diff --git a/checklists/avs_checklist.en.json b/checklists/avs_checklist.en.json
index 61369b082..55269466e 100644
--- a/checklists/avs_checklist.en.json
+++ b/checklists/avs_checklist.en.json
@@ -1,1206 +1,888 @@
 {
- "$schema": "checklist.schema.json",
- "items": [
- {
- "category": "BCDR",
- "subcategory": "Backup",
- "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
- "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
- "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Business Continuity",
- "text": "Use MABS as your backup solution",
- "description": "Microsoft backup service",
- "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Business Continuity",
- "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
- "description": "Best practice - this is Backup, not disaster recovery",
- "guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae",
- "link": "Best practice to deploy backup in the same region as your AVS deployment",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Business Continuity",
- "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS",
- "description": "Best practice - in case AVS is unavailable",
- "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Business Continuity",
- "text": "Escalation process with Microsoft in the event of a regional DR",
- "description": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
- "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0",
- "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Disaster Recovery",
- "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution",
- "description": "Compare SRM with HCX",
- "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Disaster Recovery",
- "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
- "description": "Recovery into Azure instead of Vmware solution",
- "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19",
- "link": "https://docs.microsoft.com/en-us/azure/site-recovery/avs-tutorial-prepare-azure",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Disaster Recovery",
- "text": "Use Automated recovery plans with either of the Disaster solutions,",
- "description": "Avoid manual tasks as much as possible",
- "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9",
- "link": "https://docs.microsoft.com/en-us/azure/site-recovery/avs-tutorial-prepare-azure",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Disaster Recovery",
- "text": "Configure a secondary disaster recovery environment",
- "description": "Any other datacenter in the same region",
- "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/connect-multiple-private-clouds-same-region",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Disaster Recovery",
- "text": "Assign IP ranges unique to each region",
- "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
- "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f",
- "link": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Disaster Recovery",
- "text": "Use Global Reach between DR regions",
- "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?",
- "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c",
- "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Encryption",
- "text": "Use Azure Key Vault with in-guest encryption ",
- "description": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
- "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646",
- "link": "General recommendation for storing encryption keys.",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Encryption",
- "text": "Use in-guest encryption",
- "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
- "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-storage#data-at-rest-encryption",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Encryption",
- "text": "Keyvault use for secrets",
- "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
- "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e",
- "link": "https://docs.microsoft.com/en-us/azure/key-vault/general/authentication",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Extended support",
- "text": "Ensure extended security update support ",
- "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU",
- "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08",
- "link": "https://docs.microsoft.com/en-us/windows-server/get-started/extended-security-updates-deploy",
- "severity": "Medium"
- },
- {
- "category": "BCDR",
- "subcategory": "Investigation",
- "text": "Enable Azure Sentinel or 3rd party SIEM ",
- "description": "Use a SIEM/SOAR",
- "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a",
- "link": "https://learn.microsoft.com/en-us/azure/sentinel/overview",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Direct (no vWAN, no H&S)",
- "text": "Global Reach to ExR circuit - no Azure resources",
- "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections",
- "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "ExpressRoute",
- "text": "Connect to Azure using ExR",
- "description": "Use ExR to connect on-premises (other) location to Azure",
- "guid": "f62ce162-ba5a-429d-674e-fafa1af5f706",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "ExpressRoute",
- "text": "Bandwidth sizing",
- "description": "Use the migration assesment tool and timeline to determine bandwidth required",
- "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340",
- "link": "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "ExpressRoute",
- "text": "Traffic routing ",
- "description": "What traffic is routed through a firewall, what goes directly into Azure",
- "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "ExpressRoute",
- "text": "Global Reach ",
- "description": "AVS to ExR circuit, no traffic inspection",
- "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Hub & Spoke",
- "text": "vNet name & address space",
- "description": "Name of the vNet and a unique address space /24 minimum",
- "guid": "91f7a87b-21ac-d712-959c-8df2ba034253",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-network/quick-create-portal",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Hub & Spoke",
- "text": "Gateway subnet",
- "description": "Subnet must be called GatewaySubnet",
- "guid": "58a027e2-f37f-b540-45d5-e44843aba26b",
- "link": "https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Hub & Spoke",
- "text": "VPN Gateway",
- "description": "Create a VPN gateway on the hub Gateway subnet",
- "guid": "d4806549-0913-3e79-b580-ac2d3706e65a",
- "link": "https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Hub & Spoke",
- "text": "ExR Gateway",
- "description": "Create an ExR Gateway in the hub Gateway subnet.",
- "guid": "864d7a8b-7016-c769-a717-61af6bfb73d2",
- "link": "https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Internet",
- "text": "Egress point",
- "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?",
- "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/enable-public-internet-access",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Jumpbox & Bastion",
- "text": "Remote connectivity to AVS",
- "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX",
- "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f",
- "link": "https://learn.microsoft.com/en-us/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Jumpbox & Bastion",
- "text": "Configure a jumbox and Azure Bastion",
- "description": "Name the jumpbox and identify the subnet where it will be hosted",
- "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857",
- "link": "https://learn.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "Jumpbox & Bastion",
- "text": "Security measure allowing RDP access via the portal",
- "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.",
- "guid": "ba430d58-4541-085c-3641-068c00be9bc5",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "VPN",
- "text": "Connect to Azure using a VPN",
- "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)",
- "guid": "9988598f-2a9f-6b12-9b46-488415ceb325",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-site-to-site-vpn-gateway",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "VPN",
- "text": "Bandwidth sizing",
- "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)",
- "guid": "956ce5e9-a862-fe2b-a50d-a22923569357",
- "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "VPN",
- "text": "Traffic routing ",
- "description": "What traffic is routed through a firewall, what goes directly into Azure",
- "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "vWAN hub",
- "text": "vWAN name, hub name and address space",
- "description": "Name and unique address space for the vWAN, name for the vWAN hub",
- "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "vWAN hub",
- "text": "ExR and/or VPN gateway provisioned",
- "description": "Select either boh or the appropriate connection type.",
- "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-point-to-site-portal",
- "severity": "Medium"
- },
- {
- "category": "Connectivity",
- "subcategory": "vWAN hub",
- "text": "Secure vWAN",
- "description": "Add Azure firewall to vWAN (recommended)",
- "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-expressroute-portal",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Access",
- "text": "External Identity (user accounts)",
- "description": "Active directory or other identity provider servers",
