have a scale-in and scale-out policy
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: 96bcda1b-240a-4d4b-93fa-6872b549d711
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-UnderutilizedResources.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-UnderutilizedResources.yaml
new file mode 100644
index 000000000..4a55d5a9a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Cost/wafsg-UnderutilizedResources.yaml
@@ -0,0 +1,15 @@
+name: wafsg-UnderutilizedResources
+title: Review underutilized resources
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Cost
+severity: 1
+labels:
+ guid: 74ad737c-cbb8-4e91-84b7-2aa937b37ede
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafConfigurationNewRuleSetVersion.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafConfigurationNewRuleSetVersion.yaml
new file mode 100644
index 000000000..48de3eb62
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafConfigurationNewRuleSetVersion.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureApplicationGatewayWafConfigurationNewRuleSetVersion
+title: Define your Azure Application Gateway WAF configuration as code. By using code,
+ you can more easily adopt new rule set version and gain additional protection.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: ba0e9b26-6e0d-4ec8-8541-023c00afd5b7
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code
+queries: {}
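Review bot: This file has no `description` key at all, while the wafsg files above carry `description: ''` and the revcl Event Hub files carry full text; a consumer that does `reco['description']` will raise KeyError on this file but not on the others. Either emit `description: ''` consistently, or better, copy the guidance text from the linked best-practices section so the schema stays uniform. The same omission applies to the other revcl Operations files for Application Gateway in this diff (diagnostic settings, Sentinel, custom error pages, gateway-managed cookies, WAF policies).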
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafLogsDiagnosticSettings.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafLogsDiagnosticSettings.yaml
new file mode 100644
index 000000000..3449e9783
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafLogsDiagnosticSettings.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureApplicationGatewayWafLogsDiagnosticSettings
+title: Add diagnostic settings to save your Azure Application Gateway WAF logs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: f84106a2-2e9e-42ac-add6-d3416ecfed53
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafLogsMicrosoftSentinel.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafLogsMicrosoftSentinel.yaml
new file mode 100644
index 000000000..7c190088f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-AzureApplicationGatewayWafLogsMicrosoftSentinel.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureApplicationGatewayWafLogsMicrosoftSentinel
+title: Send Azure Application Gateway WAF logs to Microsoft Sentinel.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 92664c60-47e3-4591-8b1b-8d557656e686
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-CustomErrorPagesPersonalizedUserExperience.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-CustomErrorPagesPersonalizedUserExperience.yaml
new file mode 100644
index 000000000..87ee273a1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-CustomErrorPagesPersonalizedUserExperience.yaml
@@ -0,0 +1,15 @@
+name: revcl-CustomErrorPagesPersonalizedUserExperience
+title: Create custom error pages to display a personalized user experience
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 2
+labels:
+ guid: c8741f03-45a4-4183-a6b8-139e0773b8b5
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/custom-error
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-GatewayManagedCookiesUserSession.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-GatewayManagedCookiesUserSession.yaml
new file mode 100644
index 000000000..a3476355c
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-GatewayManagedCookiesUserSession.yaml
@@ -0,0 +1,16 @@
+name: revcl-GatewayManagedCookiesUserSession
+title: Use gateway-managed cookies to direct traffic from a user session to the same
+ server for processing
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: bb697864-1b4c-43af-8667-90cc69aaed5f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-LegacyWafConfigurationWafPolicies.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-LegacyWafConfigurationWafPolicies.yaml
new file mode 100644
index 000000000..2d3f2d517
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/revcl-LegacyWafConfigurationWafPolicies.yaml
@@ -0,0 +1,15 @@
+name: revcl-LegacyWafConfigurationWafPolicies
+title: Use WAF Policies instead of the legacy WAF configuration.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: f17ec301-8470-4afd-aabc-c1fdfe47dcc0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-ApplicationGatewayHighTrafficSupportApplicationGatewayCapacity.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-ApplicationGatewayHighTrafficSupportApplicationGatewayCapacity.yaml
new file mode 100644
index 000000000..542739741
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-ApplicationGatewayHighTrafficSupportApplicationGatewayCapacity.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ApplicationGatewayHighTrafficSupportApplicationGatewayCapacity
+title: Monitor capacity metrics
+description: Use these metrics as indicators of utilization of the provisioned Application
+ Gateway capacity. We strongly recommend setting up alerts on capacity. For details,
+ see Application Gateway high traffic support.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 14cdf40e-36a1-4947-90a3-3b833e2df9d3
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-AzureMonitorNetworkInsights.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-AzureMonitorNetworkInsights.yaml
new file mode 100644
index 000000000..7aea622df
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-AzureMonitorNetworkInsights.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureMonitorNetworkInsights
+title: Use Azure Monitor Network Insights
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 3b24c03f-1fab-436e-b45c-4b4838f9f01a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-AzureMonitorNetworkInsightsNetworkResources.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-AzureMonitorNetworkInsightsNetworkResources.yaml
new file mode 100644
index 000000000..980ab0514
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-AzureMonitorNetworkInsightsNetworkResources.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureMonitorNetworkInsightsNetworkResources
+title: Use Azure Monitor Network Insights
+description: Azure Monitor Network Insights provides a comprehensive view of health
+ and metrics for network resources, including Application Gateway. For additional
+ details and supported capabilities for Application Gateway, see Azure Monitor Network
+ insights.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 98530e65-c941-48d2-8ce7-55649e17a701
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-CapacityMetrics.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-CapacityMetrics.yaml
new file mode 100644
index 000000000..b90eb574a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-CapacityMetrics.yaml
@@ -0,0 +1,15 @@
+name: wafsg-CapacityMetrics
+title: Monitor capacity metrics
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 188b768d-c65f-46c8-b0a7-e7b288b0c15d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-DataPlaneRelatedProblemsIncorrectKeyVaultConfiguration.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-DataPlaneRelatedProblemsIncorrectKeyVaultConfiguration.yaml
new file mode 100644
index 000000000..48e1c4386
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-DataPlaneRelatedProblemsIncorrectKeyVaultConfiguration.yaml
@@ -0,0 +1,20 @@
+name: wafsg-DataPlaneRelatedProblemsIncorrectKeyVaultConfiguration
+title: Monitor Key Vault configuration issues using Azure Advisor
+description: Application Gateway checks for the renewed certificate version in the
+ linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect
+ Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation.
+ You must configure the Advisor alerts to stay updated and fix such issues immediately
+ to avoid any Control or Data plane related problems. For more information, see Investigating
+ and resolving key vault errors. To set an alert for this specific case, use the
+ Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 91366299-47be-4ee6-a9c1-adfa6b11beff
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-KeyVaultConfigurationIssuesAzureAdvisor.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-KeyVaultConfigurationIssuesAzureAdvisor.yaml
new file mode 100644
index 000000000..d3f5b9dc1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-KeyVaultConfigurationIssuesAzureAdvisor.yaml
@@ -0,0 +1,15 @@
+name: wafsg-KeyVaultConfigurationIssuesAzureAdvisor
+title: Monitor Key Vault configuration issues using Azure Advisor
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: b53da374-3be5-405b-b543-b104491fc2e5
+links: []
+queries: {}
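Review bot: `description: ''` on line 3 of this record leaves the entry with no actionable text, while `wafsg-DataPlaneRelatedProblemsIncorrectKeyVaultConfiguration` in the hunk just above carries the same `title` with the full description sourced from `./checklists-ext/wafsg_checklist.en.json`, so the two files look like one recommendation emitted twice from two sources. The same pattern (empty-description record from `well-architected/service-guides/azure-application-gateway.md` next to a populated record with an identical title) repeats for `wafsg-MatchTimeoutSettingsBackendApplication`, `wafsg-SnatPortLimitationsDesign`, `wafsg-WebApplicationFirewallApplicationGateway`, `wafsg-ApplicationGatewaySubnetSize`, `wafsg-MinimumInstanceCount`, `wafsg-MaximumInstanceCount`, `wafsg-DownstreamDependenciesHealthEndpoints`, `wafsg-HealthProbesBackendUnavailability` and `wafsg-RuleUpdatesPlan`. Presumably the markdown parser did not capture the body text under each heading; either the generator should fill `description` from the guide or dedupe on `title` before writing files, otherwise consumers of these YAML records will surface blank recommendations and double-count them. Note also that `source.timestamp` appears only on the markdown-derived records, so the two record shapes are not interchangeable for downstream tooling.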
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-LoadBalancerTcpResetMatchTimeoutSettings.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-LoadBalancerTcpResetMatchTimeoutSettings.yaml
new file mode 100644
index 000000000..bd4582bff
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-LoadBalancerTcpResetMatchTimeoutSettings.yaml
@@ -0,0 +1,18 @@
+name: wafsg-LoadBalancerTcpResetMatchTimeoutSettings
+title: Match timeout settings with the backend application
+description: Ensure you have configured the IdleTimeout settings to match the listener
+ and traffic characteristics of the backend application. The default value is set
+ to four minutes and can be configured to a maximum of 30. For more information,
+ see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring
+ application health for reliability.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 9dd45a04-f63b-4ba8-bb19-0fa074b57dcc
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-MatchTimeoutSettingsBackendApplication.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-MatchTimeoutSettingsBackendApplication.yaml
new file mode 100644
index 000000000..f5cc66c2a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-MatchTimeoutSettingsBackendApplication.yaml
@@ -0,0 +1,15 @@
+name: wafsg-MatchTimeoutSettingsBackendApplication
+title: Match timeout settings with the backend application
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 02610076-047b-4f48-9c50-0172c4bac957
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SameVirtualNetworkSnatPortLimitations.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SameVirtualNetworkSnatPortLimitations.yaml
new file mode 100644
index 000000000..58a274740
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SameVirtualNetworkSnatPortLimitations.yaml
@@ -0,0 +1,23 @@
+name: wafsg-SameVirtualNetworkSnatPortLimitations
+title: Consider SNAT port limitations in your design
+description: SNAT port limitations are important for backend connections on the Application
+ Gateway. There are separate factors that affect how Application Gateway reaches
+ the SNAT port limit. For example, if the backend is a public IP address, it will
+ require its own SNAT port. In order to avoid SNAT port limitations, you can increase
+ the number of instances per Application Gateway, scale out the backends to have
+ more IP addresses, or move your backends into the same virtual network and use private
+ IP addresses for the backends.Requests per second (RPS) on the Application Gateway
+ will be affected if the SNAT port limit is reached. For example, if an Application
+ Gateway reaches the SNAT port limit, then it won't be able to open a new connection
+ to the backend, and the request will fail.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 9bb30e02-43fd-4ed2-9189-c9a23ae9933f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SnatPortLimitations.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SnatPortLimitations.yaml
new file mode 100644
index 000000000..749414f9f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SnatPortLimitations.yaml
@@ -0,0 +1,15 @@
+name: wafsg-SnatPortLimitations
+title: Configure and monitor SNAT port limitations
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: d32ea6dc-3993-4536-b570-bc4d0236a136
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SnatPortLimitationsDesign.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SnatPortLimitationsDesign.yaml
new file mode 100644
index 000000000..e4cbca03f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-SnatPortLimitationsDesign.yaml
@@ -0,0 +1,15 @@
+name: wafsg-SnatPortLimitationsDesign
+title: Consider SNAT port limitations in your design
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: fa9b6a56-3144-4d79-b409-8fc896c4ba76
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-UnhealthyHostCountResponseStatusBackendLastByteResponseTime.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-UnhealthyHostCountResponseStatusBackendLastByteResponseTime.yaml
new file mode 100644
index 000000000..1afbfaa13
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-UnhealthyHostCountResponseStatusBackendLastByteResponseTime.yaml
@@ -0,0 +1,18 @@
+name: wafsg-UnhealthyHostCountResponseStatusBackendLastByteResponseTime
+title: Troubleshoot using metrics
+description: There are other metrics that can indicate issues either at Application
+ Gateway or the backend. We recommend evaluating the following alerts:- Unhealthy
+ Host Count- Response Status (dimension 4xx and 5xx)- Backend Response Status (dimension
+ 4xx and 5xx)- Backend Last Byte Response Time- Application Gateway Total TimeFor
+ more information, see Metrics for Application Gateway.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 00ddc7ab-c60b-4249-92e0-939a99ac890c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-WebApplicationFirewallApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-WebApplicationFirewallApplicationGateway.yaml
new file mode 100644
index 000000000..92ffa1f7e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-WebApplicationFirewallApplicationGateway.yaml
@@ -0,0 +1,15 @@
+name: wafsg-WebApplicationFirewallApplicationGateway
+title: Enable diagnostics on Application Gateway and Web Application Firewall (WAF)
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: 63eb295f-ef20-4749-a576-fbbdd528d093
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-WebApplicationFirewallApplicationGatewayInstances.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-WebApplicationFirewallApplicationGatewayInstances.yaml
new file mode 100644
index 000000000..7567a5450
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Operations/wafsg-WebApplicationFirewallApplicationGatewayInstances.yaml
@@ -0,0 +1,17 @@
+name: wafsg-WebApplicationFirewallApplicationGatewayInstances
+title: Enable diagnostics on Application Gateway and Web Application Firewall (WAF)
+description: Diagnostic logs allow you to view firewall logs, performance logs, and
+ access logs. Use these logs to manage and troubleshoot issues with Application Gateway
+ instances. For more information, see Back-end health and diagnostic logs for Application
+ Gateway.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Operations
+severity: 1
+labels:
+ guid: ee3b1f28-7d23-484a-a721-a0e0da65aed8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/revcl-GlobalWebTrafficRoutingQuickGlobalFailover.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/revcl-GlobalWebTrafficRoutingQuickGlobalFailover.yaml
new file mode 100644
index 000000000..3ca1fe2b2
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/revcl-GlobalWebTrafficRoutingQuickGlobalFailover.yaml
@@ -0,0 +1,16 @@
+name: revcl-GlobalWebTrafficRoutingQuickGlobalFailover
+title: Configure Front Door to optimize global web traffic routing and top-tier end-user
+ performance, and reliability through quick global failover
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: eadc3164-4a0f-461c-85f1-1a372c04dfd1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/front-door-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/revcl-TransportLayerLoadBalancing.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/revcl-TransportLayerLoadBalancing.yaml
new file mode 100644
index 000000000..eb9f1eda6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/revcl-TransportLayerLoadBalancing.yaml
@@ -0,0 +1,15 @@
+name: revcl-TransportLayerLoadBalancing
+title: Use transport layer load balancing
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: 29dcc19f-a8fa-4c35-8281-290577538793
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/load-balancer/load-balancer-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewayInstanceCount.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewayInstanceCount.yaml
new file mode 100644
index 000000000..bb9a725bf
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewayInstanceCount.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ApplicationGatewayInstanceCount
+title: Estimate the Application Gateway instance count
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: 63dd2b1b-6076-46c9-8b80-54a255b77f49
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewaySubnetSize.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewaySubnetSize.yaml
new file mode 100644
index 000000000..2a3e70860
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewaySubnetSize.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ApplicationGatewaySubnetSize
+title: Define Application Gateway subnet size
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: 0e38111f-c642-46ca-a2a0-72d5eb520cab
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewayVFeaturesPerformanceBenefits.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewayVFeaturesPerformanceBenefits.yaml
new file mode 100644
index 000000000..94f489065
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-ApplicationGatewayVFeaturesPerformanceBenefits.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ApplicationGatewayVFeaturesPerformanceBenefits
+title: Take advantage of Application Gateway V2 features for autoscaling and performance
+ benefits
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: 66695955-0890-4f69-ab88-292a6c641558
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-AverageCurrentComputeUnitsApplicationGatewayVSku.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-AverageCurrentComputeUnitsApplicationGatewayVSku.yaml
new file mode 100644
index 000000000..8c0144553
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-AverageCurrentComputeUnitsApplicationGatewayVSku.yaml
@@ -0,0 +1,24 @@
+name: wafsg-AverageCurrentComputeUnitsApplicationGatewayVSku
+title: Define the minimum instance count
+description: For Application Gateway v2 SKU, autoscaling takes some time (approximately
+ six to seven minutes) before the additional set of instances is ready to serve traffic.
+ During that time, if there are short spikes in traffic, expect transient latency
+ or loss of traffic.We recommend that you set your minimum instance count to an optimal
+ level. After you estimate the average instance count and determine your Application
+ Gateway autoscaling trends, define the minimum instance count based on your application
+ patterns. For information, see Application Gateway high traffic support.Check the
+ Current Compute Units for the past one month. This metric represents the gateway's
+ CPU utilization. To define the minimum instance count, divide the peak usage by
+ 10. For example, if your average Current Compute Units in the past month is 50,
+ set the minimum instance count to five.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: af6f1096-14f3-465c-8691-b15cf5361942
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-MaximumInstanceCount.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-MaximumInstanceCount.yaml
new file mode 100644
index 000000000..274764fec
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-MaximumInstanceCount.yaml
@@ -0,0 +1,15 @@
+name: wafsg-MaximumInstanceCount
+title: Define the maximum instance count
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: adb085fc-433d-4bde-815d-77486524d8a3
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-MinimumInstanceCount.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-MinimumInstanceCount.yaml
new file mode 100644
index 000000000..111f2cb83
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-MinimumInstanceCount.yaml
@@ -0,0 +1,15 @@
+name: wafsg-MinimumInstanceCount
+title: Define the minimum instance count
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: 33ae0084-c64e-471f-aef1-c84a5cf77d5d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-OtherApplicationGatewayResourcesOnePrivateIpAddress.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-OtherApplicationGatewayResourcesOnePrivateIpAddress.yaml
new file mode 100644
index 000000000..a04d7f7a0
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-OtherApplicationGatewayResourcesOnePrivateIpAddress.yaml
@@ -0,0 +1,26 @@
+name: wafsg-OtherApplicationGatewayResourcesOnePrivateIpAddress
+title: Define Application Gateway subnet size
+description: Application Gateway needs a dedicated subnet within a virtual network.
+ The subnet can have multiple instances of the deployed Application Gateway resource.
+ You can also deploy other Application Gateway resources in that subnet, v1 or v2
+ SKU.Here are some considerations for defining the subnet size:- Application Gateway
+ uses one private IP address per instance and another private IP address if a private
+ front-end IP is configured.- Azure reserves five IP addresses in each subnet for
+ internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances.
+ Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum
+ subnet size of /26 is recommended. Because the Standard_v2 or WAF_v2 SKU can support
+ up to 125 instances, using the same calculation, a subnet size of /24 is recommended.-
+ If you want to deploy additional Application Gateway resources in the same subnet,
+ consider the additional IP addresses that will be required for their maximum instance
+ count for both, Standard and Standard v2.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: 6d9985b2-103c-4b47-82b9-148e22af311b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-SufficientAvailableIpAddressesMaximumAutoscaleInstanceCount.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-SufficientAvailableIpAddressesMaximumAutoscaleInstanceCount.yaml
new file mode 100644
index 000000000..9603ed2e9
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-SufficientAvailableIpAddressesMaximumAutoscaleInstanceCount.yaml
@@ -0,0 +1,17 @@
+name: wafsg-SufficientAvailableIpAddressesMaximumAutoscaleInstanceCount
+title: Define the maximum instance count
+description: We recommend 125 as the maximum autoscale instance count. Make sure the
+ subnet that has the Application Gateway has sufficient available IP addresses to
+ support the scale-up set of instances.Setting the maximum instance count to 125
+ has no cost implications because you're billed only for the consumed capacity.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: e1a91738-8def-4c1e-83ce-cd7dac9c986a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-VSkuApplicationGatewayWebApplicationFirewall.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-VSkuApplicationGatewayWebApplicationFirewall.yaml
new file mode 100644
index 000000000..626ed4707
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Performance/wafsg-VSkuApplicationGatewayWebApplicationFirewall.yaml
@@ -0,0 +1,21 @@
+name: wafsg-VSkuApplicationGatewayWebApplicationFirewall
+title: Take advantage of features for autoscaling and performance benefits
+description: The v2 SKU offers autoscaling to ensure that your Application Gateway
+ can scale up as traffic increases. When compared to v1 SKU, v2 has capabilities
+ that enhance the performance of the workload. For example, better TLS offload performance,
+ quicker deployment and update times, zone redundancy, and more. For more information
+ about autoscaling features, see Scaling Application Gateway v2 and WAF v2.If you
+ are running v1 SKU Application gateway, consider migrating to the Application gateway
+ v2 SKU. For more information, see Migrate Azure Application Gateway and Web Application
+ Firewall from v1 to v2.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Performance
+severity: 1
+labels:
+ guid: 22740e5f-f63b-4b82-8629-fb9d4fd74c36
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/revcl-ApplicationGatewayAvailabilityZones.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/revcl-ApplicationGatewayAvailabilityZones.yaml
new file mode 100644
index 000000000..c6d8e63b5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/revcl-ApplicationGatewayAvailabilityZones.yaml
@@ -0,0 +1,19 @@
+name: revcl-ApplicationGatewayAvailabilityZones
+title: Deploy Application Gateway across Availability Zones
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 060c6964-52b5-48db-af8b-83e4b2d85349
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries:
+ arg: resources | where type =~ 'microsoft.network/applicationGateways' | extend
+ compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/revcl-MinimumAmountAutoscaling.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/revcl-MinimumAmountAutoscaling.yaml
new file mode 100644
index 000000000..f00da8569
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/revcl-MinimumAmountAutoscaling.yaml
@@ -0,0 +1,20 @@
+name: revcl-MinimumAmountAutoscaling
+title: Configure autoscaling with a minimum amount of instances of two.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 135bf4ac-f9db-461f-b76b-2ee9e30b12c0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries:
+ arg: resources | where type =~ 'microsoft.network/applicationGateways' | extend
+ compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity
+ >= 2) | distinct id,compliant
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ApplicationGatewayBackendPool.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ApplicationGatewayBackendPool.yaml
new file mode 100644
index 000000000..cbe95cb0f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ApplicationGatewayBackendPool.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ApplicationGatewayBackendPool
+title: Plan for rule updates
+description: Plan enough time for updates before accessing Application Gateway or
+ making further changes. For example, removing servers from backend pool might take
+ some time because they have to drain existing connections.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 67b006ed-a8b2-4f66-806b-ed9d83f94982
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ApplicationGatewayInstanceShortTransientFailures.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ApplicationGatewayInstanceShortTransientFailures.yaml
new file mode 100644
index 000000000..5c1ecfdb4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ApplicationGatewayInstanceShortTransientFailures.yaml
@@ -0,0 +1,22 @@
+name: wafsg-ApplicationGatewayInstanceShortTransientFailures
+title: Review the impact of the interval and threshold settings on health probes
+description: The health probe sends requests to the configured endpoint at a set interval.
+ Also, there's a threshold of failed requests that will be tolerated before the backend
+ is marked unhealthy. These numbers present a trade-off.- Setting a higher interval
+ puts a higher load on your service. Each Application Gateway instance sends its
+ own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.-
+ Setting a lower interval leaves more time before an outage is detected.- Setting
+ a low unhealthy threshold might mean that short, transient failures might take down
+ a backend. - Setting a high threshold it can take longer to take a backend out of
+ rotation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 1690d11b-f93e-4bc4-9db3-25e56a9b2699
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-AzureApplicationGatewayNewDeployments.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-AzureApplicationGatewayNewDeployments.yaml
new file mode 100644
index 000000000..75c920d78
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-AzureApplicationGatewayNewDeployments.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureApplicationGatewayNewDeployments
+title: In new deployments, use Azure Application Gateway v2 unless there is a compelling
+ reason to use Azure Application Gateway v1.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 1b30c500-4ccd-4608-be41-d21c58fb0bb4
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-AzureFrontDoorApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-AzureFrontDoorApplicationGateway.yaml
new file mode 100644
index 000000000..b860f6caf
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-AzureFrontDoorApplicationGateway.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureFrontDoorApplicationGateway
+title: When using Azure Front Door and Application Gateway to protect `HTTP/S` applications,
+ use WAF policies in Front Door and lock down Application Gateway to receive traffic
+ only from Azure Front Door.
+description: Certain scenarios can force you to implement rules specifically on Application
+ Gateway. For example, if ModSec CRS 2.2.9, CRS 3.0 or CRS 3.1 rules are required,
+ these rules can be only implemented on Application Gateway. Conversely, rate-limiting
+ and geo-filtering are available only on Azure Front Door, not on AppGateway.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: f3b0ac39-7b7c-4fea-a540-6aa367afbc12
+links: []
+queries: {}
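Review bot: `waf: Reliability` on this record looks misfiled: the title is an ingress-hardening control (WAF policies on Front Door, Application Gateway locked down to accept traffic only from Front Door) and the description is about where WAF rule sets can be enforced, which is Security pillar material. The pillar may simply be inherited from the section of the source guide this was scraped from, so confirm against the guide before changing it to `waf: Security`. It also ships with `queries: {}`, so this control is documentation-only and nothing in the repo can flag a gateway that is still reachable from the public internet alongside Front Door; if an ARG query is added later it should be owned by whoever curates the Security pillar checks.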
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-DirectDependencyCallHealthEndpoints.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-DirectDependencyCallHealthEndpoints.yaml
new file mode 100644
index 000000000..df294555e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-DirectDependencyCallHealthEndpoints.yaml
@@ -0,0 +1,22 @@
+name: wafsg-DirectDependencyCallHealthEndpoints
+title: Verify downstream dependencies through health endpoints
+description: Suppose each backend has its own dependencies to ensure failures are
+ isolated. For example, an application hosted behind Application Gateway might have
+ multiple backends, each connected to a different database (replica). When such a
+ dependency fails, the application might be working but won't return valid results.
+ For that reason, the health endpoint should ideally validate all dependencies. Keep
+ in mind that if each call to the health endpoint has a direct dependency call, that
+ database would receive 100 queries every 30 seconds instead of 1. To avoid this,
+ the health endpoint should cache the state of the dependencies for a short period
+ of time.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: f5d846c8-9341-4a57-a77e-ccf4e9818c7f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-DownstreamDependenciesHealthEndpoints.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-DownstreamDependenciesHealthEndpoints.yaml
new file mode 100644
index 000000000..bd1d40969
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-DownstreamDependenciesHealthEndpoints.yaml
@@ -0,0 +1,15 @@
+name: wafsg-DownstreamDependenciesHealthEndpoints
+title: Verify downstream dependencies through health endpoints
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: cdc7160c-bc9d-40d9-ba43-bc9fa804c8c6
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-HealthProbesBackendUnavailability.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-HealthProbesBackendUnavailability.yaml
new file mode 100644
index 000000000..1bb811c0d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-HealthProbesBackendUnavailability.yaml
@@ -0,0 +1,15 @@
+name: wafsg-HealthProbesBackendUnavailability
+title: Use health probes to detect backend unavailability
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: ca9df7df-8e89-4216-b9a2-0384af19938d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-MultipleBackendInstancesBackendUnavailability.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-MultipleBackendInstancesBackendUnavailability.yaml
new file mode 100644
index 000000000..1654944ca
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-MultipleBackendInstancesBackendUnavailability.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MultipleBackendInstancesBackendUnavailability
+title: Use health probes to detect backend unavailability
+description: If Application Gateway is used to load balance incoming traffic over
+ multiple backend instances, we recommend the use of health probes. These will ensure
+ that traffic is not routed to backends that are unable to handle the traffic.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 6dcb1632-2ca3-411f-8555-69d689b8054f
+links: []
+queries: {}
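Review bot: This item duplicates `wafsg-HealthProbesBackendUnavailability` (identical title, resource type and pillar) under a second GUID `6dcb1632-…`, because the same guidance is imported once from `./checklists-ext/wafsg_checklist.en.json` and once from the service-guide markdown. Two GUIDs for one control means the finding is counted twice in any score and a status tracked against the guid diverges between the copies. The same pattern appears for the "capacity changes when enabling WAF" and "refrain from using UDRs" pairs elsewhere in this diff. Prefer keeping the copy that carries a description and dropping or marking the other as superseded, or de-duplicate on normalized title in the importer before files are written.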
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-RuleUpdatesPlan.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-RuleUpdatesPlan.yaml
new file mode 100644
index 000000000..ac5b84357
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-RuleUpdatesPlan.yaml
@@ -0,0 +1,15 @@
+name: wafsg-RuleUpdatesPlan
+title: Plan for rule updates
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 174a65f5-51ca-483e-937f-9096d4468afa
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ThresholdSettingsHealthProbes.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ThresholdSettingsHealthProbes.yaml
new file mode 100644
index 000000000..8c7353464
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ThresholdSettingsHealthProbes.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ThresholdSettingsHealthProbes
+title: Review the impact of the interval and threshold settings on health probes
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 9754bccf-e2a5-4b36-9bca-058ec0a08fff
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-UseApplicationGatewayWebApplicationFirewall.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-UseApplicationGatewayWebApplicationFirewall.yaml
new file mode 100644
index 000000000..1272e7778
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-UseApplicationGatewayWebApplicationFirewall.yaml
@@ -0,0 +1,16 @@
+name: wafsg-UseApplicationGatewayWebApplicationFirewall
+title: Use Application Gateway with Web Application Firewall (WAF) within a virtual
+ network to protect inbound `HTTP/S` traffic from the Internet.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 56195bba-5bc2-4f00-976e-f2734b46fe2b
+links: []
+queries: {}
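Review bot: `waf: Reliability` looks wrong for an item whose whole point is protecting inbound HTTP/S traffic with a WAF; that is a Security control, and anyone filtering the checklist by the Security pillar will not see it. If the pillar was taken from the section the item sits under in the service guide, confirm that against the guide; otherwise change it to `waf: Security`. With `description: ''` and `links: []` there is nothing in the file itself to settle the question, which is one more reason to populate them.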
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ZoneAwareConfigurationInstances.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ZoneAwareConfigurationInstances.yaml
new file mode 100644
index 000000000..7374ac748
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Reliability/wafsg-ZoneAwareConfigurationInstances.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ZoneAwareConfigurationInstances
+title: Deploy the instances in a zone-aware configuration, where available.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: dc6efb36-f70f-41ed-aaf2-f8667781c123
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewayNativeSupport.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewayNativeSupport.yaml
new file mode 100644
index 000000000..1b40d57a4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewayNativeSupport.yaml
@@ -0,0 +1,15 @@
+name: revcl-ApplicationGatewayNativeSupport
+title: Use Application Gateway for native support for WebSocket and HTTP/2 protocols
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 2
+labels:
+ guid: fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewaySubnetInboundTraffic.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewaySubnetInboundTraffic.yaml
new file mode 100644
index 000000000..8a3bbf7aa
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewaySubnetInboundTraffic.yaml
@@ -0,0 +1,16 @@
+name: revcl-ApplicationGatewaySubnetInboundTraffic
+title: Filter inbound traffic in the backends so that they only accept connections
+ from the Application Gateway subnet, for example with NSGs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: d4eb8667-f8cb-4cdd-94e6-2f967ba98f88
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewayVSku.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewayVSku.yaml
new file mode 100644
index 000000000..63793cd5b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewayVSku.yaml
@@ -0,0 +1,19 @@
+name: revcl-ApplicationGatewayVSku
+title: Ensure you are using Application Gateway v2 SKU
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 553585a6-abe0-11ed-afa1-0242ac120002
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/overview-v2
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries:
+ arg: resources | where type == 'microsoft.network/applicationgateways' | project
+ id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewaysIpPrefixes.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewaysIpPrefixes.yaml
new file mode 100644
index 000000000..9c1c47f87
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ApplicationGatewaysIpPrefixes.yaml
@@ -0,0 +1,27 @@
+name: revcl-ApplicationGatewaysIpPrefixes
+title: Your Application Gateways v2 should be deployed in subnets with IP prefixes
+ equal or larger than /24
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: dfc50f87-3800-424c-937b-ed5f186e7c15
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries:
+ arg: resources | where type=='microsoft.network/applicationgateways' | extend subnetId
+ = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project
+ id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks'
+ | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes
+ | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix,
+ prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix
+ = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix,
+ '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength
+ == 64) | distinct id,compliant
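Review bot: `subnetPrefixLength` comes from `split(prefix, '/')[1]`, which is a dynamic string such as `"24"`, and it is then compared with the numbers `24` and `64`; without an explicit conversion the comparison is string-versus-integer and `compliant` may not evaluate as intended. Convert it where it is built: `| extend subnetPrefixLength = toint(split(prefix, '/')[1])`. Separately, a dual-stack subnet expands into one row per prefix through `mv-expand prefix2`, so the same gateway id can come out with both a `true` and a `false` row; aggregating per gateway, e.g. `| summarize compliant = (countif(compliant == false) == 0) by id` in place of `distinct id,compliant`, gives one verdict per resource.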
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafBotProtectionRuleBotRules.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafBotProtectionRuleBotRules.yaml
new file mode 100644
index 000000000..ff31805a3
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafBotProtectionRuleBotRules.yaml
@@ -0,0 +1,21 @@
+name: revcl-AzureApplicationGatewayWafBotProtectionRuleBotRules
+title: Enable the Azure Application Gateway WAF bot protection rule set The bot rules
+ detect good and bad bots.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: 2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection
+queries:
+ arg: resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies'
+ | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype
+ = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype
+ == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant
+ = max(compliant1) by id
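Review bot: The query `mv-expand`s `properties.managedRules.managedRuleSets`, so a WAF policy whose rule-set array is empty may produce no row at all and therefore never be reported as non-compliant, which is precisely the case this check most needs to catch (confirm mv-expand's behaviour on an empty array). A form that needs no expansion sidesteps the question: `| extend compliant = (tostring(properties.managedRules.managedRuleSets) has 'Microsoft_BotManagerRuleSet') | project id, compliant`. Note also that `id` here is the WAF policy id while `resourceTypes` lists `microsoft.network/applicationgateways`, so the verdict is not keyed on the gateway the rest of the checklist evaluates; mapping through `properties.firewallPolicy.id` on the gateway side would align it.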
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafFalsePositiveDetections.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafFalsePositiveDetections.yaml
new file mode 100644
index 000000000..6fefc88c6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafFalsePositiveDetections.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureApplicationGatewayWafFalsePositiveDetections
+title: Tune the Azure Application Gateway WAF for your workload. Reduce false positive
+ detections.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: a4dd86d3-5ffa-408c-b660-cce073d085b8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafLargeAmounts.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafLargeAmounts.yaml
new file mode 100644
index 000000000..07b0e4231
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafLargeAmounts.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureApplicationGatewayWafLargeAmounts
+title: Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks
+ clients accidentally or intentionally sending large amounts of traffic in a short
+ period of time.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 43fae595-8a32-4299-a69e-0f32c454dcc9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafPolicyBodyInspectionFeature.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafPolicyBodyInspectionFeature.yaml
new file mode 100644
index 000000000..158d693fb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafPolicyBodyInspectionFeature.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureApplicationGatewayWafPolicyBodyInspectionFeature
+title: Enable request body inspection feature enabled in Azure Application Gateway
+ WAF policy.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: 8ea8e0d4-84e8-4b33-aeab-493f6391b4d6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafRateLimitsHighRateLimitThresholds.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafRateLimitsHighRateLimitThresholds.yaml
new file mode 100644
index 000000000..81e410d69
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafRateLimitsHighRateLimitThresholds.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureApplicationGatewayWafRateLimitsHighRateLimitThresholds
+title: 'Use a high threshold for Azure Application Gateway WAF rate limits. High rate
+ limit thresholds avoid blocking legitimate traffic, while still providing protection
+ against extremely high numbers of requests that might overwhelm your infrastructure. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 041e0ad8-7b12-4694-a0b7-a0e25ee2470f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafUnknownZzLocation.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafUnknownZzLocation.yaml
new file mode 100644
index 000000000..3ca3d194f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzureApplicationGatewayWafUnknownZzLocation.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureApplicationGatewayWafUnknownZzLocation
+title: Specify the unknown (ZZ) location when geo-filtering traffic with the Azure
+ Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP
+ addresses can't be geo-matched.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 349a15c1-52f4-4319-9078-3895d95ecafd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzurePaasServicesControlPlaneTraffic.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzurePaasServicesControlPlaneTraffic.yaml
new file mode 100644
index 000000000..26442240b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-AzurePaasServicesControlPlaneTraffic.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzurePaasServicesControlPlaneTraffic
+title: Ensure that control-plane communication for Azure PaaS services injected into
+ a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule
+ that blocks control plane traffic.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: d301d6e8-72e5-42e3-911c-c58b5a4b1511
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-BackendServersTraffic.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-BackendServersTraffic.yaml
new file mode 100644
index 000000000..e00ef5b97
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-BackendServersTraffic.yaml
@@ -0,0 +1,15 @@
+name: revcl-BackendServersTraffic
+title: You should encrypt traffic to the backend servers.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: a66f0fd8-2ca4-422e-8df3-235148127ca2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/ssl-overview
+queries: {}
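Review bot: This severity-0 item ships with `queries: {}` although the property it depends on is visible in Resource Graph: each entry of `backendHttpSettingsCollection` carries a `protocol` of `Http` or `Https`. A check such as `resources | where type == 'microsoft.network/applicationgateways' | mv-expand s = properties.backendHttpSettingsCollection | summarize compliant = (countif(tostring(s.properties.protocol) != 'Https') == 0) by id` would flag any gateway with a plaintext backend setting. The property names are taken from the ARM schema; confirm them against a live query before relying on the result.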
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-GeographicalRegionsExpectedCountries-1.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-GeographicalRegionsExpectedCountries-1.yaml
new file mode 100644
index 000000000..e7b014a17
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-GeographicalRegionsExpectedCountries-1.yaml
@@ -0,0 +1,16 @@
+name: revcl-GeographicalRegionsExpectedCountries-1
+title: If you are not expecting traffic from all geographical regions, use geo-filters
+ to block traffic from non-expected countries.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 2
+labels:
+ guid: 99937189-ff78-492a-b9ca-18d828d82b37
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-Http.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-Http.yaml
new file mode 100644
index 000000000..0cc1ca294
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-Http.yaml
@@ -0,0 +1,15 @@
+name: revcl-Http
+title: Redirect HTTP to HTTPS
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 0158fcb6-0bc1-4687-832f-cc7c359c22d2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/redirect-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-HttpRequestsResponseHeaders.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-HttpRequestsResponseHeaders.yaml
new file mode 100644
index 000000000..b9802cdf5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-HttpRequestsResponseHeaders.yaml
@@ -0,0 +1,16 @@
+name: revcl-HttpRequestsResponseHeaders
+title: Edit HTTP requests and response headers for easier routing and information
+ exchange between the client and server
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: f850d46f-f5d7-4b17-b48c-a780741402e1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-InboundHttpSConnectionsLandingZoneVirtualNetwork.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-InboundHttpSConnectionsLandingZoneVirtualNetwork.yaml
new file mode 100644
index 000000000..796379200
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-InboundHttpSConnectionsLandingZoneVirtualNetwork.yaml
@@ -0,0 +1,23 @@
+name: revcl-InboundHttpSConnectionsLandingZoneVirtualNetwork
+title: Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound
+ HTTP(S) connections within the landing-zone virtual network and with the apps that
+ they're securing.
+description: Administration of reverse proxies in general and WAF in particular is
+ closer to the application than to networking, so they belong in the same subscription
+ as the app. Centralizing the Application Gateway and WAF in the connectivity subscription
+ might be OK if it is managed by one single team.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 48b662d6-d15f-4512-a654-98f6dfe237de
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-IpProtectionPlansPublicIpAddresses-1.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-IpProtectionPlansPublicIpAddresses-1.yaml
new file mode 100644
index 000000000..40b213439
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-IpProtectionPlansPublicIpAddresses-1.yaml
@@ -0,0 +1,18 @@
+name: revcl-IpProtectionPlansPublicIpAddresses-1
+title: Use a DDoS Network or IP protection plans for all Public IP addresses in application
+ landing zones.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: f109e1f3-c79b-4f14-82de-6b5c22314d08
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-LatestAzureApplicationGatewayWafRuleSetVersionRuleSetUpdates.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-LatestAzureApplicationGatewayWafRuleSetVersionRuleSetUpdates.yaml
new file mode 100644
index 000000000..9b51a3a5a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-LatestAzureApplicationGatewayWafRuleSetVersionRuleSetUpdates.yaml
@@ -0,0 +1,16 @@
+name: revcl-LatestAzureApplicationGatewayWafRuleSetVersionRuleSetUpdates
+title: Use the latest Azure Application Gateway WAF rule set version. Rule set updates
+ are regularly updated to take account of the current threat landscape.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 6c19dfd5-a61c-436c-9001-491b9b3d0228
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-MultipleWebApplicationsDomainName.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-MultipleWebApplicationsDomainName.yaml
new file mode 100644
index 000000000..81f07584d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-MultipleWebApplicationsDomainName.yaml
@@ -0,0 +1,16 @@
+name: revcl-MultipleWebApplicationsDomainName
+title: Configure routing based on host or domain name for multiple web applications
+ on a single gateway
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 276898c1-af5e-4819-9e8e-049c7801ab9d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/multiple-site-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ServiceUpdatesExistingMembrs.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ServiceUpdatesExistingMembrs.yaml
new file mode 100644
index 000000000..d7dfeee94
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-ServiceUpdatesExistingMembrs.yaml
@@ -0,0 +1,16 @@
+name: revcl-ServiceUpdatesExistingMembrs
+title: Enable connection draining during planned service updates to prevent connection
+ loss to existing membrs of the backend pool
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: ff353ad8-15fb-4ae8-9fc5-a85a36d36a35
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/configuration-http-settings
+queries: {}
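Review bot: `membrs` in the title is a typo for `members`, and because `name` and the file name were derived from the title (`ServiceUpdatesExistingMembrs`), correcting only the title would leave the identifier inconsistent; fix both in the source checklist so the next import regenerates them together. Connection draining is also a reliability behaviour rather than a security control, so `waf: Security` with `severity: 0` is worth a second look against the source entry.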
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-SslCertificateManagementBackendServerFarm.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-SslCertificateManagementBackendServerFarm.yaml
new file mode 100644
index 000000000..499d6c023
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-SslCertificateManagementBackendServerFarm.yaml
@@ -0,0 +1,16 @@
+name: revcl-SslCertificateManagementBackendServerFarm
+title: Centralize SSL certificate management to reduce encryption and decryption overhead
+ from a backend server farm
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 5fe365b6-58e8-47ed-a8cf-5163850380a2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/application-gateway/create-ssl-portal
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-WafPolicyApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-WafPolicyApplicationGateway.yaml
new file mode 100644
index 000000000..f4966b001
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-WafPolicyApplicationGateway.yaml
@@ -0,0 +1,22 @@
+name: revcl-WafPolicyApplicationGateway
+title: Deploy your WAF policy for Application Gateway in 'Prevention' mode.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: baf8e317-2397-4d49-b3d1-0dcc16d8778d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings
+queries:
+ arg: resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies'
+ | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks,
+ enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode
+ | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy,
+ '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3),
+ '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')),
+ enabledState, mode
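Review bot: The `arg` query filters on `microsoft.network/frontdoorwebapplicationfirewallpolicies` and the doc link points at the Front Door (`afds`) policy-settings page, yet this item targets `microsoft.network/applicationgateways` and its title is about the Application Gateway WAF policy. As written it never examines an Application Gateway WAF policy, so a gateway whose WAF is left in Detection mode yields no row instead of a non-compliant one — a silent gap in a severity-0 check. The Application Gateway policy type is the one already used by the bot-protection item in this diff, e.g. `resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | project id, compliant = (tostring(properties.policySettings.state) == 'Enabled' and tostring(properties.policySettings.mode) == 'Prevention')`; confirm the `policySettings` field names against the ARM schema. The link should likewise point at the Application Gateway WAF documentation rather than the Front Door page.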
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-WebApplicationFirewall.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-WebApplicationFirewall.yaml
new file mode 100644
index 000000000..4971ee7e5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/revcl-WebApplicationFirewall.yaml
@@ -0,0 +1,15 @@
+name: revcl-WebApplicationFirewall
+title: You should use a Web Application Firewall.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 0
+labels:
+ guid: 3dba65cb-834d-44d8-a3ca-a6aa2f1587be
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/overview
+queries: {}
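Review bot: `queries: {}` on a severity-0 "use a WAF" item leaves the most basic check unautomated although the SKU tier is directly visible: `resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = (tostring(properties.sku.tier) startswith 'WAF')`, assuming the tier values are the usual `Standard`/`WAF`/`Standard_v2`/`WAF_v2` — confirm before wiring it in. This only establishes that the gateway can run a WAF; whether a policy is attached and in Prevention mode is covered by a separate item, so keep the two checks distinct rather than folding them together.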
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewayCapacityChangesApplicationGatewayCapacityRequirements.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewayCapacityChangesApplicationGatewayCapacityRequirements.yaml
new file mode 100644
index 000000000..3f896ca0a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewayCapacityChangesApplicationGatewayCapacityRequirements.yaml
@@ -0,0 +1,19 @@
+name: wafsg-ApplicationGatewayCapacityChangesApplicationGatewayCapacityRequirements
+title: Be aware of Application Gateway capacity changes when enabling WAF
+description: When WAF is enabled, every request must be buffered by the Application
+ Gateway until it fully arrives, checks if the request matches with any rule violation
+ in its core rule set, and then forwards the packet to the backend instances. When
+ there are large file uploads (30MB+ in size), it can result in a significant latency.
+ Because Application Gateway capacity requirements are different with WAF, we do
+ not recommend enabling WAF on Application Gateway without proper testing and validation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: fb24f724-e47b-46ec-a3cb-426fe159fdbf
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewayCapacityChangesWaf.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewayCapacityChangesWaf.yaml
new file mode 100644
index 000000000..69b218a10
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewayCapacityChangesWaf.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ApplicationGatewayCapacityChangesWaf
+title: Be aware of Application Gateway capacity changes when enabling WAF
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 1c10e986-48da-4cf8-acd6-2a7f7c940735
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewaySubnetUdrs.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewaySubnetUdrs.yaml
new file mode 100644
index 000000000..68113c1e6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewaySubnetUdrs.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ApplicationGatewaySubnetUdrs
+title: Refrain from using UDRs on the Application Gateway subnet
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 4890a129-6456-48e0-843c-195848a1eeea
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewaySubnetUserDefinedRoutes.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewaySubnetUserDefinedRoutes.yaml
new file mode 100644
index 000000000..33387c424
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-ApplicationGatewaySubnetUserDefinedRoutes.yaml
@@ -0,0 +1,20 @@
+name: wafsg-ApplicationGatewaySubnetUserDefinedRoutes
+title: Refrain from using UDRs on the Application gateway subnet
+description: Using User Defined Routes (UDR) on the Application Gateway subnet can
+ cause some issues. Health status in the back-end might be unknown. Application Gateway
+ logs and metrics might not get generated. We recommend that you don't use UDRs on
+ the Application Gateway subnet so that you can view the back-end health, logs, and
+ metrics. If your organizations require to use UDR in the Application Gateway subnet,
+ please ensure you review the supported scenarios. For more information, see Supported
+ user-defined routes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 9ba32fa7-9880-47f8-aaed-93097fe35c99
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AppropriateDnsServerBackendPoolResources.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AppropriateDnsServerBackendPoolResources.yaml
new file mode 100644
index 000000000..87234a89e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AppropriateDnsServerBackendPoolResources.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AppropriateDnsServerBackendPoolResources
+title: Use an appropriate DNS server for backend pool resources
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 24847b21-1c0f-4ac9-9c00-f116155257b3
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AppropriateDnsServerPrivateDnsZone.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AppropriateDnsServerPrivateDnsZone.yaml
new file mode 100644
index 000000000..55617e916
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AppropriateDnsServerPrivateDnsZone.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AppropriateDnsServerPrivateDnsZone
+title: Use an appropriate DNS server for backend pool resources
+description: When the backend pool contains a resolvable FQDN, the DNS resolution
+ is based on a private DNS zone or custom DNS server (if configured on the VNet),
+ or it uses the default Azure-provided DNS.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 694b80a2-72fb-4d42-a249-e9c86fb4d00a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AzureKeyVaultTlsCertificates.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AzureKeyVaultTlsCertificates.yaml
new file mode 100644
index 000000000..4277a361b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-AzureKeyVaultTlsCertificates.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureKeyVaultTlsCertificates
+title: Use Azure Key Vault to store TLS certificates
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 2e0b6e8f-2784-4ea8-bec5-a128ddce6c98
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-EasierCertificateManagementTlsTermination.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-EasierCertificateManagementTlsTermination.yaml
new file mode 100644
index 000000000..fac039ede
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-EasierCertificateManagementTlsTermination.yaml
@@ -0,0 +1,19 @@
+name: wafsg-EasierCertificateManagementTlsTermination
+title: Use AppGateway for TLS termination
+description: There are advantages of using Application Gateway for TLS termination:-
+ Performance improves because requests going to different backends to have to re-authenticate
+ to each backend.- Better utilization of backend servers because they don't have
+ to perform TLS processing- Intelligent routing by accessing the request content.-
+ Easier certificate management because the certificate only needs to be installed
+ on Application Gateway.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 726e1bc8-2b65-4393-a9a5-1b73976c89ef
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-EasierCertificateRenewalAzureKeyVault.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-EasierCertificateRenewalAzureKeyVault.yaml
new file mode 100644
index 000000000..15e696bfc
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-EasierCertificateRenewalAzureKeyVault.yaml
@@ -0,0 +1,16 @@
+name: wafsg-EasierCertificateRenewalAzureKeyVault
+title: Use Azure Key Vault to store TLS certificates
+description: Application Gateway can be integrated with Key Vault. This provides stronger
+ security, easier separation of roles and responsibilities, support for managed certificates,
+ and an easier certificate renewal and rotation process.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 5692cf86-c36a-4c1b-a73f-1a73f5728cd0
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate-1.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate-1.yaml
new file mode 100644
index 000000000..3b6361771
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate-1.yaml
@@ -0,0 +1,19 @@
+name: wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate-1
+title: When re-encrypting backend traffic, ensure the backend server certificate contains
+ both the root and intermediate Certificate Authorities (CAs)
+description: A TLS certificate of the backend server must be issued by a well-known
+ CA. If the certificate was not issued by a trusted CA, the Application Gateway checks
+ if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate
+ is found. Only then a secure connection is established. Otherwise, Application Gateway
+ marks the backend as unhealthy.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 08b9ecd4-7e8b-40a1-803b-bad57bec80ea
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate.yaml
new file mode 100644
index 000000000..b4dd45ca8
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate.yaml
@@ -0,0 +1,16 @@
+name: wafsg-IntermediateCertificateAuthoritiesBackendServerCertificate
+title: When re-encrypting backend traffic, ensure the backend server certificate contains
+ both the root and intermediate Certificate Authorities (CAs)
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: d3ed4722-efc4-4567-b9fe-e4254225913e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-LatestTlsPolicyVersionEnhancedSecurity.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-LatestTlsPolicyVersionEnhancedSecurity.yaml
new file mode 100644
index 000000000..b299b0468
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-LatestTlsPolicyVersionEnhancedSecurity.yaml
@@ -0,0 +1,15 @@
+name: wafsg-LatestTlsPolicyVersionEnhancedSecurity
+title: Set up a TLS policy for enhanced security
+description: Set up a TLS policy for extra security. Ensure you're always using the
+ latest TLS policy version available. This enforces TLS 1.2 and stronger ciphers.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 7547ed98-86fb-4a8f-94d8-162c5d6fd39d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-NetworkSecurityGroupsApplicationGatewaySubnet.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-NetworkSecurityGroupsApplicationGatewaySubnet.yaml
new file mode 100644
index 000000000..c31fa6070
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-NetworkSecurityGroupsApplicationGatewaySubnet.yaml
@@ -0,0 +1,17 @@
+name: wafsg-NetworkSecurityGroupsApplicationGatewaySubnet
+title: Comply with all NSG restrictions for Application Gateway
+description: NSGs are supported on Application Gateway subnet, but there are some
+ restrictions. For instance, some communication with certain port ranges is prohibited.
+ Make sure you understand the implications of those restrictions. For details, see
+ Network security groups.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: fc06eb7c-1989-4048-9c2f-6fc6e48fc334
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-NsgRestrictionsApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-NsgRestrictionsApplicationGateway.yaml
new file mode 100644
index 000000000..c76a344cf
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-NsgRestrictionsApplicationGateway.yaml
@@ -0,0 +1,15 @@
+name: wafsg-NsgRestrictionsApplicationGateway
+title: Comply with all NSG restrictions for Application Gateway
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 12e359f5-1252-4fdf-83e8-542e5d5d34d8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-TlsPolicyEnhancedSecurity.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-TlsPolicyEnhancedSecurity.yaml
new file mode 100644
index 000000000..2bb0c655b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-TlsPolicyEnhancedSecurity.yaml
@@ -0,0 +1,15 @@
+name: wafsg-TlsPolicyEnhancedSecurity
+title: Set up a TLS policy for enhanced security
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 297b842f-979b-474d-aa48-b6799a76c083
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-TlsTerminationAppgateway.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-TlsTerminationAppgateway.yaml
new file mode 100644
index 000000000..e0b297207
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/Security/wafsg-TlsTerminationAppgateway.yaml
@@ -0,0 +1,15 @@
+name: wafsg-TlsTerminationAppgateway
+title: Use AppGateway for TLS termination
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-application-gateway.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/applicationgateways
+waf: Security
+severity: 1
+labels:
+ guid: 61aac352-64e1-4351-8bc5-7dd84996adc6
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-ApplicationGatewaySubnetWafVSku.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-ApplicationGatewaySubnetWafVSku.yaml
new file mode 100644
index 000000000..4888d797a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-ApplicationGatewaySubnetWafVSku.yaml
@@ -0,0 +1,31 @@
+name: aprl-ApplicationGatewaySubnetWafVSku
+title: Ensure Application Gateway Subnet is using a /24 subnet mask
+description: |-
+ Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. A /24 subnet isn't mandatory for deployment but is advised to provide enough space for autoscaling and maintenance upgrades.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 0
+labels:
+ guid: 8364fd0a-7c0e-e240-9d95-4bf965aec243
+ area: Other Best Practices
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This query will validate the subnet id for an appGW ends with a /24
+
+ resources
+ | where type =~ 'Microsoft.Network/applicationGateways'
+ | extend subnetid = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id)
+ | join kind=leftouter(resources
+ | where type == "microsoft.network/virtualnetworks"
+ | mv-expand properties.subnets
+ | extend subnetid = tostring(properties_subnets.id)
+ | extend addressprefix = tostring(properties_subnets.properties.addressPrefix)
+ | project subnetid, addressprefix) on subnetid
+ | where addressprefix !endswith '/24'
+ | project recommendationId = "8364fd0a-7c0e-e240-9d95-4bf965aec243", name, id, tags, param1 = strcat('AppGW subnet prefix: ', addressprefix)
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-ApplicationGatewayZoneRedundantConfiguration.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-ApplicationGatewayZoneRedundantConfiguration.yaml
new file mode 100644
index 000000000..c5a55ed77
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-ApplicationGatewayZoneRedundantConfiguration.yaml
@@ -0,0 +1,24 @@
+name: aprl-ApplicationGatewayZoneRedundantConfiguration
+title: Deploy Application Gateway in a zone-redundant configuration
+description: |-
+ Deploying Application Gateway in a zone-aware configuration ensures continued customer access to services even if a specific zone goes down, as services in other zones remain available.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 0
+labels:
+ guid: c9c00f2a-3888-714b-a72b-b4c9e8fcffb2
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // list Application Gateways that are not configured to use at least 2 Availability Zones
+ resources
+ | where type =~ "microsoft.network/applicationGateways"
+ | where isnull(zones) or array_length(zones) < 2
+ | extend zoneValue = iff((isnull(zones)), "null", zones)
+ | project recommendationId = "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Zones value: ", zoneValue )
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-AzureApplicationGatewaysAvailableFashion.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-AzureApplicationGatewaysAvailableFashion.yaml
new file mode 100644
index 000000000..c09ca9ea0
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-AzureApplicationGatewaysAvailableFashion.yaml
@@ -0,0 +1,26 @@
+name: aprl-AzureApplicationGatewaysAvailableFashion
+title: Ensure Autoscale feature has been enabled
+description: |-
+ Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 1
+labels:
+ guid: 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f
+ area: Scalability
+links: []
+queries:
+ arg: |+
+ // Azure Resource Graph Query
+ // This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1
+ resources
+ | where type =~ "microsoft.network/applicationGateways"
+ | where isnull(properties.autoscaleConfiguration) or properties.autoscaleConfiguration.minCapacity <= 1
+ | project recommendationId = "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f", name, id, tags, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
+ | order by id asc
+
+...
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-AzureKeyvaultIntegrationApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-AzureKeyvaultIntegrationApplicationGateway.yaml
new file mode 100644
index 000000000..32acc86ee
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-AzureKeyvaultIntegrationApplicationGateway.yaml
@@ -0,0 +1,24 @@
+name: aprl-AzureKeyvaultIntegrationApplicationGateway
+title: Migrate to Application Gateway v2
+description: |-
+ Use Application Gateway v2 for built-in features like autoscaling, static VIPs, Azure KeyVault integration for better traffic management and performance, unless v1 is necessary.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 0
+labels:
+ guid: 7893f0b3-8622-1d47-beed-4b50a19f7895
+ area: Scalability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Get all Application Gateways, which are using the deprecated V1 SKU
+ resources
+ | where type =~ 'microsoft.network/applicationgateways'
+ | extend tier = properties.sku.tier
+ | where tier == 'Standard' or tier == 'WAF'
+ | project recommendationId = "7893f0b3-8622-1d47-beed-4b50a19f7895", name, id, tags
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-BackendPoolMembersBackendMaintenance.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-BackendPoolMembersBackendMaintenance.yaml
new file mode 100644
index 000000000..98be01b62
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-BackendPoolMembersBackendMaintenance.yaml
@@ -0,0 +1,26 @@
+name: aprl-BackendPoolMembersBackendMaintenance
+title: Plan for backend maintenance by using connection draining
+description: |-
+ Using connection draining for backend maintenance ensures graceful removal of backend pool members during updates or health issues. It's enabled via Backend Setting and applies to all members during rule creation.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 1
+labels:
+ guid: 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This query will check if connection draining is enabled
+ resources
+ | where type =~ "microsoft.network/applicationGateways"
+ | mv-expand backendHttpSettings = properties.backendHttpSettingsCollection
+ | extend connectionDrainingEnabled = backendHttpSettings.properties.connectionDraining.enabled
+ | where connectionDrainingEnabled != true
+ | extend backendPoolName = backendHttpSettings.name
+ | project recommendationId = "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915", name, id, tags, param1 = "connectionDraining: Disabled", param2 = strcat("backendSettingsName: ", backendPoolName)
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-CustomHealthProbesBackendAvailability.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-CustomHealthProbesBackendAvailability.yaml
new file mode 100644
index 000000000..0a5109410
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-CustomHealthProbesBackendAvailability.yaml
@@ -0,0 +1,23 @@
+name: aprl-CustomHealthProbesBackendAvailability
+title: Use Health Probes to detect backend availability
+description: |-
+ Using custom health probes enhances understanding of backend availability and facilitates monitoring of backend services for any impact.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 0
+labels:
+ guid: 847a8d88-21c4-bc48-a94e-562206edd767
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Application Gateways are not using health probes to monitor the availability of the backend systems
+ resources
+ | where type =~ "microsoft.network/applicationGateways"
+ | where array_length(properties.probes) == 0
+ | project recommendationId="847a8d88-21c4-bc48-a94e-562206edd767", name, id, tags, param1="customHealthProbeUsed: false"
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-IncomingConnectionsProductionServices.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-IncomingConnectionsProductionServices.yaml
new file mode 100644
index 000000000..7ceba0657
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-IncomingConnectionsProductionServices.yaml
@@ -0,0 +1,25 @@
+name: aprl-IncomingConnectionsProductionServices
+title: Secure all incoming connections with SSL
+description: |-
+ Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 0
+labels:
+ guid: 233a7008-71e9-e745-923e-1a1c7a0b92f3
+ area: Security
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // You can use the following Azure Resource Graph query to check if an HTTP rule is using an SSL certificate or is using Azure Key Vault to store the certificates
+ resources
+ | where type =~ "microsoft.network/applicationGateways"
+ | mv-expand frontendPorts = properties.frontendPorts
+ | mv-expand httpListeners = properties.httpListeners
+ | where isnull(parse_json(httpListeners.properties.sslCertificate))
+ | project recommendationId="233a7008-71e9-e745-923e-1a1c7a0b92f3", name, id, tags, param1=strcat("frontendPort: ", frontendPorts.properties.port), param2="tls: false"
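Review bot: The two `mv-expand` steps expand `properties.frontendPorts` and `properties.httpListeners` independently, so every listener is paired with every frontend port and `param1` reports a port that need not belong to the listener lacking an `sslCertificate`; a gateway with N ports and M listeners also yields N×M rows for the same finding. Expanding only the listeners and deriving the port from the listener itself, e.g. `| mv-expand httpListeners = properties.httpListeners` followed by `param1=strcat("frontendPort: ", httpListeners.properties.frontendPort.id)`, keeps one row per unencrypted listener and an attribution a responder can act on. This file looks generated from the APRL `recommendations.yaml` named in `source.file`, so the query should be corrected upstream rather than only here.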
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-NsgFlowLogsDepthTrafficAnalysis.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-NsgFlowLogsDepthTrafficAnalysis.yaml
new file mode 100644
index 000000000..16de3f6f4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-NsgFlowLogsDepthTrafficAnalysis.yaml
@@ -0,0 +1,18 @@
+name: aprl-NsgFlowLogsDepthTrafficAnalysis
+title: Monitor and Log the configurations and traffic
+description: |-
+ Enable logging in storage accounts, Log Analytics, and monitoring services for auditing and insights. If using NSGs, enable NSG flow logs to be stored, providing in-depth traffic analysis into Azure Cloud.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 0
+labels:
+ guid: 5d035919-898d-a047-8d5d-454e199692e5
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-OwaspCoreRuleSetsBasedRulesInboundHttpSInternetTraffic.yaml b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-OwaspCoreRuleSetsBasedRulesInboundHttpSInternetTraffic.yaml
new file mode 100644
index 000000000..b6692391f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-applicationGateways/aprl-OwaspCoreRuleSetsBasedRulesInboundHttpSInternetTraffic.yaml
@@ -0,0 +1,26 @@
+name: aprl-OwaspCoreRuleSetsBasedRulesInboundHttpSInternetTraffic
+title: Enable Web Application Firewall policies
+description: |-
+ Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through OWASP core rule sets-based rules.
+source:
+ type: aprl
+ file: azure-resources/Network/applicationGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/applicationGateways
+severity: 2
+labels:
+ guid: 8d9223c4-730d-ca47-af88-a9a024c37270
+ area: Security
+links: []
+queries:
+ arg: |+
+ // Azure Resource Graph Query
+ // This query will return all Application Gateways that do not have WAF enabled
+ Resources
+ | where type =~ "microsoft.network/applicationGateways"
+ | where properties.firewallpolicy != ""
+ | project recommendationId = "8d9223c4-730d-ca47-af88-a9a024c37270", name, id, tags, param1 = "webApplicationFirewallConfiguration: isNull"
+ | order by id asc
+
+...
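Review bot: The filter `| where properties.firewallpolicy != ""` returns gateways that have a firewall policy attached, which is the opposite of the comment "return all Application Gateways that do not have WAF enabled" and of the `param1` text "webApplicationFirewallConfiguration: isNull"; as written the check flags the compliant gateways and stays silent on the exposed ones. The intent appears to be `| where isnull(properties.firewallPolicy) and isnull(properties.webApplicationFirewallConfiguration)`, covering both the policy-based and the legacy inline WAF configuration, and property paths on `properties` are case-sensitive in Resource Graph so `firewallPolicy` should keep its capital P. This file looks generated from the APRL `recommendations.yaml` named in `source.file`, so the fix belongs upstream as well as in this snapshot.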
diff --git a/v2/recos/Services/microsoftnetwork-bastionHosts/Security/revcl-AzureBastionNetwork.yaml b/v2/recos/Services/microsoftnetwork-bastionHosts/Security/revcl-AzureBastionNetwork.yaml
new file mode 100644
index 000000000..f1e28ec62
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-bastionHosts/Security/revcl-AzureBastionNetwork.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureBastionNetwork
+title: Consider using Azure Bastion to securely connect to your network.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/bastionhosts
+waf: Security
+severity: 1
+labels:
+ guid: ee1ac551-c4d5-46cf-b035-d0a3c50d87ad
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/bastion/bastion-overview
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-bastionHosts/Security/revcl-AzureBastionSubnet.yaml b/v2/recos/Services/microsoftnetwork-bastionHosts/Security/revcl-AzureBastionSubnet.yaml
new file mode 100644
index 000000000..7c48f8bde
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-bastionHosts/Security/revcl-AzureBastionSubnet.yaml
@@ -0,0 +1,20 @@
+name: revcl-AzureBastionSubnet
+title: Use Azure Bastion in a subnet /26 or larger.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/bastionhosts
+waf: Security
+severity: 1
+labels:
+ guid: 6eab9eb6-762b-485e-8ea8-15aa5dba0bd0
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/bastion/bastion-faq#subnet
+queries:
+ arg: resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets
+ | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix
+ | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName ==
+ 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct
+ id, compliant
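Review bot: The query projects the virtual network `id`, not a bastion host id, so the `compliant` verdict is keyed to a resource that does not match the `microsoft.network/bastionhosts` entry in `resourceTypes`, and a consumer joining findings by resource id will not attach this result to the Bastion host. Separately, `subnetPrefixLength` comes from `split(subnetPrefix, '/')[1]` and is compared with `<= 26` without conversion; wrapping it as `toint(split(subnetPrefix, '/')[1])` makes the numeric comparison explicit instead of relying on dynamic-value coercion (I have not confirmed how Resource Graph coerces here). The CIDR-to-subnet relationship is also inverted in reading terms: `/26 or larger` in the title means a prefix length of 26 or less, which the `<= 26` test does encode, so a short comment in the query would help the next maintainer.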
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-CircuitsPeeringLocationLocalSku.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-CircuitsPeeringLocationLocalSku.yaml
new file mode 100644
index 000000000..b41070f8a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-CircuitsPeeringLocationLocalSku.yaml
@@ -0,0 +1,22 @@
+name: revcl-CircuitsPeeringLocationLocalSku
+title: Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits,
+ if your circuits' peering location supports your Azure regions for the Local SKU.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 0
+labels:
+ guid: f4e7926a-ec35-476e-a412-5dd17136bd62
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local
+queries:
+ arg: resources | where type=='microsoft.network/connections' | where properties.connectionType
+ == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id),
+ circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits'
+ | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project
+ id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant)
+ by id
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-LocalAzureRegionsExpressrouteLocalCircuits.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-LocalAzureRegionsExpressrouteLocalCircuits.yaml
new file mode 100644
index 000000000..1e2b63f68
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-LocalAzureRegionsExpressrouteLocalCircuits.yaml
@@ -0,0 +1,18 @@
+name: revcl-LocalAzureRegionsExpressrouteLocalCircuits
+title: If using ExpressRoute Direct, consider using ExpressRoute Local circuits to
+ the local Azure regions to save costs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 0
+labels:
+ guid: 718cb437-b060-2589-8856-2e93a5c6633b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-UnlimitedDataExpressrouteCircuitsBandwidth.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-UnlimitedDataExpressrouteCircuitsBandwidth.yaml
new file mode 100644
index 000000000..9ed81ba41
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/revcl-UnlimitedDataExpressrouteCircuitsBandwidth.yaml
@@ -0,0 +1,19 @@
+name: revcl-UnlimitedDataExpressrouteCircuitsBandwidth
+title: Ensure that you're using unlimited-data ExpressRoute circuits only if you reach
+ the bandwidth that justifies their cost.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 0
+labels:
+ guid: 7025b442-f6e9-4af6-b11f-c9574916016f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/plan-manage-cost
+queries:
+ arg: resources | where type=='microsoft.network/expressroutecircuits' | extend compliant
+ = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct
+ id,compliant
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-BudgetAlertsCost.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-BudgetAlertsCost.yaml
new file mode 100644
index 000000000..3017e768d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-BudgetAlertsCost.yaml
@@ -0,0 +1,15 @@
+name: wafsg-BudgetAlertsCost
+title: Monitor cost and create budget alerts.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: 7327aac3-008f-4878-bf49-a6c3f76746a1
+links: []
+queries: {}
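Review bot: This recommendation duplicates `wafsg-MonitoringExpressrouteCostsExpressrouteCircuit` (L65749–L65764): same title, resource type and pillar, but a different guid, once sourced from the service-guide markdown with `description: ''` and once from `./checklists-ext/wafsg_checklist.en.json` with a full description. The same pattern repeats for the deprovision pair (L65596/L65638), the pricing pair (L65661/L65682), the gateway-size pair (L65705/L65726), connection monitoring (L65868/L65935), Service Health (L65959/L66003), FastPath (L66173/L66260) and gateway size under Performance (L66281/L66302). Two guids for one recommendation are likely to double-count in any compliance roll-up; dedupe on a normalised title, or keep one guid per recommendation and merge the `source` entries.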
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-DeprovisionExpressrouteCircuitsUse.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-DeprovisionExpressrouteCircuitsUse.yaml
new file mode 100644
index 000000000..abcc85c70
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-DeprovisionExpressrouteCircuitsUse.yaml
@@ -0,0 +1,15 @@
+name: wafsg-DeprovisionExpressrouteCircuitsUse
+title: Deprovision ExpressRoute circuits no longer in use.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: 271b6cfe-4507-4afa-a1e5-000e3be105ac
+links: []
+queries: {}
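Review bot: `timestamp: July 24, 2024` is a locale-dependent, non-sortable long-form date, so tools cannot compare freshness across recos without parsing English month names. Prefer ISO 8601, `timestamp: '2024-07-24'`. The value appears to be emitted by the generator rather than hand-written, so the change belongs there; the same applies to every other `timestamp:` line in this commit.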
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteCircuitSkuBandwidth.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteCircuitSkuBandwidth.yaml
new file mode 100644
index 000000000..31ebb6b87
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteCircuitSkuBandwidth.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteCircuitSkuBandwidth
+title: Determine the ExpressRoute circuit SKU and bandwidth required.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: a3aaf86d-0531-404f-b881-78bbacd912ca
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteCircuitsUnnecessaryCost.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteCircuitsUnnecessaryCost.yaml
new file mode 100644
index 000000000..1a5ff3214
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteCircuitsUnnecessaryCost.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExpressrouteCircuitsUnnecessaryCost
+title: Deprovision and delete ExpressRoute circuits no longer in use.
+description: ExpressRoute circuits are charged from the moment they're created. To
+ reduce unnecessary cost, deprovision the circuit with the service provider and delete
+ the ExpressRoute circuit from your subscription. For steps on how to remove an ExpressRoute
+ circuit, see Deprovisioning an ExpressRoute circuit.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: c36e0c83-11b4-409a-a4a6-2118b52a380f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressroutePricing.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressroutePricing.yaml
new file mode 100644
index 000000000..554a18f3e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressroutePricing.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressroutePricing
+title: Familiarize yourself with ExpressRoute pricing.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: 96599299-4653-4e94-989b-8c7fe64cb2bd
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressroutePricingUnderstandPricing.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressroutePricingUnderstandPricing.yaml
new file mode 100644
index 000000000..21eecb43c
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressroutePricingUnderstandPricing.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExpressroutePricingUnderstandPricing
+title: Familiarize yourself with ExpressRoute pricing
+description: For information about ExpressRoute pricing, see Understand pricing for
+ Azure ExpressRoute. You can also use the Pricing calculator.Ensure that the options
+ are adequately sized to meet the capacity demand and deliver expected performance
+ without wasting resources.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: 92eec823-61dd-486c-b46e-0339fc02987e
+links: []
+queries: {}
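Review bot: The description has lost the whitespace between two sentences at `Pricing calculator.Ensure that the options`, and the same extraction defect is worse in `wafsg-ThroughputGatewayMetricsNetworkInsights` (L66026–L66030), where a bulleted list has collapsed to `single place.Metrics available:- Availability- Throughput- Gateway metrics`. This looks like block elements of the source page being concatenated without a separator when the checklist JSON was produced. The fix belongs in that extraction step (join blocks with a space or newline) rather than in hand edits to these generated files.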
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteVirtualNetworkGatewaySize.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteVirtualNetworkGatewaySize.yaml
new file mode 100644
index 000000000..037048d24
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteVirtualNetworkGatewaySize.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteVirtualNetworkGatewaySize
+title: Determine the ExpressRoute virtual network gateway size required.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: 2d710fcf-b8bc-461d-81a1-895193ce91cc
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteVirtualNetworkGatewaySizePreferredVirtualNetworkGatewaySku.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteVirtualNetworkGatewaySizePreferredVirtualNetworkGatewaySku.yaml
new file mode 100644
index 000000000..64629ef4c
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ExpressrouteVirtualNetworkGatewaySizePreferredVirtualNetworkGatewaySku.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExpressrouteVirtualNetworkGatewaySizePreferredVirtualNetworkGatewaySku
+title: Determine the ExpressRoute virtual network gateway size
+description: ExpressRoute virtual network gateways are used to pass traffic into a
+ virtual network over private peering. Review the performance and scale needs of
+ your preferred Virtual Network Gateway SKU. Select the appropriate gateway SKU on
+ your on-premises to Azure workload.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: 73967d95-39ff-47bb-b4f4-33ddade69d1f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-MonitoringExpressrouteCostsExpressrouteCircuit.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-MonitoringExpressrouteCostsExpressrouteCircuit.yaml
new file mode 100644
index 000000000..29bcdb327
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-MonitoringExpressrouteCostsExpressrouteCircuit.yaml
@@ -0,0 +1,16 @@
+name: wafsg-MonitoringExpressrouteCostsExpressrouteCircuit
+title: Monitor cost and create budget alerts
+description: Monitor the cost of your ExpressRoute circuit and create alerts for spending
+ anomalies and overspending risks. For more information, see Monitoring ExpressRoute
+ costs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: edd459fa-3105-4a03-b009-4f983d23da5a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ThreeDifferentSkuTypesUnlimitedDataPlan.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ThreeDifferentSkuTypesUnlimitedDataPlan.yaml
new file mode 100644
index 000000000..9ed25b7fe
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Cost/wafsg-ThreeDifferentSkuTypesUnlimitedDataPlan.yaml
@@ -0,0 +1,20 @@
+name: wafsg-ThreeDifferentSkuTypesUnlimitedDataPlan
+title: Determine SKU and bandwidth required
+description: The way you're charged for your ExpressRoute usage varies between the
+ three different SKU types. With Local SKU, you're automatically charged with an
+ Unlimited data plan. With Standard and Premium SKU, you can select between a Metered
+ or an Unlimited data plan. All ingress data are free of charge except when using
+ the Global Reach add-on. It's important to understand which SKU types and data plan
+ works best for your workload to best optimize cost and budget. For more information
+ resizing ExpressRoute circuit, see upgrading ExpressRoute circuit bandwidth.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Cost
+severity: 1
+labels:
+ guid: c5c27eb1-6f1c-4b97-a216-0cbdc31a3c98
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ConnectionMonitorConnectivityMonitoring.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ConnectionMonitorConnectivityMonitoring.yaml
new file mode 100644
index 000000000..fcf842b47
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ConnectionMonitorConnectivityMonitoring.yaml
@@ -0,0 +1,18 @@
+name: revcl-ConnectionMonitorConnectivityMonitoring
+title: Use Connection Monitor for connectivity monitoring across the network, especially
+ between on-premises and Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 5bf68dc9-325e-4873-bf88-f8214ef2e5d2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ExpressRouteInsightsExpressrouteAvailability.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ExpressRouteInsightsExpressrouteAvailability.yaml
new file mode 100644
index 000000000..1fd7d4512
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ExpressRouteInsightsExpressrouteAvailability.yaml
@@ -0,0 +1,18 @@
+name: revcl-ExpressRouteInsightsExpressrouteAvailability
+title: Monitor ExpressRoute availability and utilization using built-in Express Route
+ Insights.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: b30e38c3-f298-412b-8363-cefe179b599d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ExpressrouteVirtualNetworkGatewayDiagnosticLogs.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ExpressrouteVirtualNetworkGatewayDiagnosticLogs.yaml
new file mode 100644
index 000000000..cebdbd53c
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/revcl-ExpressrouteVirtualNetworkGatewayDiagnosticLogs.yaml
@@ -0,0 +1,17 @@
+name: revcl-ExpressrouteVirtualNetworkGatewayDiagnosticLogs
+title: Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 3f79ed00-203b-4c95-9efd-691505f5a1f9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ConnectionMonitoringAzureNetwork.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ConnectionMonitoringAzureNetwork.yaml
new file mode 100644
index 000000000..12fcf7fdb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ConnectionMonitoringAzureNetwork.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ConnectionMonitoringAzureNetwork
+title: Configure connection monitoring between your on-premises and Azure network.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 138436b3-3868-43ad-8a1c-61c8e4a84d8e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressrouteGatewayConnectionsExpressrouteResourceMetrics.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressrouteGatewayConnectionsExpressrouteResourceMetrics.yaml
new file mode 100644
index 000000000..849cfc606
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressrouteGatewayConnectionsExpressrouteResourceMetrics.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ExpressrouteGatewayConnectionsExpressrouteResourceMetrics
+title: Review ExpressRoute resource metrics
+description: ExpressRoute uses Azure Monitor to collect metrics and create alerts
+ base on your configuration. Metrics are collected for ExpressRoute circuits, ExpressRoute
+ gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics
+ are useful for diagnosing connectivity problems and understanding the performance
+ of your ExpressRoute connection.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: e2ca25a4-7d0d-49f8-8618-f81f0f3ff3e0
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressrouteInsightsNetworkInsights.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressrouteInsightsNetworkInsights.yaml
new file mode 100644
index 000000000..0b0b68728
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressrouteInsightsNetworkInsights.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ExpressrouteInsightsNetworkInsights
+title: Review metrics and dashboards available through ExpressRoute Insights using
+ Network Insights.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 6c4de9f0-b0f4-4390-8222-d5b9dfb506b6
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressroutePrivatePeeringMicrosoftPeeringConnection.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressroutePrivatePeeringMicrosoftPeeringConnection.yaml
new file mode 100644
index 000000000..d6a761d93
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ExpressroutePrivatePeeringMicrosoftPeeringConnection.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ExpressroutePrivatePeeringMicrosoftPeeringConnection
+title: Configure connection monitoring
+description: Connection monitoring allows you to monitor connectivity between your
+ on-premises resources and Azure over the ExpressRoute private peering and Microsoft
+ peering connection. Connection monitor can detect networking issues by identifying
+ where along the network path the problem is and help you quickly resolve configuration
+ or hardware failures.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 06b83763-eef7-4e07-8c16-8e0fcc9a388c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-HealthNotificationsUpcomingMaintenance.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-HealthNotificationsUpcomingMaintenance.yaml
new file mode 100644
index 000000000..7faca899d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-HealthNotificationsUpcomingMaintenance.yaml
@@ -0,0 +1,17 @@
+name: wafsg-HealthNotificationsUpcomingMaintenance
+title: Configure Service Health
+description: Set up Service Health notifications to alert when planned and upcoming
+ maintenance is happening to all ExpressRoute circuits in your subscription. Service
+ Health also displays past maintenance along with RCA if an unplanned maintenance
+ were to occur.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 98086164-1e4f-4bd3-b67b-904b60e32470
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ReviewExpressrouteResourceMetrics.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ReviewExpressrouteResourceMetrics.yaml
new file mode 100644
index 000000000..55d97a7b1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ReviewExpressrouteResourceMetrics.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ReviewExpressrouteResourceMetrics
+title: Review ExpressRoute resource metrics.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 8c22c571-98a1-4d91-94b7-efb58db4763e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ServiceHealthNotification.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ServiceHealthNotification.yaml
new file mode 100644
index 000000000..70f103cdc
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ServiceHealthNotification.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ServiceHealthNotification
+title: Configure Service Health for receiving notification.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: 7cfb8c20-2449-4892-bb3f-d994944ba6c9
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ThroughputGatewayMetricsNetworkInsights.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ThroughputGatewayMetricsNetworkInsights.yaml
new file mode 100644
index 000000000..375eb61ff
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Operations/wafsg-ThroughputGatewayMetricsNetworkInsights.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ThroughputGatewayMetricsNetworkInsights
+title: Review metrics with Network Insights
+description: ExpressRoute Insights with Network Insights allow you to review and analyze
+ ExpressRoute circuits, gateways, connections metrics and health dashboards. ExpressRoute
+ Insights also provide a topology view of your ExpressRoute connections where you
+ can view details of your peering components all in a single place.Metrics available:-
+ Availability- Throughput- Gateway metrics
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Operations
+severity: 1
+labels:
+ guid: f48383e3-3d08-47a4-852e-211cc3a792df
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-ExpressrouteCircuitsVnetCommunication.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-ExpressrouteCircuitsVnetCommunication.yaml
new file mode 100644
index 000000000..a28cb5a1b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-ExpressrouteCircuitsVnetCommunication.yaml
@@ -0,0 +1,17 @@
+name: revcl-ExpressrouteCircuitsVnetCommunication
+title: Avoid using ExpressRoute circuits for VNet-to-VNet communication.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 5234c93f-b651-41dd-80c1-234177b91ced
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-GbpsPortsExpressrouteDirect.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-GbpsPortsExpressrouteDirect.yaml
new file mode 100644
index 000000000..f8253a86e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-GbpsPortsExpressrouteDirect.yaml
@@ -0,0 +1,18 @@
+name: revcl-GbpsPortsExpressrouteDirect
+title: For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps
+ ports, use ExpressRoute Direct.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 72e52e36-11cc-458b-9a4b-1511e43a58a9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-LowLatencyExpressrouteGateway.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-LowLatencyExpressrouteGateway.yaml
new file mode 100644
index 000000000..ef683cdae
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-LowLatencyExpressrouteGateway.yaml
@@ -0,0 +1,19 @@
+name: revcl-LowLatencyExpressrouteGateway
+title: When low latency is required, or throughput from on-premises to Azure must
+ be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from
+ the data path.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: c2299c4d-7b57-4d0c-9555-62f2b3e4563a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/about-fastpath
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-PrimaryConnectionPossibility.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-PrimaryConnectionPossibility.yaml
new file mode 100644
index 000000000..f899c6427
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-PrimaryConnectionPossibility.yaml
@@ -0,0 +1,18 @@
+name: revcl-PrimaryConnectionPossibility
+title: Ensure that you have investigated the possibility to use ExpressRoute as primary
+ connection to Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 359c373e-7dd6-4162-9a36-4a907ecae48e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-RightSkuExpressrouteVpnGateways.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-RightSkuExpressrouteVpnGateways.yaml
new file mode 100644
index 000000000..fbf5dd989
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/revcl-RightSkuExpressrouteVpnGateways.yaml
@@ -0,0 +1,23 @@
+name: revcl-RightSkuExpressrouteVpnGateways
+title: Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based
+ on bandwidth and performance requirements.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: d4cd21b0-8813-47f5-b6c4-cfd3e504547c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-routing
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries:
+ arg: resources| where type == 'microsoft.network/virtualnetworkgateways'| where
+ properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend
+ SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType|
+ extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId,
+ resourceGroup, compliant
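Review bot: The `arg` query compares `gatewayType` case-insensitively for VPN (`=~ 'vpn'`) but case-sensitively for ExpressRoute (`== 'ExpressRoute'`), and `!in ('Basic', 'Standard')` is case-sensitive too, so a tier returned with different casing would be scored compliant. Use the case-insensitive forms throughout: `properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'expressroute'` and `extend compliant = SKUTier !in~ ('basic', 'standard')`. Separately, `resourceTypes` declares `microsoft.network/expressroutecircuits` while the query targets `microsoft.network/virtualnetworkgateways`, so a consumer that selects recos by resource type would run this query against the wrong resources; presumably `resourceTypes` should list `microsoft.network/virtualnetworkgateways` (or both).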
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ErgwAzVirtualNetworkGatewayAzureVirtualNetwork.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ErgwAzVirtualNetworkGatewayAzureVirtualNetwork.yaml
new file mode 100644
index 000000000..e50eb4bbe
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ErgwAzVirtualNetworkGatewayAzureVirtualNetwork.yaml
@@ -0,0 +1,16 @@
+name: wafsg-ErgwAzVirtualNetworkGatewayAzureVirtualNetwork
+title: Enable ExpressRoute FastPath for higher throughput
+description: If you're using an Ultra performance or an ErGW3AZ virtual network gateway,
+ you can enable FastPath to improve the data path performance between your on-premises
+ network and Azure virtual network.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: a5327e51-9367-4f91-bca2-71b5724e6acb
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitBandwidth.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitBandwidth.yaml
new file mode 100644
index 000000000..01502217d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitBandwidth.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteCircuitBandwidth
+title: Upgrade the ExpressRoute circuit bandwidth.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 124c88c4-391e-41fc-be92-f8efd3ae6b71
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitExpressrouteConnection.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitExpressrouteConnection.yaml
new file mode 100644
index 000000000..e57b7c2ea
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitExpressrouteConnection.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExpressrouteCircuitExpressrouteConnection
+title: Monitor ExpressRoute circuit and gateway metrics
+description: Set up alerts base on ExpressRoute metrics to proactively notify you
+ when a certain threshold is met. These metrics are useful to understand anomalies
+ that can happen with your ExpressRoute connection such as outages and maintenance
+ happening to your ExpressRoute circuits.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 3e5d89cf-a4b0-4624-8a74-c086ce3665ac
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitGatewayMetrics.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitGatewayMetrics.yaml
new file mode 100644
index 000000000..a95f43330
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteCircuitGatewayMetrics.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteCircuitGatewayMetrics
+title: Monitor the ExpressRoute circuit and gateway metrics.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: a77220d0-45e2-4ac9-9f8e-352f4e4848d8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteFastpathHigherThroughput.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteFastpathHigherThroughput.yaml
new file mode 100644
index 000000000..4287cc25e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteFastpathHigherThroughput.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteFastpathHigherThroughput
+title: Enable ExpressRoute FastPath for higher throughput.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 21303a27-77fc-4cd0-afab-0080bbbf6501
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteGatewaySize.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteGatewaySize.yaml
new file mode 100644
index 000000000..9edee16cb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-ExpressrouteGatewaySize.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteGatewaySize
+title: Increase the size of the ExpressRoute gateway.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 68ebf30c-d5f8-4e5a-bafa-9b8ff5aea0cc
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-HigherGatewaySkuExpressrouteGateway.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-HigherGatewaySkuExpressrouteGateway.yaml
new file mode 100644
index 000000000..a52ac5bd5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-HigherGatewaySkuExpressrouteGateway.yaml
@@ -0,0 +1,15 @@
+name: wafsg-HigherGatewaySkuExpressrouteGateway
+title: Increase the size of the ExpressRoute gateway.
+description: Upgrade to a higher gateway SKU for improved throughput performance between
+ on-premises and Azure environment.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: caa42667-014b-4fb2-9e0a-954e05385785
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements-1.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements-1.yaml
new file mode 100644
index 000000000..a63038c6e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements-1.yaml
@@ -0,0 +1,15 @@
+name: wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements-1
+title: Test ExpressRoute gateway performance to meet work load requirements.
+description: Use Azure Connectivity Toolkit to test performance across your ExpressRoute
+ circuit to understand bandwidth capacity and latency of your network connection.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 71513d98-78dc-49ad-ba19-3d769b03c9bb
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements.yaml
new file mode 100644
index 000000000..c525ec15b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements.yaml
@@ -0,0 +1,15 @@
+name: wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements
+title: Test ExpressRoute gateway performance to meet work load requirements.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: 986e4310-6a7c-469e-bd94-8b8d1c388f51
+links: []
+queries: {}
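Review bot: The `-1` suffix on `wafsg-TestExpressrouteGatewayPerformanceWorkLoadRequirements-1` in the preceding hunk signals a name collision with this file: both carry the same title, the same resource type and different GUIDs, one sourced from `./checklists-ext/wafsg_checklist.en.json` and the other from the service-guide markdown, so consumers will render the same recommendation twice. The pair `wafsg-ExpressrouteGatewaySize` / `wafsg-HigherGatewaySkuExpressrouteGateway` earlier in this change shows the same pattern. Either dedupe on normalized title before writing files, or merge the two into one reco that keeps the non-empty `description` and both `source` entries; the `description: ''` / `links: []` variant adds nothing on its own.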
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-UpgradeExpressrouteCircuitBandwidthWorkLoadRequirements.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-UpgradeExpressrouteCircuitBandwidthWorkLoadRequirements.yaml
new file mode 100644
index 000000000..59b06ee1b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Performance/wafsg-UpgradeExpressrouteCircuitBandwidthWorkLoadRequirements.yaml
@@ -0,0 +1,17 @@
+name: wafsg-UpgradeExpressrouteCircuitBandwidthWorkLoadRequirements
+title: Upgrade ExpressRoute circuit bandwidth
+description: Upgrade your circuit bandwidth to meet your work load requirements. Circuit
+ bandwidth is shared between all virtual networks connected to the ExpressRoute circuit.
+ Depending on your work load, one or more virtual networks can use up all the bandwidth
+ on the circuit.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Performance
+severity: 1
+labels:
+ guid: be5fc5f6-92bd-4239-87a0-275d786b8d68
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-BidirectionalForwardingDetectionEdgeRoutingDevices.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-BidirectionalForwardingDetectionEdgeRoutingDevices.yaml
new file mode 100644
index 000000000..7bb5da6b0
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-BidirectionalForwardingDetectionEdgeRoutingDevices.yaml
@@ -0,0 +1,18 @@
+name: revcl-BidirectionalForwardingDetectionEdgeRoutingDevices
+title: Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on
+ customer or provider edge routing devices.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-bfd
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-DifferentPeeringLocationsExpressrouteCircuits.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-DifferentPeeringLocationsExpressrouteCircuits.yaml
new file mode 100644
index 000000000..824ab4790
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-DifferentPeeringLocationsExpressrouteCircuits.yaml
@@ -0,0 +1,23 @@
+name: revcl-DifferentPeeringLocationsExpressrouteCircuits
+title: Use ExpressRoute circuits from different peering locations for redundancy.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: e0d5973c-d4cd-421b-8881-37f5e6c4cfd3
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries:
+ arg: resources | where type=='microsoft.network/connections' | where properties.connectionType
+ == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id),
+ circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits'
+ | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation))
+ on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count()
+ by id=gwId | extend compliant = (countErLocations >= 2)
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-DifferentPeeringLocationsExpressrouteGateway.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-DifferentPeeringLocationsExpressrouteGateway.yaml
new file mode 100644
index 000000000..dc019e234
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-DifferentPeeringLocationsExpressrouteGateway.yaml
@@ -0,0 +1,18 @@
+name: revcl-DifferentPeeringLocationsExpressrouteGateway
+title: Connect the ExpressRoute Gateway to two or more circuits from different peering
+ locations for higher resiliency.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 0
+labels:
+ guid: 669b215a-ce43-4371-8f6f-11047f6490f1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-MultipleExpressrouteCircuitsPremLocations.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-MultipleExpressrouteCircuitsPremLocations.yaml
new file mode 100644
index 000000000..a7d8b5214
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-MultipleExpressrouteCircuitsPremLocations.yaml
@@ -0,0 +1,21 @@
+name: revcl-MultipleExpressrouteCircuitsPremLocations
+title: When you use multiple ExpressRoute circuits, or multiple on-prem locations,
+ make sure to optimize routing with BGP attributes, if certain paths are preferred.
+description: You can use AS-path prepending and connection weights to influence traffic
+ from Azure to on-premises, and the full range of BGP attributes in your own routers
+ to influence traffic from on-premises to Azure.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: f29812b2-363c-4efe-879b-599de0d5973c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-routing
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-PremisesRoutingConnectionFailure.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-PremisesRoutingConnectionFailure.yaml
new file mode 100644
index 000000000..839385931
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-PremisesRoutingConnectionFailure.yaml
@@ -0,0 +1,18 @@
+name: revcl-PremisesRoutingConnectionFailure
+title: 'If using ExpressRoute, your on-premises routing should be dynamic: in the
+ event of a connection failure it should converge to the remaining connection of
+ the circuit. Load should be shared across both connections ideally as active/active,
+ although active/passive is supported too.'
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 0
+labels:
+ guid: d581a947-69a2-4783-942e-9df3664324c8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-RouteTableGatewayRoutes.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-RouteTableGatewayRoutes.yaml
new file mode 100644
index 000000000..e57f5a25e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-RouteTableGatewayRoutes.yaml
@@ -0,0 +1,22 @@
+name: revcl-RouteTableGatewayRoutes
+title: If you are using a route table in the GatewaySubnet, make sure that gateway
+ routes are propagated.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 0
+labels:
+ guid: 72105cc8-aaea-4ee1-8c7a-ad25977afcaf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
+queries:
+ arg: resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets
+ | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id)
+ | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where
+ type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id,
+ disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId
+ | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-SingleExpressrouteCircuitSite.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-SingleExpressrouteCircuitSite.yaml
new file mode 100644
index 000000000..c61851ad7
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-SingleExpressrouteCircuitSite.yaml
@@ -0,0 +1,16 @@
+name: revcl-SingleExpressrouteCircuitSite
+title: Use site-to-site VPN as failover of ExpressRoute, especially if only using
+ a single ExpressRoute circuit.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: cf3fe65c-fec0-495a-8edc-9675200f2add
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-TwoDistinctEdgeDevicesTwoPhysicalLinks.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-TwoDistinctEdgeDevicesTwoPhysicalLinks.yaml
new file mode 100644
index 000000000..aa5fd6b07
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-TwoDistinctEdgeDevicesTwoPhysicalLinks.yaml
@@ -0,0 +1,18 @@
+name: revcl-TwoDistinctEdgeDevicesTwoPhysicalLinks
+title: Ensure the two physical links of your ExpressRoute circuit are connected to
+ two distinct edge devices in your network.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: b258f058-b9f6-46cd-b28d-990106f0c3f8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-ZoneRedundantExpressrouteGatewayAzureRegions.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-ZoneRedundantExpressrouteGatewayAzureRegions.yaml
new file mode 100644
index 000000000..26e77f82d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/revcl-ZoneRedundantExpressrouteGatewayAzureRegions.yaml
@@ -0,0 +1,22 @@
+name: revcl-ZoneRedundantExpressrouteGatewayAzureRegions
+title: Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 2447ec66-138a-4720-8f1c-e16ed301d6e8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries:
+ arg: resources| where type == 'microsoft.network/virtualnetworkgateways'| where
+ properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend
+ SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType|
+ extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup,
+ Type, compliant
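Review bot: The `arg` query for this ExpressRoute-gateway reco also selects VPN gateways (`properties.gatewayType =~ 'vpn' or ...`), so every VPN gateway without an AZ SKU will be reported non-compliant against an ExpressRoute recommendation, and the two predicates mix case-insensitive `=~` with case-sensitive `==`. Restrict the filter to `| where properties.gatewayType =~ 'ExpressRoute'` and drop the VPN branch. Note also that `resourceTypes` lists `microsoft.network/expressroutecircuits` while the query emits `id` values of `microsoft.network/virtualnetworkgateways`; if the consumer joins results back by resource type this will not line up.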
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ActiveActiveExpressrouteConnectionsPremises.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ActiveActiveExpressrouteConnectionsPremises.yaml
new file mode 100644
index 000000000..85c8281a1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ActiveActiveExpressrouteConnectionsPremises.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ActiveActiveExpressrouteConnectionsPremises
+title: Configure Active-Active ExpressRoute connections between on-premises and Azure.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 7a87eeb7-44d2-409f-842f-fad32d9b01e1
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-BusinessRequirementsExpressrouteCircuit.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-BusinessRequirementsExpressrouteCircuit.yaml
new file mode 100644
index 000000000..08a61ad7e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-BusinessRequirementsExpressrouteCircuit.yaml
@@ -0,0 +1,15 @@
+name: wafsg-BusinessRequirementsExpressrouteCircuit
+title: Select between ExpressRoute circuit or ExpressRoute Direct for business requirements.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: c18e33dd-d764-42da-b855-cd050de2367a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-DifferentServiceProvidersOnePeeringLocations.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-DifferentServiceProvidersOnePeeringLocations.yaml
new file mode 100644
index 000000000..43ebe0d9e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-DifferentServiceProvidersOnePeeringLocations.yaml
@@ -0,0 +1,18 @@
+name: wafsg-DifferentServiceProvidersOnePeeringLocations
+title: Plan for geo-redundant circuits
+description: To plan for disaster recovery, set up ExpressRoute circuits in more than
+ one peering locations. You can create circuits in peering locations in the same
+ metro or different metro and choose to work with different service providers for
+ diverse paths through each circuit. For more information, see Designing for disaster
+ recovery and Designing for high availability.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 6807a566-19b0-4db5-a02e-af800136355e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteCircuitMaintenanceNotificationService.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteCircuitMaintenanceNotificationService.yaml
new file mode 100644
index 000000000..1b362a7a1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteCircuitMaintenanceNotificationService.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteCircuitMaintenanceNotificationService
+title: Configure service health to receive ExpressRoute circuit maintenance notification.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 41687924-ef94-411f-b71a-c8ec2543dbb7
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteDedicatedCircuitsActiveActiveConnectivity.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteDedicatedCircuitsActiveActiveConnectivity.yaml
new file mode 100644
index 000000000..fe4bc562b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteDedicatedCircuitsActiveActiveConnectivity.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExpressrouteDedicatedCircuitsActiveActiveConnectivity
+title: Plan for Active-Active connectivity
+description: ExpressRoute dedicated circuits guarantee `99.95%` availability when
+ an active-active connectivity is configured between on-premises and Azure. This
+ mode provides higher availability of your Expressroute connection. It's also recommended
+ to configure BFD for faster failover if there's a link failure on a connection.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: b145c875-e017-4b1e-af6a-e2c86150d5b9
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressroutePrivatePeeringSite.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressroutePrivatePeeringSite.yaml
new file mode 100644
index 000000000..166d2bb9a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressroutePrivatePeeringSite.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressroutePrivatePeeringSite
+title: Configure site-to-site VPN as a backup to ExpressRoute private peering.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: d8dbe205-0115-4fc8-8aaf-fff7d9382a5e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteVirtualNetworkGatewaysAvailabilityZone.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteVirtualNetworkGatewaysAvailabilityZone.yaml
new file mode 100644
index 000000000..956d40bd4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteVirtualNetworkGatewaysAvailabilityZone.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteVirtualNetworkGatewaysAvailabilityZone
+title: Set up availability zone aware ExpressRoute Virtual Network Gateways.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 51ac729d-25ff-4632-88e5-72df1106559d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteVirtualNetworkGatewaysDifferentRegions.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteVirtualNetworkGatewaysDifferentRegions.yaml
new file mode 100644
index 000000000..2ff2a4820
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-ExpressrouteVirtualNetworkGatewaysDifferentRegions.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteVirtualNetworkGatewaysDifferentRegions
+title: Configure ExpressRoute Virtual Network Gateways in different regions.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 2d31b435-8edb-46cb-a682-8190d7cfedf9
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-InitialPlanningPhasePrivateDedicatedConnection.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-InitialPlanningPhasePrivateDedicatedConnection.yaml
new file mode 100644
index 000000000..34c9f8be7
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-InitialPlanningPhasePrivateDedicatedConnection.yaml
@@ -0,0 +1,19 @@
+name: wafsg-InitialPlanningPhasePrivateDedicatedConnection
+title: Plan for ExpressRoute circuit or ExpressRoute Direct
+description: During the initial planning phase, you want to decide whether you want
+ to configure an ExpressRoute circuit or an ExpressRoute Direct connection. An ExpressRoute
+ circuit allows a private dedicated connection into Azure with the help of a connectivity
+ provider. ExpressRoute Direct allows you to extend on-premises network directly
+ into the Microsoft network at a peering location. You also need to identify the
+ bandwidth requirement and the SKU type requirement for your business needs.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 47e7f99c-d9da-440c-96f3-53c2d1b3578e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-PhysicalLayerDiversityDifferentServiceProvider.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-PhysicalLayerDiversityDifferentServiceProvider.yaml
new file mode 100644
index 000000000..756c280d3
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-PhysicalLayerDiversityDifferentServiceProvider.yaml
@@ -0,0 +1,17 @@
+name: wafsg-PhysicalLayerDiversityDifferentServiceProvider
+title: Physical layer diversity
+description: For better resiliency, plan to have multiple paths between the on-premises
+ edge and the peering locations (provider/Microsoft edge locations). This configuration
+ can be achieved by going through different service provider or through a different
+ location from the on-premises network.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 18491e10-13a3-4864-87e9-3e37cbf8625e
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-UnplannedMaintenanceExpressrouteCircuits.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-UnplannedMaintenanceExpressrouteCircuits.yaml
new file mode 100644
index 000000000..f0ce057c7
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-UnplannedMaintenanceExpressrouteCircuits.yaml
@@ -0,0 +1,16 @@
+name: wafsg-UnplannedMaintenanceExpressrouteCircuits
+title: Enable service health
+description: ExpressRoute uses service health to notify about planned and unplanned
+ maintenance. Configuring service health will notify you about changes made to your
+ ExpressRoute circuits.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 1c26f51d-9ce7-49c5-87e8-d45a56f9fa14
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-VirtualNetworkGatewayHealthVariousMetrics.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-VirtualNetworkGatewayHealthVariousMetrics.yaml
new file mode 100644
index 000000000..8a24f8a32
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-VirtualNetworkGatewayHealthVariousMetrics.yaml
@@ -0,0 +1,15 @@
+name: wafsg-VirtualNetworkGatewayHealthVariousMetrics
+title: Monitor circuits and gateway health
+description: Set up monitoring and alerts for ExpressRoute circuits and Virtual Network
+ Gateway health based on various metrics available.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: 1f311354-8e72-4308-ac18-29dd48ce58ad
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-VirtualNetworkGatewaysAvailabilityZone.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-VirtualNetworkGatewaysAvailabilityZone.yaml
new file mode 100644
index 000000000..7e2fd924f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Reliability/wafsg-VirtualNetworkGatewaysAvailabilityZone.yaml
@@ -0,0 +1,16 @@
+name: wafsg-VirtualNetworkGatewaysAvailabilityZone
+title: Planning for Virtual Network Gateways
+description: Create availability zone aware Virtual Network Gateway for higher resiliency
+ and plan for Virtual Network Gateways in different region for disaster recovery
+ and high availability.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Reliability
+severity: 1
+labels:
+ guid: a71ef0ea-30fd-4a34-b4ca-10a87d4db10a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-AzurePaasServicesExpressroutePrivatePeering.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-AzurePaasServicesExpressroutePrivatePeering.yaml
new file mode 100644
index 000000000..281686d06
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-AzurePaasServicesExpressroutePrivatePeering.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzurePaasServicesExpressroutePrivatePeering
+title: Access Azure PaaS services from on-premises via private endpoints and ExpressRoute
+ private peering. This method avoids transiting over the public internet.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: b3e4563a-4d87-4397-98b6-62d6d15f512a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/app-service/networking-features
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-AzureRouteServerVpnGateways.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-AzureRouteServerVpnGateways.yaml
new file mode 100644
index 000000000..698de07f9
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-AzureRouteServerVpnGateways.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureRouteServerVpnGateways
+title: If you need transit between ExpressRoute and VPN gateways in hub and spoke
+ scenarios, use Azure Route Server.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 2
+labels:
+ guid: ce463dbb-bc8a-4c2a-aebc-92a43da1dae2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-DifferentExpressrouteCircuitsIsolatedRoutingDomains.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-DifferentExpressrouteCircuitsIsolatedRoutingDomains.yaml
new file mode 100644
index 000000000..4530c2c6a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-DifferentExpressrouteCircuitsIsolatedRoutingDomains.yaml
@@ -0,0 +1,19 @@
+name: revcl-DifferentExpressrouteCircuitsIsolatedRoutingDomains
+title: When traffic isolation or dedicated bandwidth is required, such as for separating
+ production and nonproduction environments, use different ExpressRoute circuits.
+ It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: 8042d88e-79d1-47b7-9b22-a5a67e7a8ed4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-ExpressrouteDirectLayerTwoLevel.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-ExpressrouteDirectLayerTwoLevel.yaml
new file mode 100644
index 000000000..a158e178f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-ExpressrouteDirectLayerTwoLevel.yaml
@@ -0,0 +1,17 @@
+name: revcl-ExpressrouteDirectLayerTwoLevel
+title: When you're using ExpressRoute Direct, configure MACsec in order to encrypt
+ traffic at the layer-two level between the organization's routers and MSEE. The
+ diagram shows this encryption in flow.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: de0d5973-cd4c-4d21-a088-137f5e6c4cfd
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-ExpressroutePrivatePeeringExpressrouteDirect.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-ExpressroutePrivatePeeringExpressrouteDirect.yaml
new file mode 100644
index 000000000..68c23b15d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-ExpressroutePrivatePeeringExpressrouteDirect.yaml
@@ -0,0 +1,19 @@
+name: revcl-ExpressroutePrivatePeeringExpressrouteDirect
+title: For scenarios where MACsec isn't an option (for example, not using ExpressRoute
+ Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private
+ peering.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 2
+labels:
+ guid: ed301d6e-872e-452e-9611-cc58b5a4b151
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/implement-network-security/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-GatewaySubnets.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-GatewaySubnets.yaml
new file mode 100644
index 000000000..17b93bdbb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-GatewaySubnets.yaml
@@ -0,0 +1,20 @@
+name: revcl-GatewaySubnets
+title: Use at least a /27 prefix for your Gateway subnets
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 0
+labels:
+ guid: f2aad7e3-bb03-4adc-8606-4123d342a917
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway
+queries:
+ arg: resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets
+ | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix
+ | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName ==
+ 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id,
+ compliant
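Review bot: The compliance test in `queries.arg` compares a string with a number: `split(subnetPrefix, '/')[1]` is a dynamic string, so `subnetPrefixLength <= 27` is not a numeric comparison and may evaluate to null/false for every row instead of flagging prefixes longer than /27. Casting first, `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`, makes the `<= 27` check match the "at least a /27" intent of the title. Note also that the query projects virtual-network ids while `resourceTypes` lists `microsoft.network/expressroutecircuits`, so the compliant/non-compliant rows will not line up with circuit resources; that may be deliberate since the GatewaySubnet lives in the VNet, but it is worth confirming against how the checker joins query results to resources.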
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-OverlappingIpAddressSpacesAzureRegions.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-OverlappingIpAddressSpacesAzureRegions.yaml
new file mode 100644
index 000000000..05ca948a3
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/revcl-OverlappingIpAddressSpacesAzureRegions.yaml
@@ -0,0 +1,18 @@
+name: revcl-OverlappingIpAddressSpacesAzureRegions
+title: Ensure no overlapping IP address spaces across Azure regions and on-premises
+ locations are used
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 0
+labels:
+ guid: 558fd772-49b8-4211-82df-27ee412e7f98
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-network-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ActivityLogLogs.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ActivityLogLogs.yaml
new file mode 100644
index 000000000..78ef350a7
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ActivityLogLogs.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ActivityLogLogs
+title: Configure Activity log to send logs to archive.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: dbcfcfa3-dcb3-43f7-8e98-a9d6d44ab3ae
+links: []
+queries: {}
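Review bot: This file and `wafsg-ActivityLogSubscriptionLevel` (next hunk) carry the same guidance twice with different guids, once ingested from `well-architected/service-guides/azure-expressroute.md` and once from `./checklists-ext/wafsg_checklist.en.json`. The same pairing recurs in this directory for `wafsg-AdministrativeAccountsExpressrouteResources`/`wafsg-MaintainInventoryAdministrativeAccounts`, `wafsg-ExpressrouteDirectResourcesMacsec`/`wafsg-MediaAccessControlSecurityDataLinkLayer`, `wafsg-MdHashExpressrouteCircuit`/`wafsg-MdHashExpressrouteCircuit-1` and `wafsg-VirtualNetworkTrafficPrivatePeering`/`wafsg-AzureVirtualNetworkPremisesNetwork`; the `-1` suffix shows the name collision was detected but both copies were kept. Unless the checker deduplicates by guid or title, each pair will be counted twice in the Security pillar and skew compliance percentages. Keeping the checklist-json copy (which carries a `description`) and recording the other guid under `labels` would preserve traceability without the double count.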
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ActivityLogSubscriptionLevel.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ActivityLogSubscriptionLevel.yaml
new file mode 100644
index 000000000..ac8be7b73
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ActivityLogSubscriptionLevel.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ActivityLogSubscriptionLevel
+title: Configure Activity log to send logs to archive
+description: Activity logs provide insights into operations that were performed at
+ the subscription level for ExpressRoute resources. With Activity logs, you can determine
+ who and when an operation was performed at the control plane. Data retention is
+ only 90 days and required to be stored in Log Analytics, Event Hubs or a storage
+ account for archive.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: b893441c-5f7c-44fe-bfa2-457af4ae1cb8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-AdministrativeAccountsExpressrouteResources.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-AdministrativeAccountsExpressrouteResources.yaml
new file mode 100644
index 000000000..0250d8e97
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-AdministrativeAccountsExpressrouteResources.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AdministrativeAccountsExpressrouteResources
+title: Maintain an inventory of administrative accounts with access to ExpressRoute
+ resources.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: fd7f29a7-ae31-4983-8510-e219a25cfdfc
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-AzureVirtualNetworkPremisesNetwork.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-AzureVirtualNetworkPremisesNetwork.yaml
new file mode 100644
index 000000000..5bf38ddfd
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-AzureVirtualNetworkPremisesNetwork.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureVirtualNetworkPremisesNetwork
+title: Encrypt traffic using IPsec
+description: Configure a Site-to-site VPN tunnel over your ExpressRoute circuit to
+ encrypt data transferring between your on-premises network and Azure virtual network.
+ You can configure a tunnel using private peering or using Microsoft peering.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: a7cb83ea-dfc8-49eb-9c03-a57fbcd3a0ef
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ExpressrouteDirectResourcesMacsec.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ExpressrouteDirectResourcesMacsec.yaml
new file mode 100644
index 000000000..83d6ae53b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-ExpressrouteDirectResourcesMacsec.yaml
@@ -0,0 +1,15 @@
+name: wafsg-ExpressrouteDirectResourcesMacsec
+title: Configure MACSec for ExpressRoute Direct resources.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: e09a0328-3f6e-4ab5-9856-581a76090453
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MaintainInventoryAdministrativeAccounts.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MaintainInventoryAdministrativeAccounts.yaml
new file mode 100644
index 000000000..1df4d1ab1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MaintainInventoryAdministrativeAccounts.yaml
@@ -0,0 +1,15 @@
+name: wafsg-MaintainInventoryAdministrativeAccounts
+title: Maintain inventory of administrative accounts
+description: Use Azure RBAC to configure roles to limit user accounts that can add,
+ update, or delete peering configuration on an ExpressRoute circuit.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: 44059f81-2473-4325-ad67-70df146e1f5d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MdHashExpressrouteCircuit-1.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MdHashExpressrouteCircuit-1.yaml
new file mode 100644
index 000000000..e8fc613ad
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MdHashExpressrouteCircuit-1.yaml
@@ -0,0 +1,15 @@
+name: wafsg-MdHashExpressrouteCircuit-1
+title: Configure MD5 hash on ExpressRoute circuit
+description: During configuration of private peering or Microsoft peering, apply an
+ MD5 hash to secure messages between the on-premises route and the MSEE routers.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: 0d7a206c-e977-4c39-9379-766f5f20365b
+links: []
+queries: {}
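Review bot: The `description` is easy to misread as endorsing MD5 for data protection; what ExpressRoute peering configures here is the optional BGP session authentication shared key (TCP MD5 signature), which authenticates the routing session between the customer edge and MSEE and does not encrypt traffic. Since the text is ingested verbatim from `./checklists-ext/wafsg_checklist.en.json`, a one-line clarification such as "This authenticates the BGP session only; use MACsec or IPsec for traffic encryption" belongs in that source rather than in the generated file.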
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MdHashExpressrouteCircuit.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MdHashExpressrouteCircuit.yaml
new file mode 100644
index 000000000..d81b13b1e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MdHashExpressrouteCircuit.yaml
@@ -0,0 +1,15 @@
+name: wafsg-MdHashExpressrouteCircuit
+title: Configure MD5 hash on ExpressRoute circuit.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: 5f06f160-46b8-48b3-ab94-89da0ff37c56
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MediaAccessControlSecurityDataLinkLayer.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MediaAccessControlSecurityDataLinkLayer.yaml
new file mode 100644
index 000000000..87b989c73
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-MediaAccessControlSecurityDataLinkLayer.yaml
@@ -0,0 +1,18 @@
+name: wafsg-MediaAccessControlSecurityDataLinkLayer
+title: Configure MACSec for ExpressRoute Direct resources
+description: Media Access Control security is a point-to-point security at the data
+ link layer. ExpressRoute Direct supports configuring MACSec to prevent security
+ threats to protocols such as ARP, DHCP, LACP not normally secured on the Ethernet
+ link. For more information on how to configure MACSec, see MACSec for ExpressRoute
+ Direct ports.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: 02e71cb8-379a-45ef-8daa-e4bfa3fa7237
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-VirtualNetworkTrafficPrivatePeering.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-VirtualNetworkTrafficPrivatePeering.yaml
new file mode 100644
index 000000000..f98423c6e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/Security/wafsg-VirtualNetworkTrafficPrivatePeering.yaml
@@ -0,0 +1,16 @@
+name: wafsg-VirtualNetworkTrafficPrivatePeering
+title: Encrypt traffic over private peering and Microsoft peering for virtual network
+ traffic.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-expressroute.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/expressroutecircuits
+waf: Security
+severity: 1
+labels:
+ guid: 960e86aa-d918-4a37-917a-eab33a2a98fa
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-AzureCriticalWorkloadsDifferentPeeringLocations.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-AzureCriticalWorkloadsDifferentPeeringLocations.yaml
new file mode 100644
index 000000000..43a56f812
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-AzureCriticalWorkloadsDifferentPeeringLocations.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureCriticalWorkloadsDifferentPeeringLocations
+title: Connect on-prem networks to Azure critical workloads via multiple ExpressRoutes
+description: |-
+ Connecting each ExpressRoute Gateway to a minimum of two circuits in different peering locations enhances redundancy and reliability by ensuring alternate pathways for data in case one circuit fails.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 0
+labels:
+ guid: 4d703025-dafc-f840-a183-5dc440456134
+ area: High Availability
+links: []
+queries:
+ arg: |-
+ // under-development
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-AzureMonitorBaselineAlertsExpressrouteCircuitAvailability.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-AzureMonitorBaselineAlertsExpressrouteCircuitAvailability.yaml
new file mode 100644
index 000000000..af554d361
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-AzureMonitorBaselineAlertsExpressrouteCircuitAvailability.yaml
@@ -0,0 +1,18 @@
+name: aprl-AzureMonitorBaselineAlertsExpressrouteCircuitAvailability
+title: Configure monitoring and alerting for ExpressRoute circuits
+description: |-
+ Use Network Insights for monitoring ExpressRoute circuit availability, QoS, and throughput. Set alerts based on Azure Monitor Baseline Alerts for availability, QoS metrics, and throughput metrics exceeding specific thresholds.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 0
+labels:
+ guid: 9771a435-d031-814e-9827-9b5fdafc0f87
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-DistinctNetworkEdgeDevicesExpressroutePeeringLocation.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-DistinctNetworkEdgeDevicesExpressroutePeeringLocation.yaml
new file mode 100644
index 000000000..db830f598
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-DistinctNetworkEdgeDevicesExpressroutePeeringLocation.yaml
@@ -0,0 +1,18 @@
+name: aprl-DistinctNetworkEdgeDevicesExpressroutePeeringLocation
+title: Ensure ExpressRoute's physical links connect to distinct network edge devices
+description: |-
+ Microsoft or the ExpressRoute provider always ensures physical redundancy in their services. It's essential to maintain this level of physical redundancy (two devices, two links) from the ExpressRoute peering location to your network for optimal performance and reliability.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 0
+labels:
+ guid: 0e19cc41-8274-1342-b0db-0e4146eacef8
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteCircuitActiveMode.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteCircuitActiveMode.yaml
new file mode 100644
index 000000000..f4ad8cafb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteCircuitActiveMode.yaml
@@ -0,0 +1,19 @@
+name: aprl-ExpressrouteCircuitActiveMode
+title: Ensure both connections of an ExpressRoute circuit are configured in active-active
+ mode
+description: |-
+ Operating both connections of an ExpressRoute circuit in active-active mode enhances high availability as the Microsoft network will load balance the traffic across the connections on a per-flow basis.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 0
+labels:
+ guid: f06a2bbe-5839-d447-9f39-fc3d20562d88
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteCircuitMaintenanceNotificationUnplannedMaintenance.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteCircuitMaintenanceNotificationUnplannedMaintenance.yaml
new file mode 100644
index 000000000..a129859dc
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteCircuitMaintenanceNotificationUnplannedMaintenance.yaml
@@ -0,0 +1,18 @@
+name: aprl-ExpressrouteCircuitMaintenanceNotificationUnplannedMaintenance
+title: Configure service health to receive ExpressRoute circuit maintenance notification
+description: |-
+ ExpressRoute leverages service health for notifications on both planned and unplanned maintenance, ensuring users are informed about any changes to their ExpressRoute circuits.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 0
+labels:
+ guid: 26cb547f-aabc-dc40-be02-d0a9b6b04b1a
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteDirectCircuitsNetworkFlow.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteDirectCircuitsNetworkFlow.yaml
new file mode 100644
index 000000000..038816ef3
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-ExpressrouteDirectCircuitsNetworkFlow.yaml
@@ -0,0 +1,25 @@
+name: aprl-ExpressrouteDirectCircuitsNetworkFlow
+title: Implement rate-limiting across ExpressRoute Direct Circuits to optimize network
+ flow
+description: |-
+ Rate limiting controls traffic volume between on-premises networks and Azure via ExpressRoute Direct, applying to private or Microsoft peering. It distributes port bandwidth, ensures stability, and prevents congestion, with steps outlined for enabling on circuits.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 1
+labels:
+ guid: d40c769d-2f08-4980-8d8f-a386946276e6
+ area: Scalability
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // This query will return all the ExpressRoute circuits (Direct Based) that have Direct Port Rate Limiting disabled
+ resources
+ | where type =~ "microsoft.network/expressroutecircuits"
+ | where properties.expressRoutePort != "" or isnotnull(properties.expressRoutePort)
+ | where properties.enableDirectPortRateLimit == false
+ | project recommendationId = "d40c769d-2f08-4980-8d8f-a386946276e6", name, id, tags, param1=strcat("enableDirectPortRateLimit: ",properties.enableDirectPortRateLimit)
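Review bot: The guard `| where properties.expressRoutePort != "" or isnotnull(properties.expressRoutePort)` does not express "circuit has an ExpressRoute Direct port": an explicitly empty value satisfies `isnotnull`, so such a circuit would pass the filter and be reported as non-compliant although provider-based circuits cannot enable direct-port rate limiting. In practice provider circuits probably omit the property altogether (null fails both terms), so the impact is likely nil, but `| where isnotempty(properties.expressRoutePort)` states the condition correctly and is easier to audit. Because the query text is pulled verbatim from the APRL file named in `source.file`, the correction presumably belongs upstream so it is not overwritten on the next import.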
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-PartnerEdgeRoutingDevicesBidirectionalForwardingDetection.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-PartnerEdgeRoutingDevicesBidirectionalForwardingDetection.yaml
new file mode 100644
index 000000000..b31b5ff21
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-PartnerEdgeRoutingDevicesBidirectionalForwardingDetection.yaml
@@ -0,0 +1,18 @@
+name: aprl-PartnerEdgeRoutingDevicesBidirectionalForwardingDetection
+title: Activate Bidirectional Forwarding Detection on edge devices for faster failover
+description: |-
+ Enabling BFD over ExpressRoute speeds up link failure detection between MSEE devices and routers configured for ExpressRoute (CE/PE), applicable over both customer and Partner Edge routing devices with managed Layer 3 service.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 0
+labels:
+ guid: 2a5bf650-586d-db4c-a292-d922be7d3e0e
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-SingleExpressrouteCircuitInterimBackupSolution.yaml b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-SingleExpressrouteCircuitInterimBackupSolution.yaml
new file mode 100644
index 000000000..9ad8f6e31
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-expressRouteCircuits/aprl-SingleExpressrouteCircuitInterimBackupSolution.yaml
@@ -0,0 +1,19 @@
+name: aprl-SingleExpressrouteCircuitInterimBackupSolution
+title: Use a site-to-site VPN as an interim backup solution for a single ExpressRoute
+ circuit
+description: |-
+ If you haven't added a second ExpressRoute circuit, use a site-to-site VPN as a temporary solution until the second circuit is available. This ensures network reliability and continuity of service.
+source:
+ type: aprl
+ file: azure-resources/Network/expressRouteCircuits/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/expressRouteCircuits
+severity: 1
+labels:
+ guid: f902cf86-2b53-2942-abc2-781f4fb62be6
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/revcl-DefaultHomepageinApplicationSettings.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/revcl-DefaultHomepageinApplicationSettings.yaml
new file mode 100644
index 000000000..29018f580
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/revcl-DefaultHomepageinApplicationSettings.yaml
@@ -0,0 +1,17 @@
+name: revcl-DefaultHomepageinApplicationSettings
+title: Frontdoor - Turn off the default homepageIn the application settings of your
+ App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content)
+ to the PoP so only header data is returned.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 3da1dae2-cc88-4147-8607-c1cca0e61465
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment
+queries: {}
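Review bot: The `links` entry points at Azure Monitor log-design guidance, which has no bearing on disabling the Functions default home page described in `title`; the neighbouring `revcl-MinimalContentFunctionProxy` hunk likewise links to a monitoring setup guide. This looks like a column shift in the source checklist rather than a generator bug, but a reviewer following the link gets no help with the actual recommendation. The `title` also concatenates two sentences (`homepageIn the application settings`), which suggests the source text lost a separator; both are worth correcting in `./checklists/waf_checklist.en.json` before regenerating.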
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/revcl-MinimalContentFunctionProxy.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/revcl-MinimalContentFunctionProxy.yaml
new file mode 100644
index 000000000..d7619ef6b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/revcl-MinimalContentFunctionProxy.yaml
@@ -0,0 +1,18 @@
+name: revcl-MinimalContentFunctionProxy
+title: Frontdoor - Route to something that returns nothing. Either set up a Function,
+ Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no
+ or minimal content. The advantage of this is you will be able to log out when it
+ is called.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 8dd458e9-2713-49b8-8110-2dbd6eaf11e6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorIncomingRequests.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorIncomingRequests.yaml
new file mode 100644
index 000000000..1b2277ff6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorIncomingRequests.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureFrontDoorIncomingRequests
+title: Optimize incoming requests. Azure Front Door bills the incoming requests. You
+ can set restrictions in your design configuration.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 871b4651-734d-40f4-b8a5-1705fa30dbe3
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorInstanceDataTransferCosts.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorInstanceDataTransferCosts.yaml
new file mode 100644
index 000000000..76a25e40b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorInstanceDataTransferCosts.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFrontDoorInstanceDataTransferCosts
+title: Use caching for endpoints that support it.
+description: Caching optimizes data transfer costs because it reduces the number of
+ calls from your Azure Front Door instance to the origin.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: fc470281-721e-40db-9289-ad73b03159d7
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorOriginGroupSingleBackEndPools.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorOriginGroupSingleBackEndPools.yaml
new file mode 100644
index 000000000..1165034d4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorOriginGroupSingleBackEndPools.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureFrontDoorOriginGroupSingleBackEndPools
+title: Disable health checks in single back-end pools.If you have only one origin
+ configured in your Azure Front Door origin group, these calls are unnecessary.
+description: You can save on bandwidth costs by disabling requests that aren't required
+ to make routing decisions.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: f397a438-b320-46f8-a41a-f94545db3412
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorReportsDataTransfer.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorReportsDataTransfer.yaml
new file mode 100644
index 000000000..c61098e91
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorReportsDataTransfer.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFrontDoorReportsDataTransfer
+title: Consider bandwidth costs. The bandwidth costs of Azure Front Door depend on
+ the tier that you choose and the type of data transfer. Azure Front Door provides
+ built-in reports for billable metrics. To assess your costs related to bandwidth
+ and where you can focus your optimization efforts, see Azure Front Door reports.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 3db5b1f9-57ec-44a6-adec-4f7cef47e63c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorRoutingMethod.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorRoutingMethod.yaml
new file mode 100644
index 000000000..8b963af27
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorRoutingMethod.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFrontDoorRoutingMethod
+title: Use resources efficiently. Azure Front Door uses a routing method that helps
+ with resource optimization. Unless the workload is extremely latency sensitive,
+ distribute traffic evenly across all environments to effectively use deployed resources.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: d16d79fc-3c0c-4da4-9cfe-8a6b97d7259d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorTiersRealisticCosts.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorTiersRealisticCosts.yaml
new file mode 100644
index 000000000..5d3b5a785
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-AzureFrontDoorTiersRealisticCosts.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFrontDoorTiersRealisticCosts
+title: Review Azure Front Door tiers and pricing. Use the pricing calculator to estimate
+ the realistic costs for each tier. Compare the features and suitability of each
+ tier for your scenario. For instance, only the Premium tier supports connecting
+ to your origin via Private Link.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 5ecb8da9-9b18-4f39-a69e-c69eb2513b4b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-BandwidthConsumptionFileCompression.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-BandwidthConsumptionFileCompression.yaml
new file mode 100644
index 000000000..1f2f390be
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-BandwidthConsumptionFileCompression.yaml
@@ -0,0 +1,15 @@
+name: wafsg-BandwidthConsumptionFileCompression
+title: Consider enabling file compression. For this configuration, the application
+ must support compression and caching must be enabled.
+description: Compression reduces bandwidth consumption and improves performance.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 638db3b0-f9b3-49b8-86f1-11621086b10f
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-HighAvailabilityRequirementsCentralizedServices.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-HighAvailabilityRequirementsCentralizedServices.yaml
new file mode 100644
index 000000000..c790aec4d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-HighAvailabilityRequirementsCentralizedServices.yaml
@@ -0,0 +1,18 @@
+name: wafsg-HighAvailabilityRequirementsCentralizedServices
+title: Consider using a shared instance that's provided by the organization. Costs
+ incurred from centralized services are shared between the workloads. However, consider
+ the tradeoff with reliability. For mission-critical applications that have high
+ availability requirements, we recommend an autonomous instance.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 78f09072-d08f-430c-9d24-6d3b938ecd14
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-LongPeriodLoggingData.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-LongPeriodLoggingData.yaml
new file mode 100644
index 000000000..2eacd935c
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Cost/wafsg-LongPeriodLoggingData.yaml
@@ -0,0 +1,17 @@
+name: wafsg-LongPeriodLoggingData
+title: Pay attention to the amount of data logged. Costs related to both bandwidth
+ and storage can accrue if certain requests aren't necessary or if logging data is
+ retained for a long period of time.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Cost
+severity: 1
+labels:
+ guid: 1069bc46-68c3-46dd-80d0-700866521165
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafConfigurationNewRuleSetVersion.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafConfigurationNewRuleSetVersion.yaml
new file mode 100644
index 000000000..d4f334a1e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafConfigurationNewRuleSetVersion.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureFrontDoorWafConfigurationNewRuleSetVersion
+title: Define your Azure Front Door WAF configuration as code. By using code, you
+ can more easily adopt new rule set version and gain additional protection.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 189ea962-3969-4863-8f5a-5ad808c2cf4b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code
+queries: {}
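Review bot: This `revcl` file omits the `description` key entirely, whereas every `wafsg` file in the set writes `description: ''` even when there is no text; the other `revcl-*` files in this change (WafLogsDiagnosticSettings, WafLogsMicrosoftSentinel, CustomerManagedTlsCertificatesAzureFrontDoor, ManagedTlsCertificatesAzureFrontDoor, AzureFrontDoorOriginGroupOneOrigin, HeadHealthProbesAzureFrontDoor, GoodHealthProbeEndpointsAzureFrontDoor) follow the same pattern. A consumer that indexes `reco['description']` will fail on the former and succeed on the latter, so the two source types do not share one schema. Emit `description: ''` for revcl entries as well (or drop the empty key everywhere) so the files are uniform regardless of `source.type`.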
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafLogsDiagnosticSettings.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafLogsDiagnosticSettings.yaml
new file mode 100644
index 000000000..5df784f76
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafLogsDiagnosticSettings.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFrontDoorWafLogsDiagnosticSettings
+title: Add diagnostic settings to save your Azure Front Door WAF logs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 4cea4050-7946-4a7c-89e6-b021b73c352d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafLogsMicrosoftSentinel.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafLogsMicrosoftSentinel.yaml
new file mode 100644
index 000000000..024a234f9
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-AzureFrontDoorWafLogsMicrosoftSentinel.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFrontDoorWafLogsMicrosoftSentinel
+title: Send Azure Front Door WAF logs to Microsoft Sentinel.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 845f5f91-9c21-4674-a725-5ce890850e20
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-CustomerManagedTlsCertificatesAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-CustomerManagedTlsCertificatesAzureFrontDoor.yaml
new file mode 100644
index 000000000..2e2326ab5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-CustomerManagedTlsCertificatesAzureFrontDoor.yaml
@@ -0,0 +1,17 @@
+name: revcl-CustomerManagedTlsCertificatesAzureFrontDoor
+title: If you use customer-managed TLS certificates with Azure Front Door, use the
+ 'Latest' certificate version. Reduce the risk of outages caused by manual certificate
+ renewal
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: f00a69de-7076-4734-a734-6e4552cad9e1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-ManagedTlsCertificatesAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-ManagedTlsCertificatesAzureFrontDoor.yaml
new file mode 100644
index 000000000..13f440f65
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/revcl-ManagedTlsCertificatesAzureFrontDoor.yaml
@@ -0,0 +1,20 @@
+name: revcl-ManagedTlsCertificatesAzureFrontDoor
+title: Use managed TLS certificates with Azure Front Door. Reduce operational cost
+ and risk of outages due to certificate renewals.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 0
+labels:
+ guid: af95c92d-d723-4f4a-98d7-8722324efd4d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates
+queries:
+ arg: cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend
+ frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant
+ = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType'])
+ =~ 'customercertificate') | project compliant, id = frontDoorId
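Review bot: The `arg` query's compliance test looks inverted relative to the recommendation: the title asks for managed TLS certificates, yet `compliant` evaluates true when `certificateType` is `customercertificate` (or null), so custom domains using a customer-supplied certificate would be reported as compliant and managed-certificate domains as non-compliant. If the `certificateType` value for customer-supplied certificates is indeed `CustomerCertificate`, the condition should read `tolower(properties['tlsSettings']['certificateType']) != 'customercertificate'`; since `=~` is already case-insensitive, the `tolower` is redundant either way. This query is presumably copied verbatim from `./checklists/waf_checklist.en.json`, so verify the source entry there and fix it upstream rather than only in this generated file.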
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorConfigurationCriticalOperationalIssues.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorConfigurationCriticalOperationalIssues.yaml
new file mode 100644
index 000000000..2f56eff2f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorConfigurationCriticalOperationalIssues.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFrontDoorConfigurationCriticalOperationalIssues
+title: Capture logs and metrics. Include resource activity logs, access logs, health
+ probe logs, and WAF logs. Set up alerts.
+description: Monitoring ingress flow is a crucial part of monitoring an application.
+ You want to track requests and make performance and security improvements. You need
+ data to debug your Azure Front Door configuration. With alerts in place, you can
+ get instant notifications of any critical operational issues.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 90aa5326-da06-4070-bcb0-26d31648029a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorForwardCompatibility.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorForwardCompatibility.yaml
new file mode 100644
index 000000000..b975dbede
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorForwardCompatibility.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFrontDoorForwardCompatibility
+title: Use HTTP to HTTPS redirection to support forward compatibility.
+description: When redirection is enabled, Azure Front Door automatically redirects
+ clients that are using older protocol to use HTTPS for a secure experience.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 1e9aecf0-747c-47c6-936e-a0c404ae8e21
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorManagedTlsCertificates.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorManagedTlsCertificates.yaml
new file mode 100644
index 000000000..a938a3e89
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorManagedTlsCertificates.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureFrontDoorManagedTlsCertificates
+title: Use managed TLS certificates when possible.
+description: Azure Front Door can issue and manage certificates for you. This feature
+ eliminates the need for certificate renewals and minimizes the risk of an outage
+ due to an invalid or expired TLS certificate.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 544fffff-4bcd-4d30-851d-05b7bc2cdb91
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorProfileAnalyticsReports.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorProfileAnalyticsReports.yaml
new file mode 100644
index 000000000..8260df02a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorProfileAnalyticsReports.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFrontDoorProfileAnalyticsReports
+title: Review the built-in analytics reports.
+description: A holistic view of your Azure Front Door profile helps drive improvements
+ based on traffic and security reports through WAF metrics.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: bf371c38-103b-4467-953d-f6fc7746d599
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorRedirectionCapabilities.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorRedirectionCapabilities.yaml
new file mode 100644
index 000000000..675f765bd
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorRedirectionCapabilities.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFrontDoorRedirectionCapabilities
+title: Simplify configurations. Use Azure Front Door to easily manage configurations.
+ For example, suppose your architecture supports microservices. Azure Front Door
+ supports redirection capabilities, so you can use path-based redirection to target
+ individual services.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: bd0f5f64-5670-4d70-9e1e-a455f393824b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorRoutingMethodsWeightedLoadBalancingApproach.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorRoutingMethodsWeightedLoadBalancingApproach.yaml
new file mode 100644
index 000000000..42dd58ef4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureFrontDoorRoutingMethodsWeightedLoadBalancingApproach.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureFrontDoorRoutingMethodsWeightedLoadBalancingApproach
+title: Handle progressive exposure by using Azure Front Door routing methods. For
+ a weighted load balancing approach you can use a canary deployment to send a specific
+ percentage of traffic to a back end. This approach helps you test new features and
+ releases in a controlled environment before you roll them out.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 34d0c653-4565-4c84-b000-6226c6410dac
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureResourceManagerTemplatesAzureFrontDoorInstance.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureResourceManagerTemplatesAzureFrontDoorInstance.yaml
new file mode 100644
index 000000000..9318f3368
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-AzureResourceManagerTemplatesAzureFrontDoorInstance.yaml
@@ -0,0 +1,18 @@
+name: wafsg-AzureResourceManagerTemplatesAzureFrontDoorInstance
+title: Use infrastructure as code (IaC) technologies. Use IaC technologies like Bicep
+ and Azure Resource Manager templates to provision the Azure Front Door instance.
+ These declarative approaches provide consistency and straightforward maintenance.
+ For example, by using IaC technologies, you can easily adopt new ruleset versions.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 58485d89-afb9-4dd4-bc01-1c487bce0642
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-CertificateManagementOperationalBurden.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-CertificateManagementOperationalBurden.yaml
new file mode 100644
index 000000000..328b833d9
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-CertificateManagementOperationalBurden.yaml
@@ -0,0 +1,16 @@
+name: wafsg-CertificateManagementOperationalBurden
+title: Offload certificate management to Azure. Ease the operational burden associated
+ with certification rotation and renewals.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 29049b7b-7468-4852-895e-f33d1fb0c7fb
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-RelevantAzureFrontDoorLogsAzureFrontDoorOperationalData.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-RelevantAzureFrontDoorLogsAzureFrontDoorOperationalData.yaml
new file mode 100644
index 000000000..64cb5accb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-RelevantAzureFrontDoorLogsAzureFrontDoorOperationalData.yaml
@@ -0,0 +1,18 @@
+name: wafsg-RelevantAzureFrontDoorLogsAzureFrontDoorOperationalData
+title: Collect and analyze Azure Front Door operational data as part of your workload
+ monitoring. Capture relevant Azure Front Door logs and metrics with Azure Monitor
+ Logs. This data helps you troubleshoot, understand user behaviors, and optimize
+ operations.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: 46ce7fe1-829b-48d0-889f-cafd0e5cae28
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-WildcardTlsCertificatesConfiguration.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-WildcardTlsCertificatesConfiguration.yaml
new file mode 100644
index 000000000..d0cc87b5a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Operations/wafsg-WildcardTlsCertificatesConfiguration.yaml
@@ -0,0 +1,15 @@
+name: wafsg-WildcardTlsCertificatesConfiguration
+title: Use wildcard TLS certificates.
+description: You don't need to modify the configuration to add or specify each subdomain
+ separately.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Operations
+severity: 1
+labels:
+ guid: bf934891-a9a1-49f7-9036-ea7ba9630bdc
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/revcl-AzureFrontDoorOriginGroupOneOrigin.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/revcl-AzureFrontDoorOriginGroupOneOrigin.yaml
new file mode 100644
index 000000000..e56389b6e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/revcl-AzureFrontDoorOriginGroupOneOrigin.yaml
@@ -0,0 +1,24 @@
+name: revcl-AzureFrontDoorOriginGroupOneOrigin
+title: Disable health probes when there is only one origin in an Azure Front Door
+ origin group.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 2
+labels:
+ guid: 0b5a380c-4bfb-47bc-b1d7-dcfef363a61b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group
+queries:
+ arg: cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins'
+ | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend
+ originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources
+ | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName
+ = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on
+ $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId,
+ subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant
+ = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/revcl-HeadHealthProbesAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/revcl-HeadHealthProbesAzureFrontDoor.yaml
new file mode 100644
index 000000000..a7479f1f4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/revcl-HeadHealthProbesAzureFrontDoor.yaml
@@ -0,0 +1,20 @@
+name: revcl-HeadHealthProbesAzureFrontDoor
+title: Use HEAD health probes with Azure Front Door, to reduce the traffic that Front
+ Door sends to your application.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 2
+labels:
+ guid: a13f72f3-8f5c-4864-95e5-75bf37fbbeb1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes
+queries:
+ arg: cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend
+ frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant
+ = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType'])
+ == 'HEAD') | project compliant, id=frontDoorId
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorHealthProbes.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorHealthProbes.yaml
new file mode 100644
index 000000000..f967896ed
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorHealthProbes.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFrontDoorHealthProbes
+title: When you configure health probes in Azure Front Door, consider using `HEAD`
+ requests instead of `GET` requests. The health probe reads only the status code,
+ not the content.
+description: '`HEAD` requests let you query a state change without fetching its entire
+ content.'
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: a03377e9-9c4a-49dd-abbc-6b240286eb1d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorOptimalFormat.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorOptimalFormat.yaml
new file mode 100644
index 000000000..f0a6acb08
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorOptimalFormat.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFrontDoorOptimalFormat
+title: Use file compression when you're accessing downloadable content.
+description: Compression in Azure Front Door helps deliver content in the optimal
+ format, has a smaller payload, and delivers content to the users faster.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: 1c3bbe86-1c5f-491f-99c7-54f0603b943a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorReportsPerformanceData.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorReportsPerformanceData.yaml
new file mode 100644
index 000000000..1b73f692d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-AzureFrontDoorReportsPerformanceData.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFrontDoorReportsPerformanceData
+title: Analyze performance data by regularly reviewing Azure Front Door reports. These
+ reports provide insights into various metrics that serve as performance indicators
+ at the technology level.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: 83ea22a9-10c2-4d23-a022-05fc70bfc284
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-BestTrafficRoutingOptionSessionAffinityBasedRouting.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-BestTrafficRoutingOptionSessionAffinityBasedRouting.yaml
new file mode 100644
index 000000000..e39dc83f7
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-BestTrafficRoutingOptionSessionAffinityBasedRouting.yaml
@@ -0,0 +1,19 @@
+name: wafsg-BestTrafficRoutingOptionSessionAffinityBasedRouting
+title: Review the origin routing method. Azure Front Door provides various routing
+ methods, including latency-based, priority-based, weighted, and session affinity-based
+ routing, to the origin. These methods significantly affect your application's performance.
+ To learn more about the best traffic routing option for your scenario, see Traffic
+ routing methods to origin.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: c1024a4d-bcba-42d9-92a8-070c5de5abf4
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-DataTransfers.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-DataTransfers.yaml
new file mode 100644
index 000000000..03f9657fb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-DataTransfers.yaml
@@ -0,0 +1,15 @@
+name: wafsg-DataTransfers
+title: Optimize data transfers.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: b3216475-74fa-46b9-b5a3-f13fcbb7e718
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-ExpectedTrafficPatternsPlanCapacity.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-ExpectedTrafficPatternsPlanCapacity.yaml
new file mode 100644
index 000000000..080699781
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-ExpectedTrafficPatternsPlanCapacity.yaml
@@ -0,0 +1,17 @@
+name: wafsg-ExpectedTrafficPatternsPlanCapacity
+title: Plan capacity by analyzing your expected traffic patterns. Conduct thorough
+ testing to understand how your application performs under different loads. Consider
+ factors like simultaneous transactions, request rates, and data transfer.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: 231e1a74-b2af-4061-8703-c1bc0c84ad7c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-HealthProbesHealthInformation.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-HealthProbesHealthInformation.yaml
new file mode 100644
index 000000000..0eab6a516
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-HealthProbesHealthInformation.yaml
@@ -0,0 +1,17 @@
+name: wafsg-HealthProbesHealthInformation
+title: Optimize the use of health probes. Get health information from health probes
+ only when the state of the origins change. Strike a balance between monitoring accuracy
+ and minimizing unnecessary traffic.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: fa0e75e6-5669-406a-8155-44e8d40ae935
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-MultipleBackEndsSameBackEndServer.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-MultipleBackEndsSameBackEndServer.yaml
new file mode 100644
index 000000000..bc919b042
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-MultipleBackEndsSameBackEndServer.yaml
@@ -0,0 +1,20 @@
+name: wafsg-MultipleBackEndsSameBackEndServer
+title: Evaluate whether you should enable session affinity when requests from the
+ same user should be directed to the same back-end server. From a reliability perspective,
+ we don't recommend this approach. If you use this option, the application should
+ gracefully recover without disrupting user sessions. There's also a tradeoff on
+ load balancing because it restricts the flexibility of distributing traffic across
+ multiple back ends evenly.
+description: Optimize performance and maintain continuity for user sessions, especially
+ when applications rely on maintaining state information locally.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: c1acd7ab-028c-4f25-a0a9-840fe534fca7
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-NearestAzureFrontDoorEntryPointFasterUserExperience.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-NearestAzureFrontDoorEntryPointFasterUserExperience.yaml
new file mode 100644
index 000000000..843c6fca5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-NearestAzureFrontDoorEntryPointFasterUserExperience.yaml
@@ -0,0 +1,20 @@
+name: wafsg-NearestAzureFrontDoorEntryPointFasterUserExperience
+title: Review the location of origin servers. Your origin servers' location impacts
+ the responsiveness of your application. Origin servers should be closer to the users.
+ Azure Front Door ensures that users from a specific location access the nearest
+ Azure Front Door entry point. The performance benefits include faster user experience,
+ better use of latency-based routing by Azure Front Door, and minimized data transfer
+ time by using caching, which stores content closer to users.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: 95d67b4f-c19e-40d0-9a55-dba46c40eea8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-RobustContentDeliveryNetworkSolutionAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-RobustContentDeliveryNetworkSolutionAzureFrontDoor.yaml
new file mode 100644
index 000000000..01d4731e5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Performance/wafsg-RobustContentDeliveryNetworkSolutionAzureFrontDoor.yaml
@@ -0,0 +1,21 @@
+name: wafsg-RobustContentDeliveryNetworkSolutionAzureFrontDoor
+title: Enable caching. You can optimize query strings for caching. For purely static
+ content, ignore query strings to maximize your use of the cache. If your application
+ uses query strings, consider including them in the cache key. Including the query
+ strings in the cache key allows Azure Front Door to serve cached responses or other
+ responses, based on your configuration.
+description: Azure Front Door offers a robust content delivery network solution that
+ caches content at the edge of the network. Caching reduces the load on the back-end
+ servers and reduces data movement across the network, which helps offload bandwidth
+ usage.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Performance
+severity: 1
+labels:
+ guid: 6133804d-8e26-4b44-b0ac-9a94fc420227
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/revcl-GoodHealthProbeEndpointsAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/revcl-GoodHealthProbeEndpointsAzureFrontDoor.yaml
new file mode 100644
index 000000000..28eb29d94
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/revcl-GoodHealthProbeEndpointsAzureFrontDoor.yaml
@@ -0,0 +1,16 @@
+name: revcl-GoodHealthProbeEndpointsAzureFrontDoor
+title: Select good health probe endpoints for Azure Front Door. Consider building
+ health endpoints that check all of your application's dependencies.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 5567048e-e5d7-4206-9c55-b5ed45d2cc0c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AllowableLatencyRangeBestOriginResource.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AllowableLatencyRangeBestOriginResource.yaml
new file mode 100644
index 000000000..09ea7160f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AllowableLatencyRangeBestOriginResource.yaml
@@ -0,0 +1,21 @@
+name: wafsg-AllowableLatencyRangeBestOriginResource
+title: Choose a routing method that supports your deployment strategy. The weighted
+ method, which distributes traffic based on the configured weight coefficient, supports
+ active-active models. A priority-based value that configures the primary region
+ to receive all traffic and send traffic to the secondary region as a backup supports
+ active-passive models. Combine the preceding methods with latency so that the origin
+ with the lowest latency receives traffic.
+description: You can select the best origin resource by using a series of decision
+ steps and your design. The selected origin serves traffic within the allowable latency
+ range in the specified ratio of weights.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 2de15aa6-f607-4487-8972-2267a304f313
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorBackEnd.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorBackEnd.yaml
new file mode 100644
index 000000000..8503f417f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorBackEnd.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureFrontDoorBackEnd
+title: Set a timeout on forwarding requests to the back end. Adjust the timeout setting
+ according to your endpoints' needs. If you don't, Azure Front Door might close the
+ connection before the origin sends the response. You can also lower the default
+ timeout for Azure Front Door if all of your origins have a shorter timeout. For
+ more information, see Troubleshooting unresponsive requests.
+description: Timeouts help prevent performance issues and availability issues by terminating
+ requests that take longer than expected to complete.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: afb9a354-567a-4820-ae85-8eff0ad71f44
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorFundamentalDeploymentApproaches.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorFundamentalDeploymentApproaches.yaml
new file mode 100644
index 000000000..6552e9dd1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorFundamentalDeploymentApproaches.yaml
@@ -0,0 +1,22 @@
+name: wafsg-AzureFrontDoorFundamentalDeploymentApproaches
+title: Choose your deployment strategy. The fundamental deployment approaches are
+ active-active and active-passive. Active-active deployment means that multiple environments
+ or stamps that run the workload serve traffic. Active-passive deployment means that
+ only the primary region handles all traffic, but it fails over to the secondary
+ region when necessary. In a multiregion deployment, stamps run in different regions
+ for higher availability with a global load balancer, like Azure Front Door, that
+ distributes traffic. Therefore, it's important to configure the load balancer for
+ the appropriate deployment approach.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 1bc246b5-fba0-4047-bfaf-e5b677c6d003
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorHealthProbesHealthEndpointMonitoringPattern.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorHealthProbesHealthEndpointMonitoringPattern.yaml
new file mode 100644
index 000000000..ef43691ae
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorHealthProbesHealthEndpointMonitoringPattern.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureFrontDoorHealthProbesHealthEndpointMonitoringPattern
+title: Implement the health endpoint monitoring pattern. Your application should expose
+ health endpoints, which aggregate the state of the critical services and dependencies
+ that your application needs to serve requests. Azure Front Door health probes use
+ the endpoint to detect origin servers' health. For more information, see Health
+ Endpoint Monitoring pattern.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: c30bd721-eb70-4887-8b8a-ce38e47ec178
+links: []
+queries: {}
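Review bot: This recommendation duplicates wafsg-HealthMonitoringPatternImplementationAzureFrontDoor (same service guide, same advice, different guid), and the same pattern recurs with wafsg-OriginalHttpHostNameSameHostName / wafsg-MultipleCustomDomainNamesOriginalHttpHostName / revcl-SameDomainNameAzureFrontDoor and wafsg-WebApplicationFirewallRateLimitingRules / revcl-AzureFrontDoorWafLargeAmounts. The `source.file` values show the guide was ingested twice, once from `well-architected/service-guides/azure-front-door.md` (with `timestamp`, empty `description`) and once from `./checklists-ext/wafsg_checklist.en.json` (no `timestamp`, populated `description`), so consumers counting recommendations per resource type will count each of these twice. Either keep one ingestion path or dedupe by normalized title before writing the YAML; if both must stay, a label such as `duplicateOf: <guid-of-the-other-entry>` would at least let consumers collapse them. The `source` schema should also be consistent across both paths, i.e. either emit `timestamp` for the json-sourced entries as well or omit it everywhere.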
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorPremiumTierAzureFrontDoorEdge.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorPremiumTierAzureFrontDoorEdge.yaml
new file mode 100644
index 000000000..6fc7d9931
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-AzureFrontDoorPremiumTierAzureFrontDoorEdge.yaml
@@ -0,0 +1,19 @@
+name: wafsg-AzureFrontDoorPremiumTierAzureFrontDoorEdge
+title: Estimate the traffic pattern and volume. The number of requests from the client
+ to the Azure Front Door edge might influence your tier choice. If you need to support
+ a high volume of requests, consider the Azure Front Door Premium tier because performance
+ ultimately impacts availability. However, there's a cost tradeoff. These tiers are
+ described in Performance Efficiency.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: fd9f0940-7c31-4ed9-bd8c-5e927973c6c5
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-ContentDeliveryNetworkFunctionalityContentDeliveryNetworkFeature.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-ContentDeliveryNetworkFunctionalityContentDeliveryNetworkFeature.yaml
new file mode 100644
index 000000000..2c9445e67
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-ContentDeliveryNetworkFunctionalityContentDeliveryNetworkFeature.yaml
@@ -0,0 +1,18 @@
+name: wafsg-ContentDeliveryNetworkFunctionalityContentDeliveryNetworkFeature
+title: Take advantage of the built-in content delivery network functionality in Azure
+ Front Door. The content delivery network feature of Azure Front Door has hundreds
+ of edge locations and can help withstand distributed denial of service (DDoS) attacks.
+ These capabilities help improve reliability.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: ec18a3d4-61d5-4247-aa88-acbf11a339df
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-HealthMonitoringPatternImplementationAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-HealthMonitoringPatternImplementationAzureFrontDoor.yaml
new file mode 100644
index 000000000..cddaf50d1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-HealthMonitoringPatternImplementationAzureFrontDoor.yaml
@@ -0,0 +1,19 @@
+name: wafsg-HealthMonitoringPatternImplementationAzureFrontDoor
+title: Set up health probes on the origin. Configure Azure Front Door to conduct health
+ checks to determine if the back-end instance is available and ready to continue
+ receiving requests.
+description: Enabled health probes are part of the health monitoring pattern implementation.
+ Health probes make sure that Azure Front Door only routes traffic to instances that
+ are healthy enough to handle requests. For more information, see Best practices
+ on health probes.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 803e063d-1267-43c9-9878-54b1f3bb33b1
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-HighReliabilityRequirementsSessionAffinity.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-HighReliabilityRequirementsSessionAffinity.yaml
new file mode 100644
index 000000000..b50731a1d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-HighReliabilityRequirementsSessionAffinity.yaml
@@ -0,0 +1,17 @@
+name: wafsg-HighReliabilityRequirementsSessionAffinity
+title: Decide if your application requires session affinity. If you have high reliability
+ requirements, we recommend that you disable session affinity.
+description: With session affinity, user connections stay on the same origin during
+ the user session. If that origin becomes unavailable, the user experience might
+ be disrupted.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 702c37d1-ddfb-40fc-9ea0-58643a2e61b6
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-MultipleCustomDomainNamesOriginalHttpHostName.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-MultipleCustomDomainNamesOriginalHttpHostName.yaml
new file mode 100644
index 000000000..56c3456b1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-MultipleCustomDomainNamesOriginalHttpHostName.yaml
@@ -0,0 +1,19 @@
+name: wafsg-MultipleCustomDomainNamesOriginalHttpHostName
+title: Use the same host name on Azure Front Door and your origin. Azure Front Door
+ can rewrite the host header of incoming requests, which is useful when you have
+ multiple custom domain names that route to one origin. However, rewriting the host
+ header might cause issues with request cookies and URL redirection.
+description: Set the same host name to prevent malfunction with session affinity,
+ authentication, and authorization. For more information, see Preserve the original
+ HTTP host name between a reverse proxy and its back-end web application.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: afa6253b-fffa-487f-a9b9-911e9821afef
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-OriginalHttpHostNameSameHostName.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-OriginalHttpHostNameSameHostName.yaml
new file mode 100644
index 000000000..57eed267e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-OriginalHttpHostNameSameHostName.yaml
@@ -0,0 +1,17 @@
+name: wafsg-OriginalHttpHostNameSameHostName
+title: Use the same host name on Azure Front Door and origin servers. To ensure that
+ cookies or redirect URLs work properly, preserve the original HTTP host name when
+ you use a reverse proxy, like a load balancer, in front of a web application.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 70c56b7a-a811-4c35-9fe0-939d9e866854
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-OtherBackEndOriginsBackEndPools.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-OtherBackEndOriginsBackEndPools.yaml
new file mode 100644
index 000000000..faf0422fd
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-OtherBackEndOriginsBackEndPools.yaml
@@ -0,0 +1,19 @@
+name: wafsg-OtherBackEndOriginsBackEndPools
+title: Support redundancy by having multiple origins in one or more back-end pools.
+ Always have redundant instances of your application and make sure each instance
+ exposes an endpoint or origin. You can place those origins in one or more back-end
+ pools.
+description: Multiple origins support redundancy by distributing traffic across multiple
+ instances of the application. If one instance is unavailable, then other back-end
+ origins can still receive traffic.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: d5494be7-6a79-4d3f-bf44-ebe88788cd95
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-RedundantTrafficManagementOptionAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-RedundantTrafficManagementOptionAzureFrontDoor.yaml
new file mode 100644
index 000000000..27c4d8493
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-RedundantTrafficManagementOptionAzureFrontDoor.yaml
@@ -0,0 +1,18 @@
+name: wafsg-RedundantTrafficManagementOptionAzureFrontDoor
+title: Consider a redundant traffic management option. Azure Front Door is a globally
+ distributed service that runs as a singleton in an environment. Azure Front Door
+ is a potential single point of failure in the system. If the service fails, then
+ clients can't access your application during the downtime.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 5a88863f-43e9-48c7-8346-cf797fa4e4fa
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-WebApplicationFirewallRateLimitingRules.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-WebApplicationFirewallRateLimitingRules.yaml
new file mode 100644
index 000000000..9c253f15d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Reliability/wafsg-WebApplicationFirewallRateLimitingRules.yaml
@@ -0,0 +1,16 @@
+name: wafsg-WebApplicationFirewallRateLimitingRules
+title: Take advantage of the rate-limiting rules that are included with a web application
+ firewall (WAF).
+description: Limit requests to prevent clients from sending too much traffic to your
+ application. Rate limiting can help you avoid problems like a retry storm.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Reliability
+severity: 1
+labels:
+ guid: 4a17bea1-3951-4f73-8de7-cd3193bca5d2
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorEnd.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorEnd.yaml
new file mode 100644
index 000000000..8be91682e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorEnd.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureFrontDoorEnd
+title: Use end-to-end TLS with Azure Front Door. Use TLS for connections from your
+ clients to Front Door, and from Front Door to your origin.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 2e30abab-5478-417c-81bf-bf1ad4ed1ed4
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls
+queries: {}
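Review bot: The `name` `revcl-AzureFrontDoorEnd` no longer conveys what the title says (`Use end-to-end TLS ...`); it looks like the generated identifier stopped at "End", so the file name and `name` are the only ones among the revcl-AzureFrontDoor* entries that do not describe the check. Since `name` is also the file name, renaming it now, before other tooling references it, is cheap: `name: revcl-AzureFrontDoorEndToEndTls` with the matching file name; `guid` remains the stable key either way.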
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorGlobalHttpSApps.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorGlobalHttpSApps.yaml
new file mode 100644
index 000000000..d8b6ef350
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorGlobalHttpSApps.yaml
@@ -0,0 +1,18 @@
+name: revcl-AzureFrontDoorGlobalHttpSApps
+title: Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S
+ apps that span multiple Azure regions.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
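Review bot: The first `links` entry (`.../web-application-firewall/ag/ag-overview`) is the Application Gateway WAF overview, while the title and `resourceTypes` are about Azure Front Door; the same mismatch is in revcl-AzureFrontDoorWafPolicyBodyInspectionFeature, whose only link is the Application Gateway request-size-limits page. A reader following these links lands on a different product's settings and may tune the wrong WAF. Point them at the Front Door WAF documentation (the `afds/` pages the sibling revcl-AzureFrontDoorWaf* entries already use), or drop the link rather than keep a misleading one.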
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorHttpsRedirection.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorHttpsRedirection.yaml
new file mode 100644
index 000000000..3e263d6f2
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorHttpsRedirection.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureFrontDoorHttpsRedirection
+title: Use HTTP to HTTPS redirection with Azure Front Door. Support older clients
+ by redirecting them to an HTTPS request automatically.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 10aa45af-166f-44c4-9f36-b6d592dac2ca
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorInstanceOrigins.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorInstanceOrigins.yaml
new file mode 100644
index 000000000..43a75bfc8
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorInstanceOrigins.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFrontDoorInstanceOrigins
+title: Make sure your origins only take traffic from your Azure Front Door instance.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 7d3df025-59a3-447d-ac25-3f5750d35de1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafApplication.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafApplication.yaml
new file mode 100644
index 000000000..547c4ccaa
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafApplication.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFrontDoorWafApplication
+title: Enable the Azure Front Door WAF. Protect your application from a range of attacks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 28b9ee82-b2c7-45aa-bc98-6de6f59a095d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafBotProtectionRuleSetBotRules.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafBotProtectionRuleSetBotRules.yaml
new file mode 100644
index 000000000..0c6ed8875
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafBotProtectionRuleSetBotRules.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureFrontDoorWafBotProtectionRuleSetBotRules
+title: Enable the Azure Front Door WAF bot protection rule set. The bot rules detect
+ good and bad bots.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 147a13d4-2a2f-4824-a524-f5855b52b946
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafDefaultRuleSetsCommonAttacks.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafDefaultRuleSetsCommonAttacks.yaml
new file mode 100644
index 000000000..05ccf11ba
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafDefaultRuleSetsCommonAttacks.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureFrontDoorWafDefaultRuleSetsCommonAttacks
+title: Enable the Azure Front Door WAF default rule sets. The default rule sets detect
+ and block common attacks.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 49a98f2b-ec22-4a87-9415-6a10b00d6555
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafFalsePositiveDetections.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafFalsePositiveDetections.yaml
new file mode 100644
index 000000000..c50889aaa
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafFalsePositiveDetections.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFrontDoorWafFalsePositiveDetections
+title: Tune the Azure Front Door WAF for your workload. Reduce false positive detections.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 2902d8cc-1b0c-4495-afad-624ab70f7bd6
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafLargeAmounts.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafLargeAmounts.yaml
new file mode 100644
index 000000000..a0b09b7cd
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafLargeAmounts.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureFrontDoorWafLargeAmounts
+title: Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients
+ accidentally or intentionally sending large amounts of traffic in a short period
+ of time.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: b9620385-1cde-418f-914b-a84a06982ffc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafPolicyBodyInspectionFeature.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafPolicyBodyInspectionFeature.yaml
new file mode 100644
index 000000000..dd91ae780
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafPolicyBodyInspectionFeature.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureFrontDoorWafPolicyBodyInspectionFeature
+title: Enable request body inspection feature enabled in Azure Front Door WAF policy.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 17ba124b-127d-42b6-9322-388d5b2bbcfc
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection
+queries: {}
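Review bot: The `title` reads as two fragments fused together (`Enable request body inspection feature enabled in Azure Front Door WAF policy.`), which makes it the one entry in this directory that does not scan as an instruction. Suggested wording: `title: Enable the request body inspection feature in the Azure Front Door WAF policy.`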
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafRateLimitsHighRateLimitThresholds.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafRateLimitsHighRateLimitThresholds.yaml
new file mode 100644
index 000000000..976ed5c5b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafRateLimitsHighRateLimitThresholds.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureFrontDoorWafRateLimitsHighRateLimitThresholds
+title: 'Use a high threshold for Azure Front Door WAF rate limits. High rate limit
+ thresholds avoid blocking legitimate traffic, while still providing protection against
+ extremely high numbers of requests that might overwhelm your infrastructure. '
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 6dc36c52-0124-4ffe-9eaf-23ec1282dedb
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafUnknownZzLocation.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafUnknownZzLocation.yaml
new file mode 100644
index 000000000..9d918ec16
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureFrontDoorWafUnknownZzLocation.yaml
@@ -0,0 +1,17 @@
+name: revcl-AzureFrontDoorWafUnknownZzLocation
+title: Specify the unknown (ZZ) location when geo-filtering traffic with the Azure
+ Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses
+ can't be geo-matched.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 00acd8a9-6975-414f-8491-2be6309893b8
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureTrafficManagerAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureTrafficManagerAzureFrontDoor.yaml
new file mode 100644
index 000000000..1329d6f82
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-AzureTrafficManagerAzureFrontDoor.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureTrafficManagerAzureFrontDoor
+title: Avoid combining Azure Traffic Manager and Azure Front Door.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 062d5839-4d36-402f-bfa4-02811eb936e9
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-FrontDoorApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-FrontDoorApplicationGateway.yaml
new file mode 100644
index 000000000..b9716fea6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-FrontDoorApplicationGateway.yaml
@@ -0,0 +1,19 @@
+name: revcl-FrontDoorApplicationGateway
+title: When using Front Door and Application Gateway to help protect HTTP/S apps,
+ use WAF policies in Front Door. Lock down Application Gateway to receive traffic
+ only from Front Door.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 3f29812b-2363-4cef-b179-b599de0d5973
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-GeographicalRegionsExpectedCountries.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-GeographicalRegionsExpectedCountries.yaml
new file mode 100644
index 000000000..83e011f69
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-GeographicalRegionsExpectedCountries.yaml
@@ -0,0 +1,16 @@
+name: revcl-GeographicalRegionsExpectedCountries
+title: If you are not expecting traffic from all geographical regions, use geo-filters
+ to block traffic from non-expected countries.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 2
+labels:
+ guid: 388a3d0e-0a43-4367-90b2-3dd2aeece5ee
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-LatestAzureFrontDoorWafRuleSetVersionRuleSetUpdates.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-LatestAzureFrontDoorWafRuleSetVersionRuleSetUpdates.yaml
new file mode 100644
index 000000000..e201fd283
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-LatestAzureFrontDoorWafRuleSetVersionRuleSetUpdates.yaml
@@ -0,0 +1,16 @@
+name: revcl-LatestAzureFrontDoorWafRuleSetVersionRuleSetUpdates
+title: Use the latest Azure Front Door WAF rule set version. Rule set updates are
+ regularly updated to take account of the current threat landscape.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: d7dcdcb9-0d99-44b9-baab-ac7570ede79a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-SameDomainNameAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-SameDomainNameAzureFrontDoor.yaml
new file mode 100644
index 000000000..062a9b80a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-SameDomainNameAzureFrontDoor.yaml
@@ -0,0 +1,16 @@
+name: revcl-SameDomainNameAzureFrontDoor
+title: Use the same domain name on Azure Front Door and your origin. Mismatched host
+ names can cause subtle bugs.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: 5efeb96a-003f-4b18-8fcd-b4d84459c2b2
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-WafPolicyFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-WafPolicyFrontDoor.yaml
new file mode 100644
index 000000000..0c0c253af
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/revcl-WafPolicyFrontDoor.yaml
@@ -0,0 +1,22 @@
+name: revcl-WafPolicyFrontDoor
+title: Deploy your WAF policy for Front Door in 'Prevention' mode.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 0
+labels:
+ guid: ae248989-b306-4591-9186-de482e3f0f0e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings
+queries:
+ arg: resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies'
+ | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks,
+ enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode
+ | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy,
+ '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3),
+ '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')),
+ enabledState, mode
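Review bot: The `arg` query only produces a row for WAF policies that have at least one entry in `properties.securityPolicyLinks`, because `mvexpand links` drops rows whose array is empty; a Front Door profile with no WAF policy attached therefore yields no row and is graded neither compliant nor non-compliant, and a profile with several linked policies yields several rows under the same `id`. That is acceptable for a "mode is Prevention" check, but it should be stated so nobody reads an absent row as a pass (the "is a WAF attached at all" case belongs to revcl-AzureFrontDoorWafApplication, which currently has `queries: {}`); a comment above `queries:` such as `# Grades only profiles with a linked WAF policy; unattached profiles produce no row.` would do. The `profileId` derivation also assumes every link id ends in `/securityPolicies/<name>` so that `array_slice(..., 0, -3)` lands on the profile — presumably true for Standard/Premium profiles, but I cannot confirm from here that classic `microsoft.network/frontdoors` resources, the declared `resourceTypes`, produce ids of that shape.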
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorFrontEnds.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorFrontEnds.yaml
new file mode 100644
index 000000000..6c53df4f6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorFrontEnds.yaml
@@ -0,0 +1,17 @@
+name: wafsg-AzureFrontDoorFrontEnds
+title: Block common threats at the edge. WAF is integrated with Azure Front Door.
+ Enable WAF rules on the front ends to protect applications from common exploits
+ and vulnerabilities at the network edge, closer to the attack source.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 45987127-47d8-43a3-ad12-9f625ed6a883
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorRoleBasedAccessControlControlPlane.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorRoleBasedAccessControlControlPlane.yaml
new file mode 100644
index 000000000..a79752e1f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorRoleBasedAccessControlControlPlane.yaml
@@ -0,0 +1,16 @@
+name: wafsg-AzureFrontDoorRoleBasedAccessControlControlPlane
+title: Allow only authorized access to the control plane. Use Azure Front Door role-based
+ access control (RBAC) to restrict access to only the identities that need it.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 959ab078-8d43-4796-9fef-6445a325097c
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorSecurityBaseline.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorSecurityBaseline.yaml
new file mode 100644
index 000000000..7faf78aed
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-AzureFrontDoorSecurityBaseline.yaml
@@ -0,0 +1,15 @@
+name: wafsg-AzureFrontDoorSecurityBaseline
+title: Review the security baseline for Azure Front Door.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 017b3c2c-d4ae-434f-8a34-07892661814d
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-BackEndServersFrontEnd.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-BackEndServersFrontEnd.yaml
new file mode 100644
index 000000000..743e8c6e6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-BackEndServersFrontEnd.yaml
@@ -0,0 +1,16 @@
+name: wafsg-BackEndServersFrontEnd
+title: Protect the back-end servers. The front end acts as the single point of ingress
+ to the application.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: cbbd35ba-ecdb-4139-ab42-bdac8141062a
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-CentralizedSecurityInformationAnomalousActivity.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-CentralizedSecurityInformationAnomalousActivity.yaml
new file mode 100644
index 000000000..a9c13b51b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-CentralizedSecurityInformationAnomalousActivity.yaml
@@ -0,0 +1,19 @@
+name: wafsg-CentralizedSecurityInformationAnomalousActivity
+title: Monitor anomalous activity. Regularly review the logs to check for attacks
+ and false positives. Send WAF logs from Azure Front Door to your organization's
+ centralized security information and event management (SIEM), such as Microsoft
+ Sentinel, to detect threat patterns and incorporate preventative measures in the
+ workload design.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 7eec048b-3dfe-4a71-b4ac-5a3f554ff7ae
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-EndTransportLayerSecurityAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-EndTransportLayerSecurityAzureFrontDoor.yaml
new file mode 100644
index 000000000..3a7e1b4f2
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-EndTransportLayerSecurityAzureFrontDoor.yaml
@@ -0,0 +1,17 @@
+name: wafsg-EndTransportLayerSecurityAzureFrontDoor
+title: Protect data in transit. Enable end-to-end Transport Layer Security (TLS),
+ HTTP to HTTPS redirection, and managed TLS certificates when applicable. For more
+ information, see TLS best practices for Azure Front Door.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: ad119b63-dfca-446a-a65b-9f1e5849be6b
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-FrontDoorCustomDomainEndpointsAzureFrontDoorManagedCertificates.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-FrontDoorCustomDomainEndpointsAzureFrontDoorManagedCertificates.yaml
new file mode 100644
index 000000000..e3ab5923d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-FrontDoorCustomDomainEndpointsAzureFrontDoorManagedCertificates.yaml
@@ -0,0 +1,21 @@
+name: wafsg-FrontDoorCustomDomainEndpointsAzureFrontDoorManagedCertificates
+title: Enable end-to-end TLS, HTTP to HTTPS redirection, and managed TLS certificates
+ when applicable. Review the TLS best practices for Azure Front Door. Use TLS version
+ 1.2 as the minimum allowed version with ciphers that are relevant for your application. Azure
+ Front Door managed certificates should be your default choice for ease of operations.
+ However, if you want to manage the lifecycle of the certificates, use your own certificates
+ in Azure Front Door custom domain endpoints and store them in Key Vault.
+description: TLS ensures that data exchanges between the browser, Azure Front Door,
+ and the back-end origins are encrypted to prevent tampering. Key Vault offers managed
+ certificate support and simple certificate renewal and rotation.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 5d4054fd-512a-4af5-84bd-1b039783b5e2
+links: []
+queries: {}
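Review bot: This wafsg entry cites `source.file: ./checklists-ext/wafsg_checklist.en.json` and carries no `timestamp`, while the other wafsg entries in this directory (for example wafsg-EndTransportLayerSecurityAzureFrontDoor) cite `well-architected/service-guides/azure-front-door.md` with `timestamp: July 24, 2024`; the two appear to describe the same end-to-end TLS guidance, so this looks like the same recommendation ingested twice through different paths. The same pattern shows in the wafsg-OwaspTopAttackTypesMicrosoftThreatIntelligence and wafsg-RuleSetsWafPolicy hunks below. If both sources are intended to coexist, the `source` block should say which one is canonical, e.g. a `# legacy wafsg checklist export; superseded by the service-guide entry when both exist` comment, and the missing `timestamp` should be supplied so downstream freshness checks treat the two consistently.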
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-OtherPublicIpAddressesDdosProtectionStandardPlan.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-OtherPublicIpAddressesDdosProtectionStandardPlan.yaml
new file mode 100644
index 000000000..463234347
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-OtherPublicIpAddressesDdosProtectionStandardPlan.yaml
@@ -0,0 +1,19 @@
+name: wafsg-OtherPublicIpAddressesDdosProtectionStandardPlan
+title: Protect Azure Front Door against unexpected traffic. Azure Front Door uses
+ the basic plan of Azure DDoS protection to protect application endpoints from DDoS
+ attacks. If you need to expose other public IP addresses from your application,
+ consider adding the DDoS Protection standard plan for those addresses for advanced
+ protection and detection capabilities.
+description: ''
+source:
+ type: wafsg
+ file: well-architected/service-guides/azure-front-door.md
+ timestamp: July 24, 2024
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 92f43df8-151b-4445-bba9-e1b96da81d10
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-OwaspTopAttackTypesMicrosoftThreatIntelligence.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-OwaspTopAttackTypesMicrosoftThreatIntelligence.yaml
new file mode 100644
index 000000000..9a82b33f1
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-OwaspTopAttackTypesMicrosoftThreatIntelligence.yaml
@@ -0,0 +1,22 @@
+name: wafsg-OwaspTopAttackTypesMicrosoftThreatIntelligence
+title: 'Enable WAF rule sets that detect and block potentially malicious traffic.
+ This feature is available on the Premium tier. We recommend these rule sets: -
+ Default- Bot protection- IP restriction- Geo-filtering- Rate limiting'
+description: Default rule sets are updated frequently based on OWASP top-10 attack
+ types and information from Microsoft Threat Intelligence. The specialized rule
+ sets detect certain use cases. For example, bot rules classify bots as good, bad,
+ or unknown based on the client IP addresses. They also block bad bots and known
+ IP addresses and restrict traffic based on geographical location of the callers. By
+ using a combination of rule sets, you can detect and block attacks with various
+ intents.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: 67a91ccb-b42b-486c-8d10-99717d93fdb8
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-RuleSetsWafPolicy.yaml b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-RuleSetsWafPolicy.yaml
new file mode 100644
index 000000000..11428acbb
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoors/Security/wafsg-RuleSetsWafPolicy.yaml
@@ -0,0 +1,15 @@
+name: wafsg-RuleSetsWafPolicy
+title: Create exclusions for managed rule sets. Test a WAF policy in detection mode
+ for a few weeks and adjust any false positives before you deploy it.
+description: Reduce false positives and allow legitimate requests for your application.
+source:
+ type: wafsg
+ file: ./checklists-ext/wafsg_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoors
+waf: Security
+severity: 1
+labels:
+ guid: e85f5804-244d-4e3e-bd19-9c5476602260
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Operations/revcl-ApplicationDeliveryServicesAzureFrontDoor-1.yaml b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Operations/revcl-ApplicationDeliveryServicesAzureFrontDoor-1.yaml
new file mode 100644
index 000000000..a912d1b6a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Operations/revcl-ApplicationDeliveryServicesAzureFrontDoor-1.yaml
@@ -0,0 +1,17 @@
+name: revcl-ApplicationDeliveryServicesAzureFrontDoor-1
+title: Send WAF logs from your application delivery services like Azure Front Door
+ and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate
+ WAF telemetry into your overall Azure environment.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoorwebapplicationfirewalls
+waf: Operations
+severity: 1
+labels:
+ guid: 7f408960-c626-44cb-a018-347c8d790cdf
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Operations/revcl-ApplicationDeliveryServicesAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Operations/revcl-ApplicationDeliveryServicesAzureFrontDoor.yaml
new file mode 100644
index 000000000..79391f341
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Operations/revcl-ApplicationDeliveryServicesAzureFrontDoor.yaml
@@ -0,0 +1,17 @@
+name: revcl-ApplicationDeliveryServicesAzureFrontDoor
+title: Add diagnostic settings to save WAF logs from application delivery services
+ like Azure Front Door and Azure Application Gateway. Regularly review the logs to
+ check for attacks and for false positive detections.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoorwebapplicationfirewalls
+waf: Operations
+severity: 0
+labels:
+ guid: 89cc5e11-aa4d-4c3b-893d-feb99215266a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-AzureFrontDoorAzureApplicationGateway.yaml b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-AzureFrontDoorAzureApplicationGateway.yaml
new file mode 100644
index 000000000..80787b07f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-AzureFrontDoorAzureApplicationGateway.yaml
@@ -0,0 +1,19 @@
+name: revcl-AzureFrontDoorAzureApplicationGateway
+title: When using Azure Front Door and Azure Application Gateway to help protect HTTP/S
+ apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway
+ to receive traffic only from Azure Front Door.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoorwebapplicationfirewalls
+waf: Security
+severity: 2
+labels:
+ guid: 3b22a5a6-7e7a-48ed-9b30-e38c3f29812b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-InboundHttpSConnectionsAzureFrontDoor.yaml b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-InboundHttpSConnectionsAzureFrontDoor.yaml
new file mode 100644
index 000000000..a256745d4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-InboundHttpSConnectionsAzureFrontDoor.yaml
@@ -0,0 +1,18 @@
+name: revcl-InboundHttpSConnectionsAzureFrontDoor
+title: Use Azure Front Door and WAF policies to provide global protection across Azure
+ regions for inbound HTTP/S connections to a landing zone.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoorwebapplicationfirewalls
+waf: Security
+severity: 1
+labels:
+ guid: 1d7aa9b6-4704-4489-a804-2d88e79d17b7
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-application-delivery/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-OtherReverseProxiesLandingZoneVirtualNetwork.yaml b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-OtherReverseProxiesLandingZoneVirtualNetwork.yaml
new file mode 100644
index 000000000..a24cd6fa8
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-frontdoorwebApplicationFirewalls/Security/revcl-OtherReverseProxiesLandingZoneVirtualNetwork.yaml
@@ -0,0 +1,19 @@
+name: revcl-OtherReverseProxiesLandingZoneVirtualNetwork
+title: Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections,
+ deploy them within a landing-zone virtual network and together with the apps that
+ they're protecting and exposing to the internet.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/frontdoorwebapplicationfirewalls
+waf: Security
+severity: 0
+labels:
+ guid: 2363cefe-179b-4599-be0d-5973cd4cd21b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/architect-network-infrastructure/
+queries: {}
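Review bot: The `title` reads "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network …", which is not a sentence and makes the recommendation hard to act on. The likely intended wording is `title: When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.`, but since this file is exported from `./checklists/waf_checklist.en.json` the fix belongs in that checklist source rather than here, so it survives the next regeneration.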
diff --git a/v2/recos/Services/microsoftnetwork-networkWatchers/Operations/revcl-NetworkWatcherTrafficFlows.yaml b/v2/recos/Services/microsoftnetwork-networkWatchers/Operations/revcl-NetworkWatcherTrafficFlows.yaml
new file mode 100644
index 000000000..7e155cd64
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-networkWatchers/Operations/revcl-NetworkWatcherTrafficFlows.yaml
@@ -0,0 +1,17 @@
+name: revcl-NetworkWatcherTrafficFlows
+title: Use Network Watcher to proactively monitor traffic flows
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/networkwatchers
+waf: Operations
+severity: 1
+labels:
+ guid: 90483845-c986-4cb2-a131-56a12476e49f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/configure-network-watcher/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-AzureNetworkWatcherNetworkingServices.yaml b/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-AzureNetworkWatcherNetworkingServices.yaml
new file mode 100644
index 000000000..08846c0a4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-AzureNetworkWatcherNetworkingServices.yaml
@@ -0,0 +1,26 @@
+name: aprl-AzureNetworkWatcherNetworkingServices
+title: Deploy Network Watcher in all regions where you have networking services
+description: |-
+ Azure Network Watcher offers tools for monitoring, diagnosing, viewing metrics, and managing logs for IaaS resources. It helps maintain the health of VMs, VNets, application gateways, load balancers, but not for PaaS or Web analytics.
+source:
+ type: aprl
+ file: azure-resources/Network/networkWatchers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkWatchers
+severity: 2
+labels:
+ guid: 4e133bd0-8762-bc40-a95b-b29142427d73
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This query will return all locations that do not have a Network Watcher deployed
+ resources
+ | where location != "global"
+ | union (Resources
+ | where type =~ "microsoft.network/networkwatchers")
+ | summarize NetworkWatcherCount = countif(type =~ 'Microsoft.Network/networkWatchers') by location
+ | where NetworkWatcherCount == 0
+ | project recommendationId = "4e133bd0-8762-bc40-a95b-b29142427d73", name=location, id="n/a", param1 = strcat("LocationMisingNetworkWatcher:", location)
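Review bot: The `param1` value emitted by the `project` line is `strcat("LocationMisingNetworkWatcher:", location)`; "Mising" is a typo in a string that downstream consumers will match on, so it should be `LocationMissingNetworkWatcher:` before anything starts keying on it. The `union (Resources | where type =~ "microsoft.network/networkwatchers")` also appears redundant, because the preceding `resources | where location != "global"` already includes network watcher rows, so the union only double-counts them in `NetworkWatcherCount`; the `== 0` test is unaffected, but a `// union kept only to …` comment or removal of the union would make the intent clear.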
diff --git a/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-NetworkSecurityGroupFlowLoggingFlowLogConfigurations.yaml b/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-NetworkSecurityGroupFlowLoggingFlowLogConfigurations.yaml
new file mode 100644
index 000000000..359a96a8f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-NetworkSecurityGroupFlowLoggingFlowLogConfigurations.yaml
@@ -0,0 +1,27 @@
+name: aprl-NetworkSecurityGroupFlowLoggingFlowLogConfigurations
+title: Fix Flow Log configurations in Failed state or Disabled Status
+description: |-
+ Network security group flow logging is a feature of Azure Network Watcher that logs IP traffic info through a network security group. If in Failed state, monitoring data from the associated resource is not collected.
+source:
+ type: aprl
+ file: azure-resources/Network/networkWatchers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkWatchers
+severity: 2
+labels:
+ guid: 22a769ed-0ecb-8b49-bafe-8f52e6373d9c
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // This query will return all Network Watcher Flow Logs that are not enabled or in a succeeded state
+ resources
+ | where type =~ "microsoft.network/networkwatchers/flowlogs" and isnotnull(properties)
+ | extend targetResourceId = tostring(properties.targetResourceId)
+ | extend status = iff(properties.enabled =~ 'true', "Enabled", "Disabled")
+ | extend provisioningState = tostring(properties.provisioningState)
+ | extend flowLogType = iff(properties.targetResourceId contains "Microsoft.Network/virtualNetworks", 'Virtual network', 'Network security group')
+ | where provisioningState != "Succeeded" or status != "Enabled"
+ | project recommendationId = "22a769ed-0ecb-8b49-bafe-8f52e6373d9c", name, id, tags, param1 = strcat("provisioningState:", provisioningState), param2=strcat("Status:", status), param3=strcat("targetResourceId:",targetResourceId), param4=strcat("flowLogType:",flowLogType)
diff --git a/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-NetworkWatcherConnectionMonitorHybridConnectivity.yaml b/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-NetworkWatcherConnectionMonitorHybridConnectivity.yaml
new file mode 100644
index 000000000..4ebc4b55a
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-networkWatchers/aprl-NetworkWatcherConnectionMonitorHybridConnectivity.yaml
@@ -0,0 +1,16 @@
+name: aprl-NetworkWatcherConnectionMonitorHybridConnectivity
+title: Configure Network Watcher Connection monitor
+description: |-
+ Improves monitoring for Azure and Hybrid connectivity
+source:
+ type: aprl
+ file: azure-resources/Network/networkWatchers/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/networkWatchers
+severity: 0
+labels:
+ guid: 1e28bbc1-1eb7-486f-8d7f-93943f40219c
+ area: Monitoring and Alerting
+links: []
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/Reliability/revcl-TrafficManagerGlobalApps.yaml b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/Reliability/revcl-TrafficManagerGlobalApps.yaml
new file mode 100644
index 000000000..213536abd
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/Reliability/revcl-TrafficManagerGlobalApps.yaml
@@ -0,0 +1,17 @@
+name: revcl-TrafficManagerGlobalApps
+title: Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/trafficmanagerprofiles
+waf: Reliability
+severity: 0
+labels:
+ guid: cd4cd21b-0881-437f-9e6c-4cfd3e504547
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries: {}
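Review bot: The two `links` entries for this Traffic Manager recommendation point at the Application Gateway WAF overview and a secure-networking learning path, neither of which documents Traffic Manager or the "protocols other than HTTP/S" point the title makes. A reader following the links would land on unrelated content, so the docs link should be replaced with the Traffic Manager documentation this item is actually drawn from, or `links: []` used until a correct reference is available; as with the other `revcl` files, the fix belongs in `./checklists/waf_checklist.en.json` so it survives regeneration.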
diff --git a/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-DifferentRegionsOneEndpoint.yaml b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-DifferentRegionsOneEndpoint.yaml
new file mode 100644
index 000000000..a7a360dd5
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-DifferentRegionsOneEndpoint.yaml
@@ -0,0 +1,18 @@
+name: aprl-DifferentRegionsOneEndpoint
+title: Configure at least one endpoint within a another region
+description: |-
+ Profiles should have multiple endpoints to ensure availability in case an endpoint fails. It's also advised to distribute these endpoints across different regions for enhanced reliability.
+source:
+ type: aprl
+ file: azure-resources/Network/trafficManagerProfiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/trafficManagerProfiles
+severity: 1
+labels:
+ guid: 1ad9d7b7-9692-1441-a8f4-93792efbe97a
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |
+ // cannot-be-validated-with-arg
diff --git a/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficBlackHolesGeographicProfiles.yaml b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficBlackHolesGeographicProfiles.yaml
new file mode 100644
index 000000000..2148ade9c
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficBlackHolesGeographicProfiles.yaml
@@ -0,0 +1,27 @@
+name: aprl-TrafficBlackHolesGeographicProfiles
+title: Ensure endpoint configured to (All World) for geographic profiles
+description: |-
+ For geographic routing, traffic is directed to endpoints based on specific regions. If a region fails, without a predefined failover, configuring an endpoint to "All (World)" for geographic profiles can prevent traffic black holes, ensuring service remains available.
+source:
+ type: aprl
+ file: azure-resources/Network/trafficManagerProfiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/trafficManagerProfiles
+severity: 0
+labels:
+ guid: c31f76a0-48cd-9f44-aa43-99ee904db9bc
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |-
+ // Azure Resource Graph Query
+ // Provides a list of Traffic Manager resources that are not confirgured for all-World access
+ Resources
+ | where type == 'microsoft.network/trafficmanagerprofiles'
+ | where properties.trafficRoutingMethod =~ "Geographic"
+ | extend endpoints = properties.endpoints
+ | mv-expand endpoint = endpoints
+ | where endpoint.properties.geoMapping !contains "WORLD"
+ | extend endpointName = endpoint.name
+ | project recommendationId="c31f76a0-48cd-9f44-aa43-99ee904db9bc", name, id, tags, param1=strcat("endpointName:",endpointName), param2=strcat("GeoMapping:", tostring(endpoint.properties.geoMapping))
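Review bot: The query evaluates `geoMapping` per expanded endpoint rather than per profile, so a geographic profile that does have an "All (World)" endpoint alongside several regional ones still yields one finding for every regional endpoint, which is exactly the configuration the title describes as correct. Summarizing back to profile level before projecting fixes this: `| summarize hasWorld = countif(tostring(endpoint.properties.geoMapping) contains "WORLD") by name, id, tostring(tags)` followed by `| where hasWorld == 0`, then project `recommendationId`, `name`, `id` and `tags` without the per-endpoint params. The comment on the second line also misspells "configured" as "confirgured".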
diff --git a/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficManagerMonitorStatusApplicationWorkload.yaml b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficManagerMonitorStatusApplicationWorkload.yaml
new file mode 100644
index 000000000..d7063a85f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficManagerMonitorStatusApplicationWorkload.yaml
@@ -0,0 +1,24 @@
+name: aprl-TrafficManagerMonitorStatusApplicationWorkload
+title: Traffic Manager Monitor Status Should be Online
+description: |-
+ Monitor status should be online to ensure failover for application workload. If Traffic Manager's health shows Degraded, one or more endpoints may also be Degraded.
+source:
+ type: aprl
+ file: azure-resources/Network/trafficManagerProfiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/trafficManagerProfiles
+severity: 0
+labels:
+ guid: f05a3e6d-49db-2740-88e2-2b13706c1f67
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find traffic manager profiles that have an endpoint monitor status of not 'Online'
+ resources
+ | where type == "microsoft.network/trafficmanagerprofiles"
+ | mv-expand properties.endpoints
+ | where properties_endpoints.properties.endpointMonitorStatus != "Online"
+ | project recommendationId = "f05a3e6d-49db-2740-88e2-2b13706c1f67", name, id, tags, param1 = strcat('Profile name: ',properties_endpoints.name), param2 = strcat('endpointMonitorStatus: ', properties_endpoints.properties.endpointMonitorStatus)
diff --git a/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficManagerProfilesAzureTrafficManager.yaml b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficManagerProfilesAzureTrafficManager.yaml
new file mode 100644
index 000000000..5b2a4e93d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-trafficManagerProfiles/aprl-TrafficManagerProfilesAzureTrafficManager.yaml
@@ -0,0 +1,23 @@
+name: aprl-TrafficManagerProfilesAzureTrafficManager
+title: Traffic manager profiles should have more than one endpoint
+description: |-
+ When configuring the Azure traffic manager, provision at least two endpoints to ensure workloads can fail-over to another instance, enhancing reliability and availability.
+source:
+ type: aprl
+ file: azure-resources/Network/trafficManagerProfiles/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/trafficManagerProfiles
+severity: 1
+labels:
+ guid: 5b422a7f-8caa-3d48-becb-511599e5bba9
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find traffic manager profiles that have less than 2 endpoints
+ resources
+ | where type == "microsoft.network/trafficmanagerprofiles"
+ | where array_length(properties.endpoints) < 2
+ | project recommendationId = "5b422a7f-8caa-3d48-becb-511599e5bba9", name, id, tags, param1 = strcat('EndpointCount: ', array_length(properties.endpoints))
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/Reliability/revcl-RedundantVpnAppliancesPremises.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/Reliability/revcl-RedundantVpnAppliancesPremises.yaml
new file mode 100644
index 000000000..4f3dbf49f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/Reliability/revcl-RedundantVpnAppliancesPremises.yaml
@@ -0,0 +1,17 @@
+name: revcl-RedundantVpnAppliancesPremises
+title: Use redundant VPN appliances on-premises (active/active or active/passive).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworkgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 45866df8-cf85-4ca9-bbe2-65ec1478919e
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable
+- type: docs
+ url: https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/Reliability/revcl-ZoneRedundantVpnGatewaysRemoteLocations.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/Reliability/revcl-ZoneRedundantVpnGatewaysRemoteLocations.yaml
new file mode 100644
index 000000000..e26ad5a9d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/Reliability/revcl-ZoneRedundantVpnGatewaysRemoteLocations.yaml
@@ -0,0 +1,21 @@
+name: revcl-ZoneRedundantVpnGatewaysRemoteLocations
+title: Use zone-redundant VPN gateways to connect branches or remote locations to
+ Azure (where available).
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualnetworkgateways
+waf: Reliability
+severity: 1
+labels:
+ guid: 4d873974-8b66-42d6-b15f-512a65498f6d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway
+- type: docs
+ url: https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/
+queries:
+ arg: resources | where type=='microsoft.network/virtualnetworkgateways' | where
+ properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name)
+ contains 'az') | distinct id, compliant
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-CustomerControlledExpressrouteGatewayMaintenanceCustomerControlledMaintenanceConfiguration.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-CustomerControlledExpressrouteGatewayMaintenanceCustomerControlledMaintenanceConfiguration.yaml
new file mode 100644
index 000000000..789d0d37b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-CustomerControlledExpressrouteGatewayMaintenanceCustomerControlledMaintenanceConfiguration.yaml
@@ -0,0 +1,37 @@
+name: aprl-CustomerControlledExpressrouteGatewayMaintenanceCustomerControlledMaintenanceConfiguration
+title: Configure customer-controlled ExpressRoute gateway maintenance
+description: |-
+ ExpressRoute gateways are updated for improved functionality, reliability, performance, and security. Customer-controlled maintenance configuration and scheduling minimize update impact and align with your maintenance windows.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: 3e115044-a3aa-433e-be01-ce17d67e50da
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Find all Virtual Network Gateways without Maintenance Configurations
+
+ resources
+ | where type =~ "Microsoft.Network/virtualNetworkGateways"
+ | extend resourceId = tolower(id)
+ | join kind=leftouter (
+ maintenanceresources
+ | where type =~ "Microsoft.Maintenance/configurationAssignments"
+ | project JsonData = parse_json(properties)
+ | extend maintenanceConfigurationId = tolower(tostring(JsonData.maintenanceConfigurationId))
+ | join kind=inner (
+ resources
+ | where type =~ "Microsoft.Maintenance/maintenanceConfigurations"
+ | project maintenanceConfigurationId=tolower(id)
+ ) on maintenanceConfigurationId
+ | project maintenanceConfigurationId, resourceId=tolower(tostring(JsonData.resourceId))
+ ) on resourceId
+ | where isempty(maintenanceConfigurationId)
+ | project recommendationId = "3e115044-a3aa-433e-be01-ce17d67e50da", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-DiversePeeringLocationsDifferentPeeringLocation-1.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-DiversePeeringLocationsDifferentPeeringLocation-1.yaml
new file mode 100644
index 000000000..401961756
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-DiversePeeringLocationsDifferentPeeringLocation-1.yaml
@@ -0,0 +1,74 @@
+name: aprl-DiversePeeringLocationsDifferentPeeringLocation-1
+title: Connect ExpressRoute gateway with circuits from diverse peering locations for
+ resilience
+description: |-
+ To increase reliability, it's advised that each ExpressRoute gateway connects to at least two circuits, with each circuit originating from a different peering location than the other, ensuring diverse connectivity paths for enhanced resilience.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: d37db635-157f-584d-9bce-4f6fc8c65ce5
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of ExpressRoute Gateways that are not connected to two or more ExpressRoute Circuits. Baremetal circuits are excluded from consideration
+ //This query assumes that the running entity has visibilty to the gateway, connection, and circuit scopes.
+ //Start with a full list of gateways
+ (resources
+ | where type == "microsoft.network/virtualnetworkgateways"
+ | where properties.gatewayType == "ExpressRoute"
+ | extend exrGatewayId = tolower(tostring(id))
+ | join kind=inner(
+ resources
+ | where type == "microsoft.network/virtualnetworkgateways"
+ | where properties.gatewayType == "ExpressRoute"
+ | extend exrGatewayId = tolower(tostring(id))
+ | join kind=leftouter(
+ //connections joined with circuit peer info
+ resources
+ | where type == "microsoft.network/connections"
+ | extend connectionType = properties.connectionType
+ | extend exrGatewayId = tolower(tostring(properties.virtualNetworkGateway1.id))
+ | extend peerId = tolower(tostring(properties.peer.id))
+ | extend connectionId = tolower(tostring(id))
+ | where connectionType == "ExpressRoute"
+ | join kind=leftouter(
+ resources
+ | where type == "microsoft.network/expressroutecircuits"
+ //should this be location instead of peeringLocation
+ | extend circuitId = tolower(tostring(id))
+ | extend peeringLocation = tostring(properties.serviceProviderProperties.peeringLocation)
+ | extend peerId = tolower(id)
+ ) on peerId ) on exrGatewayId
+ //remove bare metal services connections/circuits
+ | where not(isnotnull(connectionId) and isnull(sku1))
+ //group by gateway ID's and peering locations
+ | summarize by exrGatewayId, peeringLocation
+ //summarize to connections with fewer than two unique connections
+ | summarize connCount = count() by exrGatewayId
+ | where connCount < 2) on exrGatewayId
+ | project recommendationId = "d37db635-157f-584d-9bce-4f6fc8c65ce5", name, id, tags, param1 = "twoOrMoreCircuitsConnectedFromDifferentPeeringLocations: false")
+ | union
+ (
+ resources
+ | where type == "microsoft.network/virtualnetworkgateways"
+ | where properties.gatewayType == "ExpressRoute"
+ | extend exrGatewayId = tolower(tostring(id))
+ | join kind=leftouter(
+ //connections joined with circuit peer info
+ resources
+ | where type == "microsoft.network/connections"
+ | extend connectionType = properties.connectionType
+ | extend exrGatewayId = tolower(tostring(properties.virtualNetworkGateway1.id))
+ | extend peerId = tolower(tostring(properties.peer.id))
+ | extend connectionId = tolower(tostring(id))
+ | where connectionType == "ExpressRoute") on exrGatewayId
+ | where isnull(connectionType)
+ | project recommendationId = "d37db635-157f-584d-9bce-4f6fc8c65ce5", name, id, tags, param1 = "twoOrMoreCircuitsConnectedFromDifferentPeeringLocations: false", param2 = "noConnectionsOnGateway: true"
+ )
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ExpressrouteGatewaysNetworkInsights.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ExpressrouteGatewaysNetworkInsights.yaml
new file mode 100644
index 000000000..88a7a5140
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ExpressrouteGatewaysNetworkInsights.yaml
@@ -0,0 +1,20 @@
+name: aprl-ExpressrouteGatewaysNetworkInsights
+title: Monitor gateway health for ExpressRoute gateways
+description: |-
+ Use Network Insights for monitoring ExpressRoute Gateway's health, including availability, performance, and scalability.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: 1c34faa8-8b99-974c-adbf-71922eae943c
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |+
+ // under-development
+
+...
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-FourIpsecTunnelsActiveActiveVpnConcentrators.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-FourIpsecTunnelsActiveActiveVpnConcentrators.yaml
new file mode 100644
index 000000000..9bcd30425
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-FourIpsecTunnelsActiveActiveVpnConcentrators.yaml
@@ -0,0 +1,21 @@
+name: aprl-FourIpsecTunnelsActiveActiveVpnConcentrators
+title: Deploy active-active VPN concentrators on your premises for maximum resiliency
+ with VPN gateways
+description: |-
+ Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: af11fc4c-c06c-4f4c-b98d-6eee6d5c4c70
+ area: Disaster Recovery
+links: []
+queries:
+ arg: |+
+ // under-development
+
+...
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-SameExpressrouteGatewayAzureRouteServer.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-SameExpressrouteGatewayAzureRouteServer.yaml
new file mode 100644
index 000000000..8f6eeebc6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-SameExpressrouteGatewayAzureRouteServer.yaml
@@ -0,0 +1,18 @@
+name: aprl-SameExpressrouteGatewayAzureRouteServer
+title: Avoid using ExpressRoute circuits for VNet to VNet communication
+description: |-
+ While multiple VNets can connect via the same ExpressRoute gateway, Microsoft recommends using alternatives like VNet peering, Azure Firewall, NVA, Azure Route Server, site-to-site VPN, virtual WAN, or SD-WAN for VNet-to-VNet communication to optimize network performance and management.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 1
+labels:
+ guid: 194c14ac-0d7a-5a48-ae32-75fa450ee564
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-TwoGatewayIpConfigurationsTwoPublicIpAddresses.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-TwoGatewayIpConfigurationsTwoPublicIpAddresses.yaml
new file mode 100644
index 000000000..bd2d1b476
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-TwoGatewayIpConfigurationsTwoPublicIpAddresses.yaml
@@ -0,0 +1,27 @@
+name: aprl-TwoGatewayIpConfigurationsTwoPublicIpAddresses
+title: Enable Active-Active VPN Gateways for redundancy
+description: |-
+ The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 1
+labels:
+ guid: 281a2713-c0e0-3c48-b596-19f590c46671
+ area: High Availability
+links: []
+queries:
+ arg: |+
+ // Azure Resource Graph Query
+ // Identifies non-active-active VPN type virtual network gateways
+ resources
+ | where type =~ 'Microsoft.Network/virtualNetworkGateways'
+ | where properties.gatewayType =~ "vpn"
+ | extend gatewayType = properties.gatewayType, vpnType = properties.vpnType, connections = properties.connections, activeactive=properties.activeActive
+ | where activeactive == false
+ | project recommendationId = "281a2713-c0e0-3c48-b596-19f590c46671", name, id, tags
+
+...
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-UnintendedUserDeletionsAzureResourceLock.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-UnintendedUserDeletionsAzureResourceLock.yaml
new file mode 100644
index 000000000..697e71bf6
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-UnintendedUserDeletionsAzureResourceLock.yaml
@@ -0,0 +1,19 @@
+name: aprl-UnintendedUserDeletionsAzureResourceLock
+title: Configure an Azure Resource lock for ExpressRoute gateway to prevent accidental
+ deletion
+description: |-
+ Configuring an Azure Resource lock for ExpressRoute gateway prevents accidental deletion by enabling administrators to lock an Azure subscription, resource group, or resource, thereby protecting them from unintended user deletions and modifications, with the lock overriding all user permissions.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 1
+labels:
+ guid: c0f23a92-d322-4d4d-97e9-a238b5e3bbb8
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-VirtualNetworkGatewayHealthVpnGatewayConnections.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-VirtualNetworkGatewayHealthVpnGatewayConnections.yaml
new file mode 100644
index 000000000..2d86bf034
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-VirtualNetworkGatewayHealthVpnGatewayConnections.yaml
@@ -0,0 +1,18 @@
+name: aprl-VirtualNetworkGatewayHealthVpnGatewayConnections
+title: Monitor VPN gateway connections and health
+description: |-
+ Set up monitoring and alerts for Virtual Network Gateway health to utilize a variety of metrics for ensuring operational efficiency and prompt response to any disruptions.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: 9eab120e-f6d3-ee49-ba0d-766562ce7df1
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |
+ // under-development
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-VpnGatewayServiceHealthVpnConnectivity.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-VpnGatewayServiceHealthVpnConnectivity.yaml
new file mode 100644
index 000000000..7236f0c2b
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-VpnGatewayServiceHealthVpnConnectivity.yaml
@@ -0,0 +1,20 @@
+name: aprl-VpnGatewayServiceHealthVpnConnectivity
+title: Enable VPN gateway service health
+description: |-
+ VPN gateway leverages service health to inform users about both planned and unplanned maintenance, ensuring they are notified about modifications to their VPN connectivity.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: 9186dae0-7ddc-8f4b-bea5-55538cea4893
+ area: Monitoring and Alerting
+links: []
+queries:
+ arg: |+
+ // under-development
+
+...
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantExpressrouteGatewaySkusAzureExpressrouteGateway.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantExpressrouteGatewaySkusAzureExpressrouteGateway.yaml
new file mode 100644
index 000000000..0ca7419c4
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantExpressrouteGatewaySkusAzureExpressrouteGateway.yaml
@@ -0,0 +1,25 @@
+name: aprl-ZoneRedundantExpressrouteGatewaySkusAzureExpressrouteGateway
+title: Use Zone-redundant ExpressRoute gateway SKUs
+description: |-
+ Azure ExpressRoute gateway offers variable SLAs based on deployment in single or multiple availability zones. To deploy virtual network gateways across zones automatically, use zone-redundant gateways for accessing critical, scalable services with increased resilience.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: bbe668b7-eb5c-c746-8b82-70afdedf0cae
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // For all VNGs of type ExpressRoute, show any that do not have AZ in the SKU tier
+ resources
+ | where type =~ "Microsoft.Network/virtualNetworkGateways"
+ | where properties.gatewayType == "ExpressRoute"
+ | where properties.sku.tier !contains 'AZ'
+ | project recommendationId = "bbe668b7-eb5c-c746-8b82-70afdedf0cae", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location
+ | order by id asc
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantStandardSkuPublicIpsZoneRedundantPublicIpS.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantStandardSkuPublicIpsZoneRedundantPublicIpS.yaml
new file mode 100644
index 000000000..8444e8cfc
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantStandardSkuPublicIpsZoneRedundantPublicIpS.yaml
@@ -0,0 +1,31 @@
+name: aprl-ZoneRedundantStandardSkuPublicIpsZoneRedundantPublicIpS
+title: Deploy zone-redundant VPN gateways with zone-redundant Public IP(s)
+description: |-
+ For zone-redundant VPN gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability, applying to both active-passive (single IP) and active-active (dual IP) setups.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: 4bae5a28-5cf4-40d9-bcf1-623d28f6d917
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs
+ resources
+ | where type =~ "Microsoft.Network/virtualNetworkGateways"
+ | where properties.gatewayType == "Vpn"
+ | where properties.sku.tier contains 'AZ'
+ | mv-expand ipconfig = properties.ipConfigurations
+ | extend pipId = tostring(ipconfig.properties.publicIPAddress.id)
+ | join kind=inner (
+ resources
+ | where type == "microsoft.network/publicipaddresses"
+ | where isnull(zones) or array_length(zones) < 3 )
+ on $left.pipId == $right.id
+ | project recommendationId = "4bae5a28-5cf4-40d9-bcf1-623d28f6d917", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat ("PublicIpAddressId: ",id1), param3 = strcat ("PublicIpAddressTags: ",tags1)
diff --git a/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantVirtualNetworkGatewaysZoneRedundantVpnGateway.yaml b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantVirtualNetworkGatewaysZoneRedundantVpnGateway.yaml
new file mode 100644
index 000000000..408f8b541
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualNetworkGateways/aprl-ZoneRedundantVirtualNetworkGatewaysZoneRedundantVpnGateway.yaml
@@ -0,0 +1,25 @@
+name: aprl-ZoneRedundantVirtualNetworkGatewaysZoneRedundantVpnGateway
+title: Choose a Zone-redundant VPN gateway
+description: |-
+ Azure VPN gateway offers variable SLAs based on deployment in one or two availability zones. Deploying zone-redundant virtual network gateways across availability zones ensures zone-resiliency, improving access to mission-critical, scalable services on Azure.
+source:
+ type: aprl
+ file: azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+ timestamp: July 24, 2024
+resourceTypes:
+- Microsoft.Network/virtualNetworkGateways
+severity: 0
+labels:
+ guid: 5b1933a6-90e4-f642-a01f-e58594e5aab2
+ area: High Availability
+links: []
+queries:
+ arg: |
+ // Azure Resource Graph Query
+ // For all VNGs of type Vpn, show any that do not have AZ in the SKU tier
+ resources
+ | where type =~ "Microsoft.Network/virtualNetworkGateways"
+ | where properties.gatewayType == "Vpn"
+ | where properties.sku.tier !contains 'AZ'
+ | project recommendationId = "5b1933a6-90e4-f642-a01f-e58594e5aab2", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location
+ | order by id asc
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Operations/revcl-AzureMonitorInsightsVirtualWan.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Operations/revcl-AzureMonitorInsightsVirtualWan.yaml
new file mode 100644
index 000000000..0f7339407
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Operations/revcl-AzureMonitorInsightsVirtualWan.yaml
@@ -0,0 +1,16 @@
+name: revcl-AzureMonitorInsightsVirtualWan
+title: Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology
+ of the Virtual WAN, status, and key metrics.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Operations
+severity: 1
+labels:
+ guid: 261623a7-65a9-417e-8f34-8ef254c27d42
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Operations/revcl-SimplifiedAzureNetworkingManagementVirtualWanRoutingDesigns.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Operations/revcl-SimplifiedAzureNetworkingManagementVirtualWanRoutingDesigns.yaml
new file mode 100644
index 000000000..a85cecc96
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Operations/revcl-SimplifiedAzureNetworkingManagementVirtualWanRoutingDesigns.yaml
@@ -0,0 +1,18 @@
+name: revcl-SimplifiedAzureNetworkingManagementVirtualWanRoutingDesigns
+title: Consider Virtual WAN for simplified Azure networking management, and make sure
+ your scenario is explicitly described in the list of Virtual WAN routing designs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Operations
+severity: 1
+labels:
+ guid: 412e7f98-3f63-4047-82dd-69c5b5c2622f
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any
+- type: docs
+ url: https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Performance/revcl-CommonGlobalAzureVirtualWanVirtualWanHub.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Performance/revcl-CommonGlobalAzureVirtualWanVirtualWanHub.yaml
new file mode 100644
index 000000000..a31a5897d
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Performance/revcl-CommonGlobalAzureVirtualWanVirtualWanHub.yaml
@@ -0,0 +1,16 @@
+name: revcl-CommonGlobalAzureVirtualWanVirtualWanHub
+title: Use a Virtual WAN hub per Azure region to connect multiple landing zones together
+ across Azure regions via a common global Azure Virtual WAN.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Performance
+severity: 1
+labels:
+ guid: 54b69bad-33aa-4d5e-ac68-e1d76667313b
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Performance/revcl-MicrosoftBackboneNetworkPrinciple.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Performance/revcl-MicrosoftBackboneNetworkPrinciple.yaml
new file mode 100644
index 000000000..6711e3aef
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Performance/revcl-MicrosoftBackboneNetworkPrinciple.yaml
@@ -0,0 +1,16 @@
+name: revcl-MicrosoftBackboneNetworkPrinciple
+title: Follow the principle 'traffic in Azure stays in Azure' so that communication
+ across resources in Azure occurs via the Microsoft backbone network
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Performance
+severity: 2
+labels:
+ guid: 8ac6a9e0-1e6a-483d-b5de-32c199248160
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-AzureVirtualWanLimitsNetworkArchitecture.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-AzureVirtualWanLimitsNetworkArchitecture.yaml
new file mode 100644
index 000000000..2a05c6d6e
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-AzureVirtualWanLimitsNetworkArchitecture.yaml
@@ -0,0 +1,15 @@
+name: revcl-AzureVirtualWanLimitsNetworkArchitecture
+title: Ensure that the network architecture is within the Azure Virtual WAN limits.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Reliability
+severity: 1
+labels:
+ guid: 6667313b-4f56-464b-9e98-4a859c773e7d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-EnoughIpSpaceVirtualHubs.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-EnoughIpSpaceVirtualHubs.yaml
new file mode 100644
index 000000000..ccbd6a430
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-EnoughIpSpaceVirtualHubs.yaml
@@ -0,0 +1,15 @@
+name: revcl-EnoughIpSpaceVirtualHubs
+title: Assign enough IP space to virtual hubs, ideally a /23 prefix.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Reliability
+severity: 0
+labels:
+ guid: 9c75dfef-573c-461c-a698-68598595581a
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-HubRoutingPreferenceAsPath.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-HubRoutingPreferenceAsPath.yaml
new file mode 100644
index 000000000..0be13b51f
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-HubRoutingPreferenceAsPath.yaml
@@ -0,0 +1,16 @@
+name: revcl-HubRoutingPreferenceAsPath
+title: Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute
+ or VPN.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Reliability
+severity: 1
+labels:
+ guid: d49ac006-6670-4bc9-9948-d3e0a3a94f4d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-IacDeploymentsLabelBasedPropagation.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-IacDeploymentsLabelBasedPropagation.yaml
new file mode 100644
index 000000000..6aa3bd2b7
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-IacDeploymentsLabelBasedPropagation.yaml
@@ -0,0 +1,16 @@
+name: revcl-IacDeploymentsLabelBasedPropagation
+title: Make sure that your IaC deployments are configuring label-based propagation
+ in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Reliability
+severity: 1
+labels:
+ guid: 2586b854-237e-47f1-84a1-d45d4cd2310d
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-IacDeploymentsVirtualWan.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-IacDeploymentsVirtualWan.yaml
new file mode 100644
index 000000000..d824f8a49
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Reliability/revcl-IacDeploymentsVirtualWan.yaml
@@ -0,0 +1,16 @@
+name: revcl-IacDeploymentsVirtualWan
+title: Make sure that your IaC deployments does not disable branch-to-branch traffic
+ in Virtual WAN, unless these flows should be explicitly blocked.
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Reliability
+severity: 1
+labels:
+ guid: 727c77e1-b9aa-4a37-a024-129d042422c1
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan
+queries: {}
diff --git a/v2/recos/Services/microsoftnetwork-virtualWans/Security/revcl-OutboundInternetTrafficProtectionAzureFirewall.yaml b/v2/recos/Services/microsoftnetwork-virtualWans/Security/revcl-OutboundInternetTrafficProtectionAzureFirewall.yaml
new file mode 100644
index 000000000..b3b6f0004
--- /dev/null
+++ b/v2/recos/Services/microsoftnetwork-virtualWans/Security/revcl-OutboundInternetTrafficProtectionAzureFirewall.yaml
@@ -0,0 +1,20 @@
+name: revcl-OutboundInternetTrafficProtectionAzureFirewall
+title: For outbound Internet traffic protection and filtering, deploy Azure Firewall
+ in secured hubs
+source:
+ type: revcl
+ file: ./checklists/waf_checklist.en.json
+resourceTypes:
+- microsoft.network/virtualwans
+waf: Security
+severity: 1
+labels:
+ guid: 7d5d1e4e-6146-458d-9558-fd77249b8211
+links:
+- type: docs
+ url: https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about
+- type: docs
+ url: https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/
+queries:
+ arg: resources | where type=='microsoft.network/virtualhubs' | extend compliant
+ = isnotnull(properties.azureFirewall.id) | project id, compliant
diff --git a/v2/schema/checklist.schema.json b/v2/schema/checklist.schema.json
new file mode 100644
index 000000000..54d6cb491
--- /dev/null
+++ b/v2/schema/checklist.schema.json
@@ -0,0 +1,114 @@
+{
+ "$schema": "https://json-schema.org/2020-12/schema#",
+ "$id": "https://github.com/Azure/review-checklists/v2/checklist.schema.json",
+ "title": "Checklist",
+ "type": "object",
+ "anyOf": [
+ {"required": ["include"]},
+ {"required": ["exclude"]},
+ {"required": ["areas"]}
+ ],
+ "required": ["name"],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Human readable name for the checklist.",
+ "minLength": 5,
+ "maxLength": 50
+ },
+ "include": {
+ "$ref": "#/definitions/selectorBlock"
+ },
+ "exclude": {
+ "$ref": "#/definitions/selectorBlock"
+ },
+ "areas": {
+ "type": "array",
+ "description": "Areas included in the checklist.",
+ "items": {
+ "type": "object",
+ "description": "Areas included in the checklist.",
+ "anyOf": [
+ {"required": ["include"]},
+ {"required": ["exclude"]},
+ {"required": ["subareas"]}
+ ],
+ "properties": {
+ "include": {
+ "$ref": "#/definitions/selectorBlock"
+ },
+ "exclude": {
+ "$ref": "#/definitions/selectorBlock"
+ },
+ "subareas": {
+ "type": "array",
+ "description": "Subareas included in the checklist.",
+ "items": {
+ "type": "object",
+ "description": "Subareas included in the checklist.",
+ "anyOf": [
+ {"required": ["include"]},
+ {"required": ["exclude"]}
+ ],
+ "properties": {
+ "include": {
+ "$ref": "#/definitions/selectorBlock"
+ },
+ "exclude": {
+ "$ref": "#/definitions/selectorBlock"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "definitions": {
+ "selectorBlock": {
+ "type": "object",
+ "anyOf": [
+ {"required": ["nameSelector"]},
+ {"required": ["resourceTypeSelector"]},
+ {"required": ["wafSelector"]},
+ {"required": ["sourceSelector"]}
+ ],
+ "properties": {
+ "nameSelector": {
+ "type": "array",
+ "description": "List of names that will be matched by the selector.",
+ "items": {
+ "type": "string",
+ "minLength": 5,
+ "maxLength": 100
+ }
+ },
+ "resourceTypeSelector": {
+ "type": "array",
+ "description": "List of resource types that will be matched by the selector.",
+ "items": {
+ "type": "string",
+ "minLength": 4,
+ "maxLength": 50
+ }
+ },
+ "wafSelector": {
+ "type": "array",
+ "description": "List of WAF pillars that will be matched by the selector.",
+ "items": {
+ "type": "string",
+ "enum": ["Security", "Performance", "Reliability", "Cost", "Operations"]
+ }
+ },
+ "sourceSelector": {
+ "type": "array",
+ "description": "List of reco sources that will be matched by the selector.",
+ "items": {
+ "type": "string",
+ "enum": ["revcl", "aprl", "wafsg"]
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
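Review bot: The `$schema` value at the top of the hunk, `"https://json-schema.org/2020-12/schema#"`, is not the 2020-12 meta-schema URI (that is `https://json-schema.org/draft/2020-12/schema`, with `draft/` and no trailing `#`), so validators will likely not recognise the dialect and will fall back to their default draft or reject the document; the same string is used in recommendation.schema.json below. Under 2020-12 the reusable block should also live under `$defs` rather than the draft-07 `definitions` keyword, with the references changed to `"$ref": "#/$defs/selectorBlock"`. Separately, neither the top-level object nor `selectorBlock` sets `"additionalProperties": false`, so a mistyped key such as a misspelled selector name passes validation and silently matches nothing instead of failing the checklist build; adding it at both levels turns that into a validation error.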
diff --git a/v2/schema/recommendation.schema.json b/v2/schema/recommendation.schema.json
new file mode 100644
index 000000000..f116c1583
--- /dev/null
+++ b/v2/schema/recommendation.schema.json
@@ -0,0 +1,141 @@
+{
+ "$schema": "https://json-schema.org/2020-12/schema#",
+ "$id": "https://github.com/Azure/review-checklists/v2/recommendation.schema.json",
+ "title": "Recommendation",
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Unique identifier for the recommendation, human readable.",
+ "pattern": "^[0-9A-Za-z\\-]+$",
+ "minLength": 5,
+ "maxLength": 100,
+ "$comment": "Names added for human readability, even if not strictly necessary when having GUIDs."
+ },
+ "title": {
+ "type": "string",
+ "description": "Recommendation text.",
+ "minLength": 5,
+ "maxLength": 1000
+ },
+ "description": {
+ "type": "string",
+ "description": "More verbose recommendation description.",
+ "maxLength": 2000
+ },
+ "severity": {
+ "type": "integer",
+ "description": "Severity of the recommendation.",
+ "enum": [0, 1, 2],
+ "$comment": "0: High, 1: Medium, 2: Low"
+ },
+ "waf": {
+ "type": "string",
+ "description": "WAF pillar.",
+ "enum": ["Security", "Performance", "Reliability", "Cost", "Operations"]
+ },
+ "source": {
+ "type": "object",
+ "description": "Source of the recommendation.",
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "Type of the source.",
+ "enum": ["revcl", "aprl", "wafsg"]
+ },
+ "url": {
+ "type": "string",
+ "description": "ID of the source."
+ }
+ }
+ },
+ "reviewedDate": {
+ "type": "string",
+ "description": "WAF pillar.",
+ "format": "date"
+ },
+ "resourceTypes": {
+ "type": "array",
+ "description": "List of resource types that this recommendation applies to.",
+ "items": {
+ "type": "string",
+ "minLength": 5,
+ "maxLength": 100
+ }
+ },
+ "automatable": {
+ "type": "boolean",
+ "description": "Whether this check can be automated via some kind of query, such as Azure Resource Graph."
+ },
+ "queries": {
+ "type": "object",
+ "description": "Query to find the resources that this recommendation applies to.",
+ "properties": {
+ "arg": {
+ "type": "string",
+ "description": "Azure Resource Graph query"
+ }
+ }
+ },
+ "links": {
+ "type": "array",
+ "description": "List of links to documentation or other resources.",
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "target type.",
+ "enum": ["docs", "training", "other"]
+ },
+ "url": {
+ "type": "string",
+ "description": "Link URL."
+ }
+ }
+ }
+ },
+ "labels": {
+ "type": "object",
+ "description": "Optional labels for the recommendation."
+ },
+ "constraints": {
+ "type": "array",
+ "description": "List of constraints that this recommendation applies to.",
+ "items": {
+ "type": "object",
+ "properties": {
+ "field": {
+ "type": "string",
+ "description": "Variable to compare."
+ },
+ "operator": {
+ "type": "string",
+ "description": "Comparison operator.",
+ "enum": ["equals", "greater", "less", "contains", "startsWith", "endsWith"]
+ },
+ "value": {
+ "type": "string",
+ "description": "Value to compare against"
+ },
+ "effect": {
+ "type": "string",
+ "description": "Effect of the constraint.",
+ "enum": ["show", "hide"],
+ "$comment": "Show or hide the recommendation."
+ }
+ }
+ }
+ },
+ "duplicates": {
+ "type": "array",
+ "description": "List of names of recommendations that are duplicates of this one.",
+ "items": {
+ "type": "string",
+ "minLength": 36,
+ "maxLength": 36
+ }
+ }
+ },
+ "required": ["name", "title", "severity"]
+}
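Review bot: The `$schema` value on the second line of the new file, `https://json-schema.org/2020-12/schema#`, is not the published 2020-12 meta-schema identifier (`https://json-schema.org/draft/2020-12/schema`), so a validator that dispatches on the dialect will either reject the document or silently fall back to a default draft, and keywords such as `$comment` and `format` may not be interpreted as intended. Two descriptions look copy-pasted: `reviewedDate` is described as "WAF pillar." and `source.url` as "ID of the source."; I would change them to `"description": "Date the recommendation was last reviewed."` and `"description": "URL of the source."`. The `duplicates` items are pinned to exactly 36 characters, which fits a GUID but not the `name` property they are described as referencing (5–100 characters, pattern `^[0-9A-Za-z\-]+$`), so either the description or the length bounds should change. Since no object in the schema sets `"additionalProperties": false`, misspelled or unexpected keys pass validation silently; consider adding it at least on the top-level object and on `source`, given that `required` only covers `name`, `title` and `severity`.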