- "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-identity-source-vcenter",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Access",
- "text": "If using AD domain, ensure Sites & Services has been configured",
- "description": "Not required for LDAPS, required for Kerberos",
- "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997",
- "link": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Access",
- "text": "Use LDAPS not ldap ( vCenter)",
- "description": "Authentication for users, must be secure.",
- "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-identity-source-vcenter",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Access",
- "text": "Use LDAPS not ldap (NSX-T)",
- "description": "Authentication for users, must be secure.",
- "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-external-identity-source-nsx-t",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security",
- "text": "Security certificate installed on LDAPS servers ",
- "description": "CN or SAN names, no wildcards, contains private key - CER or PFX",
- "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c",
- "link": "https://youtu.be/4jvfbsrhnEs",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security",
- "text": "RBAC applied to Azure roles",
- "description": "Standard Azure Roles Based Access Controls",
- "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-identity",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security",
- "text": "RBAC model in vCenter",
- "description": "Create roles in vCenter required to meet minimum viable access guidelines",
- "guid": "b04ca129-83a9-3494-7512-347dd2d766db",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security",
- "text": "CloudAdmin role usage",
- "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
- "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb",
- "link": "Best practice",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security ",
- "text": "Is Privileged Identity Management implemented",
- "description": "For roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
- "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63",
- "link": "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security ",
- "text": "Is Privileged Identity Management audit reporting implemented",
- "description": "For the Azure VMware Solution PIM roles",
- "guid": "0842d45f-41a8-8274-1155-2f6ed554d315",
- "link": "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security ",
- "text": "Limit use of CloudAdmin account to emergency access only",
- "description": "Best practice, also see Monitoring/Alerts",
- "guid": "915cbcd7-0640-eb7c-4162-9f33775de559",
- "link": "Best practice",
- "severity": "Medium"
- },
- {
- "category": "Identity",
- "subcategory": "Security ",
- "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
- "description": "Operational procedure",
- "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal",
- "severity": "Medium"
- },
- {
- "category": "Management",
- "subcategory": "Operations",
- "text": "AVS VM Management (Azure Arc)",
- "description": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
- "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82",
- "link": "https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/overview",
- "severity": "Medium"
- },
- {
- "category": "Management",
- "subcategory": "Operations",
- "text": "Azure policy",
- "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
- "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0",
- "link": "https://docs.microsoft.com/en-us/azure/governance/policy/overview",
- "severity": "Medium"
- },
- {
- "category": "Management",
- "subcategory": "Operations",
- "text": "Resource locks",
- "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
- "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db",
- "link": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks",
- "severity": "Medium"
- },
- {
- "category": "Management",
- "subcategory": "Operations",
- "text": "Run books",
- "description": "For manual deployments, all configuration and deployments must be documented",
- "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e",
- "link": "Make sure to create your own runbook on the deployment of AVS.",
- "severity": "Medium"
- },
- {
- "category": "Management",
- "subcategory": "Operations",
- "text": "Naming conventions for auth keys",
- "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
- "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030",
- "link": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Alerts",
- "text": "Create warning alerts for critical thresholds ",
- "description": "For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
- "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/configure-alerts-for-azure-vmware-solution",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Alerts",
- "text": "Create critical alert vSAN consumption",
- "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
- "guid": "6d02f159-627d-79bf-a931-fab6d947eda2",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/configure-alerts-for-azure-vmware-solution",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Alerts",
- "text": "Configured for Azure Service Health alerts and notifications",
- "description": "Provides platform alerts (generated by Microsoft)",
- "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951",
- "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Backup",
- "text": "Backup policy",
- "description": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
- "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Capacity",
- "text": "Policy around ESXi host density and efficiency",
- "description": "Keep in mind the lead time for requesting new nodes",
- "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/configure-alerts-for-azure-vmware-solution",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Costs",
- "text": "Ensure a good cost management process is in place for Azure VMware Solution - ",
- "description": "Azure Cost Management can be used - one option, put AVS in it's own Subscription. ",
- "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279",
- "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/govern",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Dashboard",
- "text": "Connection monitor dashboard",
- "description": "Create dashboards to enable core Azure VMware Solution monitoring insights",
- "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74",
- "link": "https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-dashboards",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Logs & Metrics",
- "text": "Configure Azure VMware Solution logging ",
- "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)",
- "guid": "f9afdcc9-649d-d840-9fb5-a3c0edcc697d",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/configure-vmware-syslogs",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Logs & Metrics",
- "text": "vRealize Operations",
- "description": "Must be on-premises, implement if available",
- "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6",
- "link": "Is vROPS or vRealize Network Insight going to be used? ",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Logs & Metrics",
- "text": "AVS VM logging",
- "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
- "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/configure-vmware-syslogs",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Network",
- "text": "Monitor ExpressRoute and/or VPN connections ",
- "description": "Between on-premises to Azure are monitored using 'connection monitor'",
- "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3",
- "link": "https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Network",
- "text": "Monitor from an Azure native resource to an Azure VMware Solution VM",
- "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)",
- "guid": "99209143-60fe-19f0-5633-8b5671277ba5",
- "link": "https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Network",
- "text": "Monitor from an on-premises resource to an Azure VMware Solution VM",
- "description": "To monitor end-to-end, on-premises to AVS workloads",
- "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe",
- "link": "https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Security",
- "text": "Auditing and logging is implemented for inbound internet ",
- "description": "Track requests to Azure VMware Solution and Azure VMware Solution based workloads",
- "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962",
- "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "Security",
- "text": "Session monitoring ",
- "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
- "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5",
- "link": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "VMWare",
- "text": "Logging and diagnostics",
- "description": "Enable Diagnostic and metric logging on Azure VMware Solution",
- "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/configure-vmware-syslogs",
- "severity": "Medium"
- },
- {
- "category": "Monitoring",
- "subcategory": "VMware",
- "text": "Log Analytics Agents deployed on Azure VMware Solution guest VM workloads",
- "description": "Monitor AVS workloads (each VM in AVS)",
- "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a",
- "link": "https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Hub & Spoke",
- "text": "North/South routing through Az Firewall or 3rd party ",
- "description": "Decision on traffic flow",
- "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-hub-and-spoke",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Hub & Spoke",
- "text": "East West (Internal to Azure)",
- "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)",
- "guid": "29a8a499-ec31-f336-3266-0895f035e379",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-hub-and-spoke",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Hub & Spoke",
- "text": "ExR without Global Reach",
- "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)",
- "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523",
- "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Hub & Spoke",
- "text": "Route server ",
- "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN",
- "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506",
- "link": "https://learn.microsoft.com/en-us/azure/route-server/route-server-faq",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Internet",
- "text": "Egress point(s)",
- "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP",
- "guid": "a4070dad-3def-818d-e9f7-be440d10e7de",
- "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-design-public-internet-access",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Internet",
- "text": "Internet facing applications",
- "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure Frontdoor ",
- "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937",
- "link": "Research and choose optimal solution for each application",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Routing",
- "text": "When route server Route limit understood? ",
- "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN",
- "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37",
- "link": "https://docs.microsoft.com/en-us/azure/route-server/route-server-faq#route-server-limits",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Security",
- "text": "Is DDoS standard protection of public facing IP addresses? ",
- "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)",
- "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a",
- "link": "https://docs.microsoft.com/en-us/azure/ddos-protection/manage-ddos-protection",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Security",
- "text": "Use a dedicated privileged access workstation (PAW)",
- "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
- "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32",
- "link": "Best practice: Bastion or 3rd party tool",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "Traffic Inspection",
- "text": "East West (Internal to AVS)",
- "description": "Use NSX-T for inter-vmware-traffic inspection",
- "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f",
- "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "vWAN",
- "text": "Use Secure Hub (Azure Firewall or 3rd party)",
- "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach",
- "guid": "3f621543-dfac-c471-54a6-7b2849b6909a",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/networking/hub-spoke-vwan-architecture",
- "severity": "Medium"
- },
- {
- "category": "Networking",
- "subcategory": "vWAN",
- "text": "East West (Internal to Azure)",
- "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)",
- "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b",
- "link": "https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Automated Scale",
- "text": "Scale out operations planning",
- "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
- "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161",
- "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/configure-nsx-network-components-azure-portal",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Automated Scale",
- "text": "Scale in operations planning",
- "description": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
- "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece",
- "link": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Automated Scale",
- "text": "Scale serialized operations planning",
- "description": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
- "guid": "3233e49e-62ce-97f3-8737-8230e771b694",
- "link": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Automated Scale",
- "text": "Scale rd operations planning",
- "description": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
- "guid": "68161d66-5707-319b-e77d-9217da892593",
- "link": "Best practice (testing)",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Automated Scale",
- "text": "Scale maximum operations planning",
- "description": "Define and enforce scale in/out maximum limits for your environment in the automations",
- "guid": "c32cb953-e860-f204-957a-c79d61202669",
- "link": "Operational planning - understand workload requirements",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Automated Scale",
- "text": "Monitor scaling operations ",
- "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
- "guid": "7bd65a5e-7b5d-652d-dbea-fc6f73a42857",
- "link": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Networking",
- "text": "Private link",
- "description": "Consider the use of Azure Private-Link when using other Azure Native Services",
- "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7",
- "link": "https://learn.microsoft.com/en-us/azure/private-link/private-link-overview",
- "severity": "Medium"
- },
- {
- "category": "Other Services/Operations",
- "subcategory": "Networking",
- "text": "Provisioning Vmware VLANs",
- "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
- "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2",
- "link": "Best practice",
- "severity": "Medium"
- },
- {
- "category": "Planning",
- "subcategory": "Pre-deployment",
- "text": "Region selected",
- "description": "In which region will AVS be deployed",
- "guid": "04e3a2f9-83b7-968a-1044-2811811a924b",
- "link": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology",
- "severity": "Medium"
- },
- {
- "category": "Planning",
- "subcategory": "Pre-deployment",
- "text": "Data residency compliant with selected regions",
- "description": "Are there regulatory or compliance policies in play",
- "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b",
- "link": "Internal policy or regulatory compliance",
- "severity": "Medium"
- },
- {
- "category": "Planning",
- "subcategory": "Pre-deployment",
- "text": "Request for number of AVS hosts submitted ",
- "description": "Request through the support blade",
- "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b",
- "link": "https://learn.microsoft.com/en-us/azure/migrate/concepts-azure-vmware-solution-assessment-calculation",
- "severity": "Medium"
- },
- {
- "category": "Planning",
- "subcategory": "Pre-deployment",
- "text": "Region and number of AVS nodes approved",
- "description": "PG approval for deployment",
- "guid": "28370f63-1cb8-2e35-907f-c5516b6954fa",
- "link": "Support request through portal or get help from Account Team",
- "severity": "Medium"
- },
- {
- "category": "Planning",
- "subcategory": "Pre-deployment",
- "text": "Resource provider for AVS registered",
- "description": "Portal/subscription/resource providers/ Microsoft.AVS",
- "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa",
- "link": "Done through the subscription/resource providers/ AVS register in the portal",
- "severity": "Medium"
- },
- {
- "category": "Planning",
- "subcategory": "Pre-deployment",
- "text": "Landing zone architecture",
- "description": "Connectivity, subscription & governanace model",
- "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63",
- "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone",
- "severity": "Medium"
- },
- {
- "category": "Planning",
- "subcategory": "Pre-deployment",
- "text": "Resource group name 
selected", - "description": "The name of the RG where AVS will exist", - "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "Deployment prefix selected", - "description": "Each resource created as part of the deployment will also utilize this prefix in the name", - "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", - "link": "Best practice - naming standards", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "Network space for AVS management layer", - "description": "/22 unique non-overlapping IPv4 address space", - "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "Network space for AVS NSX-T segments", - "description": "vNets used by workloads running in AVS (non-stretched)", - "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", - "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "AVS SKU (region dependent)", - "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", - "guid": "946c8966-f902-6f53-4f37-00847e8895c2", - "link": "https://azure.microsoft.com/en-us/pricing/details/azure-vmware/", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "Number of hosts to be deployed", - "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", - "guid": 
"31833808-26ba-9c31-416f-d54a89a17f5d", - "link": "https://learn.microsoft.com/en-us/azure/migrate/how-to-assess", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "Reserverd Instances", - "description": "Understand how and if you should be using reserved instances (cost control)", - "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", - "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "Capacity ", - "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", - "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "Networking & Connectivity See docs describing scenrario 1 through 5", - "description": "Identify which of the networking scenarios make ", - "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", - "severity": "Medium" - }, - { - "category": "Planning", - "subcategory": "Pre-deployment", - "text": "3rd party application compatibility ", - "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", - "link": "Please Check Partner Ecosystem", - "severity": "Medium" - }, - { - "category": "Security", - "subcategory": "Security", - "text": "Enable Advanced Threat Detection ", - "description": "MS Defender For Cloud, for workloads running on 
Azure VMware Solution", - "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/azure-security-integration#prerequisites", - "severity": "Medium" - }, - { - "category": "Security", - "subcategory": "Security", - "text": "Policy & Regulatory Compliance", - "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", - "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", - "link": "https://docs.microsoft.com/en-us/azure/azure-vmware/azure-security-integration", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Firewalls", - "text": "Azure / 3rd party firewall", - "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", - "guid": "607c1ca9-da92-ae19-5a4c-eb1e876acbe7", - "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling.", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Firewalls", - "text": "Firewalls allow for East/West traffic inside AVS", - "description": "To allow HCX appliance to connect/sync", - "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", - "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Networking", - "text": "HCX and/or SRM", - "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", - "guid": "468b3495-2f6e-b65a-38ef-3ba631bcaa46", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": 
"Networking", - "text": "Configuring and Managing the HCX Interconnect", - "description": "Read up on requirements for Service Mesh requirements and how HCX ", - "guid": "be2ced52-da08-d366-cf7c-044c19e29509", - "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Networking", - "text": "Restrictions and limitations for network extensions", - "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", - "guid": "7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Networking", - "text": "Mobility optimized networking", - "description": "Do workloads require MoN?", - "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/vmware-hcx-mon-guidance", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "On-premises pre-requisites", - "text": "Support matrix (OS versions etc).", - "description": "Operating system level of Vmware environment", - "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", - "link": "https://learn.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "On-premises pre-requisites", - "text": "Standard switches converted to dynamic switches", - "description": "Required that all switches are dynamic", - "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20", - "severity": 
"Medium" - }, - { - "category": "VMware", - "subcategory": "On-premises pre-requisites", - "text": "Capacity for HCX appliance", - "description": "See sections on sizing and capacity in the link.", - "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/plan-private-cloud-deployment", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "On-premises pre-requisites", - "text": "Hardware compatibility", - "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", - "guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", - "link": "https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "VSAN RDM disks are converted - not supported.", - "description": "Need to be converted", - "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "VM with SCSI shared bus are not supported", - "description": "Need to be converted", - "guid": "eb2f9313-afb2-ab35-aa24-6d97a3cb0611", - "link": "3rd-Party tools", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "VM with Direct IO require removing DirectPath device", - "description": "Remove Direct IO before migration", - "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381", - "link": "Contact VMware", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "Shared VMDK files are not supported", - "description": "Cannot migrate clusters ", - "guid": "efc8a311-74f8-0252-c6a0-4bac7610e266", - "link": "Contact VMware", - "severity": "Medium" - }, - { 
- "category": "VMware", - "subcategory": "Storage", - "text": "RDM with 'physical compatibility mode' are not supported.", - "description": "Convert to a different format", - "guid": "ab6c89cd-a26f-b894-fe59-61863975458e", - "link": "Contact VMware", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "Default storage policy", - "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning", - "guid": "7628d446-6b10-9678-9cec-f407d990de43", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "Ensure that the appropriate VM template storage policy is used", - "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.", - "guid": "37fef358-7ab9-43a9-542c-22673955200e", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-storage-policy", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "Failure to tolerate policy", - "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", - "severity": "Medium" - }, - { - "category": "VMware", - "subcategory": "Storage", - "text": "Use ANF for external storage", - "description": "ANF can be used to extend storage for Azure VMware Solution,", - "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863", - "link": "https://learn.microsoft.com/en-us/azure/azure-vmware/netapp-files-with-azure-vmware-solution", - "severity": "Medium" - } - ], - "categories": [ - { - "name": 
"Planning" - }, - { - "name": "Connectivity" - }, - { - "name": "Identity" - }, - { - "name": "Networking" - }, - { - "name": "Security" - }, - { - "name": "Monitoring" - }, - { - "name": "BCDR" - }, - { - "name": "Other Services/Operations" - }, - { - "name": "Management" - } - ], - "status": [ - { - "name": "Not verified", - "description": "This check has not been looked at yet" - }, - { - "name": "Open", - "description": "There is an action item associated to this check" - }, - { - "name": "Fulfilled", - "description": "This check has been verified, and there are no further action items associated to it" - }, - { - "name": "Not required", - "description": "Recommendation understood, but not needed by current requirements" - }, - { - "name": "N/A", - "description": "Not applicable for current design" - } - ], - "severities": [ - { - "name": "High" - }, - { - "name": "Medium" - }, - { - "name": "Low" - } - ], - "metadata": { - "name": "Azure VMware Solution Checklist", - "state": "Preview", - "timestamp": "June 05, 2023" + "items": [ + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", + "waf": "Security", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "id": "A01.01", + "severity": "High" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", + "waf": "Security", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "id": "A01.02", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "waf": "Security", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "id": "A01.03", + "severity": "High" + }, + { + "category": "Identity", + 
"subcategory": "Identity", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "waf": "Security", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "id": "A01.04", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "waf": "Security", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "id": "A01.05", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider", + "waf": "Security", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "id": "A01.06", + "severity": "High" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Has an RBAC model been created for use within VMware vSphere", + "waf": "Security", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "id": "A01.07", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "id": "A01.08", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "waf": "Security", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "id": "A01.09", + "severity": "High" + }, + { + "category": "Networking", + "subcategory": "Architecture", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "id": "B01.01", + "severity": "High", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking" + }, + { + "category": "Networking", + 
"subcategory": "Monitoring", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations", + "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", + "id": "B02.01", + "severity": "High" + }, + { + "category": "Networking", + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": "Operations", + "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", + "id": "B02.02", + "severity": "Medium" + }, + { + "category": "Networking", + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations", + "guid": "25659d35-58fd-4772-99c9-31112d027fe4", + "id": "B02.03", + "severity": "Medium" + }, + { + "category": "Networking", + "subcategory": "Routing", + "text": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). 
Important when using MoN", + "waf": "Operations", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "id": "B03.01", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "waf": "Security", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "id": "C01.01", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Is Privileged Identity Management audit reporting implemented for the Azure VMware Solution PIM roles", + "waf": "Security", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "id": "C01.02", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Limit use of CloudAdmin account to emergency access only", + "waf": "Security", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "id": "C01.03", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", + "waf": "Security", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "id": "C01.04", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "waf": "Security", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "id": "C01.05", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "waf": "Security", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "id": "C01.06", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security 
(network)", + "text": "Is East-West traffic filtering implemented within NSX-T", + "waf": "Security", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "id": "C02.01", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "waf": "Security", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "id": "C02.02", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "waf": "Security", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "id": "C02.03", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "waf": "Security", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "id": "C02.04", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", + "waf": "Security", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "id": "C02.05", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "waf": "Security", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "id": "C02.06", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Enable Advanced Threat Detection 
(Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", + "waf": "Security", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "id": "C03.01", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "waf": "Security", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "id": "C03.02", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "waf": "Security", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "id": "C03.03", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "waf": "Security", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "id": "C03.04", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Ensure extended security update support is configured for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "waf": "Security", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "id": "C03.05", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that the appropriate VM template storage policy is used", + "waf": "Performance", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "id": "C04.01", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that you have requested enough quota, ensuring you 
have considered growth and Disaster Recovery requirement", + "waf": "Reliability", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "id": "C04.02", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "waf": "Reliability", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "id": "C04.03", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Operations", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "id": "C04.04", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + "waf": "Operations", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "id": "C04.05", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "id": "C04.06", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "id": "C04.07", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "waf": "Security", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "id": "C04.08", + "severity": "Medium" + }, + { 
+ "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "waf": "Security", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "id": "C05.01", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "waf": "Security", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "id": "C05.02", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "Operations", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "id": "C05.03", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "waf": "Operations", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "id": "C05.04", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "waf": "Operations", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "id": "C05.05", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Compliance", + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "waf": "Security", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "id": "C06.01", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Compliance", + "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "waf": "Security", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "id": "C06.02", + "severity": "Medium" 
+ },
+ {
+ "category": "Governance",
+ "subcategory": "Compliance",
+ "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
+ "waf": "Security",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "id": "C06.03",
+ "severity": "High"
+ },
+ {
+ "category": "Governance",
+ "subcategory": "Compliance",
+ "text": "Are data processing implications (service provider / service consumer model) clear and documented",
+ "waf": "Security",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "id": "C06.04",
+ "severity": "High"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
+ "waf": "Operations",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "id": "D01.01",
+ "severity": "High"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ "waf": "Operations",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "id": "D01.02",
+ "severity": "High"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
+ "waf": "Operations",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "id": "D01.03",
+ "severity": "High"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
+ "waf": "Operations",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "id": "D01.04",
+ "severity": "High"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
+ "waf": "Operations",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "id": "D01.05",
+ "severity": "Medium"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Monitoring",
+ "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
+ "waf": "Operations",
+ "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
+ "id": "D01.06",
+ "severity": "Low"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
+ "waf": "Operations",
+ "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
+ "id": "D02.01",
+ "severity": "High"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
+ "waf": "Operations",
+ "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "id": "D02.02",
+ "severity": "Medium"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
+ "waf": "Operations",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "id": "D02.03",
+ "severity": "Medium"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
+ "waf": "Operations",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "id": "D02.04",
+ "severity": "Medium"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
+ "waf": "Operations",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "id": "D02.05",
+ "severity": "Medium"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
+ "waf": "Operations",
+ "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
+ "id": "D02.06",
+ "severity": "Medium"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
+ "waf": "Operations",
+ "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
+ "id": "D02.07",
+ "severity": "Medium"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "When ANF is used to extend storage for Azure VMware Solution, ensure it is used at the VM level only for now (ANF as NFS datastore is still in private preview)",
+ "waf": "Operations",
+ "guid": "ab79b188-dab8-4193-8c9f-c9d1bb77036f",
+ "id": "D02.08",
+ "severity": "High"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Security",
+ "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
+ "waf": "Security",
+ "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
+ "id": "D03.01",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Backup",
+ "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
+ "waf": "Reliability",
+ "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "id": "E01.01",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution",
+ "waf": "Reliability",
+ "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "id": "E02.01",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
+ "waf": "Reliability",
+ "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "id": "E02.02",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
+ "waf": "Reliability",
+ "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "id": "E02.03",
+ "severity": "High"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
+ "waf": "Reliability",
+ "guid": "8255461e-2aee-4345-9aec-8339248b262d",
+ "id": "E02.04",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
+ "waf": "Reliability",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "id": "E02.05",
+ "severity": "High"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
+ "waf": "Reliability",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "id": "E02.06",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Use MABS as your backup solution",
+ "waf": "Reliability",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "id": "E03.01",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
+ "waf": "Reliability",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "id": "E03.02",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS",
+ "waf": "Reliability",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "id": "E03.03",
+ "severity": "Medium"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
+ "waf": "Reliability",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "id": "E03.04",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Deployment strategy",
+ "text": "For manual deployments, all configuration and deployments must be documented",
+ "waf": "Operations",
+ "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
+ "id": "F01.01",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Deployment strategy",
+ "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
+ "waf": "Operations",
+ "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
+ "id": "F01.02",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Deployment",
+ "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
+ "waf": "Operations",
+ "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
+ "id": "F02.01",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Deployment",
+ "text": "For automated deployments, request or reserve quota prior to starting the deployment",
+ "waf": "Operations",
+ "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
+ "id": "F02.02",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Deployment",
+ "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
+ "waf": "Operations",
+ "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
+ "id": "F02.03",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Connectivity",
+ "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
+ "waf": "Operations",
+ "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
+ "id": "F03.01",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Connectivity",
+ "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
+ "waf": "Operations",
+ "guid": "255461e2-aee3-4553-afc8-339248b262d6",
+ "id": "F03.02",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Connectivity",
+ "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
+ "waf": "Operations",
+ "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
+ "id": "F03.03",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Connectivity",
+ "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
+ "waf": "Operations",
+ "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
+ "id": "F03.04",
+ "severity": "Low"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Scale",
+ "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
+ "waf": "Performance",
+ "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
+ "id": "F04.01",
+ "severity": "Medium"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Scale",
+ "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
+ "waf": "Performance",
+ "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
+ "id": "F04.02",
+ "severity": "Medium"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Scale",
+ "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
+ "waf": "Performance",
+ "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
+ "id": "F04.03",
+ "severity": "Medium"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Scale",
+ "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
+ "waf": "Performance",
+ "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
+ "id": "F04.04",
+ "severity": "Medium"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Scale",
+ "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
+ "waf": "Performance",
+ "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
+ "id": "F04.05",
+ "severity": "Medium"
+ },
+ {
+ "category": "Platform Automation",
+ "subcategory": "Automated Scale",
+ "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
+ "waf": "Operations",
+ "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
+ "id": "F04.06",
+ "severity": "Medium"
 }
-}
\ No newline at end of file
+ ],
+ "categories": [
+ {
+ "name": "Identity"
+ },
+ {
+ "name": "Networking"
+ },
+ {
+ "name": "Governance"
+ },
+ {
+ "name": "Management"
+ },
+ {
+ "name": "BCDR"
+ },
+ {
+ "name": "Platform Automation"
+ }
+ ],
+ "waf": [
+ {
+ "name": "Reliability"
+ },
+ {
+ "name": "Security"
+ },
+ {
+ "name": "Cost"
+ },
+ {
+ "name": "Operations"
+ },
+ {
+ "name": "Performance"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Yes"
+ },
+ {
+ "name": "No"
+ }
+ ],
+ "status": [
+ {
+ "name": "Not verified",
+ "description": "This check has not been looked at yet"
+ },
+ {
+ "name": "Open",
+ "description": "There is an action item associated to this check"
+ },
+ {
+ "name": "Fulfilled",
+ "description": "This check has been verified, and there are no further action items associated to it"
+ },
+ {
+ "name": "Not required",
+ "description": "Recommendation understood, but not needed by current requirements"
+ },
+ {
+ "name": "N/A",
+ "description": "Not applicable for current design"
+ }
+ ],
+ "severities": [
+ {
+ "name": "High"
+ },
+ {
+ "name": "Medium"
+ },
+ {
+ "name": "Low"
+ }
+ ],
+ "metadata": {
+ "name": "Azure VMware Solution Design Review",
+ "state": "preview"
+ }
+}
diff --git a/checklists/avs_implementation_checklist.en.json b/checklists/avs_implementation_checklist.en.json
new file mode 100644
index 000000000..01f009741
--- /dev/null
+++ b/checklists/avs_implementation_checklist.en.json
@@ -0,0 +1,1482 @@
+{
+ "items": [
+ {
+ "category": "BCDR",
+ "subcategory": "Backup",
+ "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
+ "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
+ "waf": "Reliability",
+ "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b",
+ "id": "A01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Use MABS as your backup solution",
+ "description": "Microsoft backup service",
+ "waf": "Reliability",
+ "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0",
+ "id": "A02.01",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
+ "description": "Best practice - this is Backup, not disaster recovery",
+ "waf": "Reliability",
+ "guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae",
+ "id": "A02.02",
+ "severity": "Medium",
+ "link": "Best practice to deploy backup in the same region as your AVS deployment"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS",
+ "description": "Best practice - in case AVS is unavailable",
+ "waf": "Reliability",
+ "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540",
+ "id": "A02.03",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Business Continuity",
+ "text": "Escalation process with Microsoft in the event of a regional DR",
+ "description": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
+ "waf": "Reliability",
+ "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0",
+ "id": "A02.04",
+ "severity": "Medium",
+ "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution",
+ "description": "Compare SRM with HCX",
+ "waf": "Reliability",
+ "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677",
+ "id": "A03.01",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
+ "description": "Recovery into Azure instead of Vmware solution",
+ "waf": "Reliability",
+ "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19",
+ "id": "A03.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use Automated recovery plans with either of the Disaster solutions,",
+ "description": "Avoid manual tasks as much as possible",
+ "waf": "Reliability",
+ "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9",
+ "id": "A03.03",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Configure a secondary disaster recovery environment",
+ "description": "Any other datacenter in the same region",
+ "waf": "Reliability",
+ "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76",
+ "id": "A03.04",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Assign IP ranges unique to each region",
+ "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
+ "waf": "Reliability",
+ "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f",
+ "id": "A03.05",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Disaster Recovery",
+ "text": "Use Global Reach between DR regions",
+ "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?",
+ "waf": "Reliability",
+ "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c",
+ "id": "A03.06",
+ "severity": "Medium",
+ "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach."
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Direct (no vWAN, no H&S)",
+ "text": "Global Reach to ExR circuit - no Azure resources",
+ "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections",
+ "waf": "Performance",
+ "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952",
+ "id": "B01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "ExpressRoute",
+ "text": "Connect to Azure using ExR",
+ "description": "Use ExR to connect on-premises (other) location to Azure",
+ "waf": "Performance",
+ "guid": "f62ce162-ba5a-429d-674e-fafa1af5f706",
+ "id": "B02.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "ExpressRoute",
+ "text": "Bandwidth sizing",
+ "description": "Use the migration assesment tool and timeline to determine bandwidth required",
+ "waf": "Performance",
+ "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340",
+ "id": "B02.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "ExpressRoute",
+ "text": "Traffic routing ",
+ "description": "What traffic is routed through a firewall, what goes directly into Azure",
+ "waf": "Performance",
+ "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1",
+ "id": "B02.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "ExpressRoute",
+ "text": "Global Reach ",
+ "description": "AVS to ExR circuit, no traffic inspection",
+ "waf": "Performance",
+ "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8",
+ "id": "B02.04",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Hub & Spoke",
+ "text": "VNet name & address space",
+ "description": "Name of the vNet and a unique address space /24 minimum",
+ "waf": "Performance",
+ "guid": "91f7a87b-21ac-d712-959c-8df2ba034253",
+ "id": "B03.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Hub & Spoke",
+ "text": "Gateway subnet",
+ "description": "Subnet must be called GatewaySubnet",
+ "waf": "Performance",
+ "guid": "58a027e2-f37f-b540-45d5-e44843aba26b",
+ "id": "B03.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Hub & Spoke",
+ "text": "VPN Gateway",
+ "description": "Create a VPN gateway on the hub Gateway subnet",
+ "waf": "Performance",
+ "guid": "d4806549-0913-3e79-b580-ac2d3706e65a",
+ "id": "B03.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Hub & Spoke",
+ "text": "ExR Gateway",
+ "description": "Create an ExR Gateway in the hub Gateway subnet.",
+ "waf": "Performance",
+ "guid": "864d7a8b-7016-c769-a717-61af6bfb73d2",
+ "id": "B03.04",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Internet",
+ "text": "Egress point",
+ "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?",
+ "waf": "Performance",
+ "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad",
+ "id": "B04.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Jumpbox & Bastion",
+ "text": "Remote connectivity to AVS",
+ "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX",
+ "waf": "Performance",
+ "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f",
+ "id": "B05.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Jumpbox & Bastion",
+ "text": "Configure a jumbox and Azure Bastion",
+ "description": "Name the jumpbox and identify the subnet where it will be hosted",
+ "waf": "Performance",
+ "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857",
+ "id": "B05.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "Jumpbox & Bastion",
+ "text": "Security measure allowing RDP access via the portal",
+ "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.",
+ "waf": "Performance",
+ "guid": "ba430d58-4541-085c-3641-068c00be9bc5",
+ "id": "B05.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "VPN",
+ "text": "Connect to Azure using a VPN",
+ "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)",
+ "waf": "Performance",
+ "guid": "9988598f-2a9f-6b12-9b46-488415ceb325",
+ "id": "B06.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "VPN",
+ "text": "Bandwidth sizing",
+ "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)",
+ "waf": "Performance",
+ "guid": "956ce5e9-a862-fe2b-a50d-a22923569357",
+ "id": "B06.02",
+ "severity": "Medium",
+ "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed."
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "VPN",
+ "text": "Traffic routing ",
+ "description": "What traffic is routed through a firewall, what goes directly into Azure",
+ "waf": "Performance",
+ "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59",
+ "id": "B06.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "vWAN hub",
+ "text": "vWAN name, hub name and address space",
+ "description": "Name and unique address space for the vWAN, name for the vWAN hub",
+ "waf": "Performance",
+ "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab",
+ "id": "B07.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "vWAN hub",
+ "text": "ExR and/or VPN gateway provisioned",
+ "description": "Select either boh or the appropriate connection type.",
+ "waf": "Performance",
+ "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076",
+ "id": "B07.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal"
+ },
+ {
+ "category": "Connectivity",
+ "subcategory": "vWAN hub",
+ "text": "Secure vWAN",
+ "description": "Add Azure firewall to vWAN (recommended)",
+ "waf": "Security",
+ "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b",
+ "id": "B07.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Access",
+ "text": "External Identity (user accounts)",
+ "description": "Active directory or other identity provider servers",
+ "waf": "Security",
+ "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3",
+ "id": "C01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Access",
+ "text": "If using AD domain, ensure Sites & Services has been configured",
+ "description": "Not required for LDAPS, required for Kerberos",
+ "waf": "Security",
+ "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997",
+ "id": "C01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Access",
+ "text": "Use LDAPS not ldap ( vCenter)",
+ "description": "Authentication for users, must be secure.",
+ "waf": "Security",
+ "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1",
+ "id": "C01.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Access",
+ "text": "Use LDAPS not ldap (NSX-T)",
+ "description": "Authentication for users, must be secure.",
+ "waf": "Security",
+ "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635",
+ "id": "C01.04",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security",
+ "text": "Security certificate installed on LDAPS servers ",
+ "description": "CN or SAN names, no wildcards, contains private key - CER or PFX",
+ "waf": "Security",
+ "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c",
+ "id": "C02.01",
+ "severity": "Medium",
+ "link": "https://youtu.be/4jvfbsrhnEs"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security",
+ "text": "RBAC applied to Azure roles",
+ "description": "Standard Azure Roles Based Access Controls",
+ "waf": "Security",
+ "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73",
+ "id": "C02.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security",
+ "text": "RBAC model in vCenter",
+ "description": "Create roles in vCenter required to meet minimum viable access guidelines",
+ "waf": "Security",
+ "guid": "b04ca129-83a9-3494-7512-347dd2d766db",
+ "id": "C02.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security",
+ "text": "CloudAdmin role usage",
+ "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
+ "waf": "Security",
+ "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb",
+ "id": "C02.04",
+ "severity": "Medium",
+ "link": "Best practice"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security ",
+ "text": "Is Privileged Identity Management implemented",
+ "description": "For roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
+ "waf": "Security",
+ "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63",
+ "id": "C03.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security ",
+ "text": "Is Privileged Identity Management audit reporting implemented",
+ "description": "For the Azure VMware Solution PIM roles",
+ "waf": "Security",
+ "guid": "0842d45f-41a8-8274-1155-2f6ed554d315",
+ "id": "C03.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security ",
+ "text": "Limit use of CloudAdmin account to emergency access only",
+ "description": "Best practice, also see Monitoring/Alerts",
+ "waf": "Security",
+ "guid": "915cbcd7-0640-eb7c-4162-9f33775de559",
+ "id": "C03.03",
+ "severity": "Medium",
+ "link": "Best practice"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Security ",
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
+ "description": "Operational procedure",
+ "waf": "Security",
+ "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a",
+ "id": "C03.04",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "AVS VM Management (Azure Arc)",
+ "description": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
+ "waf": "Operations",
+ "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82",
+ "id": "D01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Azure policy",
+ "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
+ "waf": "Operations",
+ "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0",
+ "id": "D01.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/governance/policy/overview"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Resource locks",
+ "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
+ "waf": "Operations",
+ "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db",
+ "id": "D01.03",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks"
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Run books",
+ "description": "For manual deployments, all configuration and deployments must be documented",
+ "waf": "Operations",
+ "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e",
+ "id": "D01.04",
+ "severity": "Medium",
+ "link": "Make sure to create your own runbook on the deployment of AVS."
+ },
+ {
+ "category": "Management",
+ "subcategory": "Operations",
+ "text": "Naming conventions for auth keys",
+ "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
+ "waf": "Operations",
+ "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030",
+ "id": "D01.05",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations"
+ },
+ {
+ "category": "Monitoring",
+ "subcategory": "Alerts",
+ "text": "Create warning alerts for critical thresholds ",
+ "description": "For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ "waf": "Operations",
+ "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443",
+ "id": "E01.01",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution"
+ },
+ {
+ "category": "Monitoring",
+ "subcategory": "Alerts",
+ "text": "Create critical alert vSAN consumption",
+ "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ "waf": "Operations",
+ "guid": "6d02f159-627d-79bf-a931-fab6d947eda2",
+ "id": "E01.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution"
+ },
+ {
+ "category": "Monitoring",
+ "subcategory": "Alerts",
+ "text": "Configured for Azure Service Health 
alerts and notifications", + "description": "Provides platform alerts (generated by Microsoft)", + "waf": "Operations", + "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951", + "id": "E01.03", + "severity": "Medium", + "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/" + }, + { + "category": "Monitoring", + "subcategory": "Backup", + "text": "Backup policy", + "description": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "waf": "Operations", + "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509", + "id": "E02.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution" + }, + { + "category": "Monitoring", + "subcategory": "Capacity", + "text": "Policy around ESXi host density and efficiency", + "description": "Keep in mind the lead time for requesting new nodes", + "waf": "Operations", + "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6", + "id": "E03.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution" + }, + { + "category": "Monitoring", + "subcategory": "Costs", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - ", + "description": "Azure Cost Management can be used - one option, put AVS in it's own Subscription. 
", + "waf": "Operations", + "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279", + "id": "E04.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern" + }, + { + "category": "Monitoring", + "subcategory": "Dashboard", + "text": "Connection monitor dashboard", + "description": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "waf": "Operations", + "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74", + "id": "E05.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards" + }, + { + "category": "Monitoring", + "subcategory": "Logs & Metrics", + "text": "Configure Azure VMware Solution logging ", + "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)", + "waf": "Operations", + "guid": "f9afdcc9-649d-d840-9fb5-a3c0edcc697d", + "id": "E06.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs" + }, + { + "category": "Monitoring", + "subcategory": "Logs & Metrics", + "text": "vRealize Operations", + "description": "Must be on-premises, implement if available", + "waf": "Operations", + "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6", + "id": "E06.02", + "severity": "Medium", + "link": "Is vROPS or vRealize Network Insight going to be used? 
" + }, + { + "category": "Monitoring", + "subcategory": "Logs & Metrics", + "text": "AVS VM logging", + "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations", + "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2", + "id": "E06.03", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs" + }, + { + "category": "Monitoring", + "subcategory": "Network", + "text": "Monitor ExpressRoute and/or VPN connections ", + "description": "Between on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations", + "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3", + "id": "E07.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal" + }, + { + "category": "Monitoring", + "subcategory": "Network", + "text": "Monitor from an Azure native resource to an Azure VMware Solution VM", + "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)", + "waf": "Operations", + "guid": "99209143-60fe-19f0-5633-8b5671277ba5", + "id": "E07.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal" + }, + { + "category": "Monitoring", + "subcategory": "Network", + "text": "Monitor from an on-premises resource to an Azure VMware Solution VM", + "description": "To monitor end-to-end, on-premises to AVS workloads", + "waf": "Operations", + "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe", + "id": "E07.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal" + }, + { + "category": "Monitoring", + "subcategory": "Security", + "text": "Auditing and logging is implemented for inbound internet ", + "description": "Track requests to Azure VMware Solution and Azure VMware Solution based 
workloads", + "waf": "Operations", + "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962", + "id": "E08.01", + "severity": "Medium", + "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)" + }, + { + "category": "Monitoring", + "subcategory": "Security", + "text": "Session monitoring ", + "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "waf": "Operations", + "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5", + "id": "E08.02", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity" + }, + { + "category": "Monitoring", + "subcategory": "VMWare", + "text": "Logging and diagnostics", + "description": "Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "Operations", + "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e", + "id": "E09.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs" + }, + { + "category": "Monitoring", + "subcategory": "VMware", + "text": "Log Analytics Agents deployed on Azure VMware Solution guest VM workloads", + "description": "Monitor AVS workloads (each VM in AVS)", + "waf": "Operations", + "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a", + "id": "E10.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard" + }, + { + "category": "Networking", + "subcategory": "Hub & Spoke", + "text": "North/South routing through Az Firewall or 3rd party ", + "description": "Decision on traffic flow", + "waf": "Security", + "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971", + "id": "F01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke" + }, + { + "category": "Networking", + "subcategory": "Hub & Spoke", + "text": 
"East West (Internal to Azure)", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "waf": "Security", + "guid": "29a8a499-ec31-f336-3266-0895f035e379", + "id": "F01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke" + }, + { + "category": "Networking", + "subcategory": "Hub & Spoke", + "text": "ExR without Global Reach", + "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)", + "waf": "Operations", + "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523", + "id": "F01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity" + }, + { + "category": "Networking", + "subcategory": "Hub & Spoke", + "text": "Route server ", + "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). 
Important when using MoN", + "waf": "Operations", + "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506", + "id": "F01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/route-server/route-server-faq" + }, + { + "category": "Networking", + "subcategory": "Internet", + "text": "Egress point(s)", + "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP", + "waf": "Security", + "guid": "a4070dad-3def-818d-e9f7-be440d10e7de", + "id": "F02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-design-public-internet-access" + }, + { + "category": "Networking", + "subcategory": "Internet", + "text": "Internet facing applications", + "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure Frontdoor ", + "waf": "Security", + "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937", + "id": "F02.02", + "severity": "Medium", + "link": "Research and choose optimal solution for each application" + }, + { + "category": "Networking", + "subcategory": "Routing", + "text": "When route server Route limit understood? ", + "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", + "waf": "Security", + "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37", + "id": "F03.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits" + }, + { + "category": "Networking", + "subcategory": "Security", + "text": "Is DDoS standard protection of public facing IP addresses? 
", + "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)", + "waf": "Security", + "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a", + "id": "F04.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection" + }, + { + "category": "Networking", + "subcategory": "Security", + "text": "Use a dedicated privileged access workstation (PAW)", + "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "waf": "Security", + "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32", + "id": "F04.02", + "severity": "Medium", + "link": "Best practice: Bastion or 3rd party tool" + }, + { + "category": "Networking", + "subcategory": "Traffic Inspection", + "text": "East West (Internal to AVS)", + "description": "Use NSX-T for inter-vmware-traffic inspection", + "waf": "Security", + "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f", + "id": "F05.01", + "severity": "Medium", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html" + }, + { + "category": "Networking", + "subcategory": "Virtual WAN", + "text": "Use Secure Hub (Azure Firewall or 3rd party)", + "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach", + "waf": "Security", + "guid": "3f621543-dfac-c471-54a6-7b2849b6909a", + "id": "F06.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture" + }, + { + "category": "Networking", + "subcategory": "Virtual WAN", + "text": "East West (Internal to Azure)", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "waf": "Security", + "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b", + "id": "F06.02", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network" + }, + { + "category": "Other Services/Operations", + "subcategory": "Automated Scale", + "text": "Scale out operations planning", + "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance", + "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161", + "id": "G01.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal" + }, + { + "category": "Other Services/Operations", + "subcategory": "Automated Scale", + "text": "Scale in operations planning", + "description": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance", + "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece", + "id": "G01.02", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale" + }, + { + "category": "Other Services/Operations", + "subcategory": "Automated Scale", + "text": "Scale serialized operations planning", + "description": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance", + "guid": "3233e49e-62ce-97f3-8737-8230e771b694", + "id": "G01.03", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale" + }, + { + "category": "Other Services/Operations", + "subcategory": "Automated Scale", + "text": "Scale rd operations planning", + "description": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": 
"Performance", + "guid": "68161d66-5707-319b-e77d-9217da892593", + "id": "G01.04", + "severity": "Medium", + "link": "Best practice (testing)" + }, + { + "category": "Other Services/Operations", + "subcategory": "Automated Scale", + "text": "Scale maximum operations planning", + "description": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance", + "guid": "c32cb953-e860-f204-957a-c79d61202669", + "id": "G01.05", + "severity": "Medium", + "link": "Operational planning - understand workload requirements" + }, + { + "category": "Other Services/Operations", + "subcategory": "Automated Scale", + "text": "Monitor scaling operations ", + "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Performance", + "guid": "7bd65a5e-7b5d-652d-dbea-fc6f73a42857", + "id": "G01.06", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring" + }, + { + "category": "Other Services/Operations", + "subcategory": "Networking", + "text": "Private link", + "description": "Consider the use of Azure Private-Link when using other Azure Native Services", + "waf": "Performance", + "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7", + "id": "G02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview" + }, + { + "category": "Other Services/Operations", + "subcategory": "Networking", + "text": "Provisioning Vmware VLANs", + "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Performance", + "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2", + "id": "G02.02", + "severity": "Medium", + "link": "Best practice" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + 
"text": "Region selected", + "description": "In which region will AVS be deployed", + "waf": "Reliability", + "guid": "04e3a2f9-83b7-968a-1044-2811811a924b", + "id": "H01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Data residency compliant with selected regions", + "description": "Are there regulatory or compliance policies in play", + "waf": "Reliability", + "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b", + "id": "H01.02", + "severity": "Medium", + "link": "Internal policy or regulatory compliance" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Request for number of AVS hosts submitted ", + "description": "Request through the support blade", + "waf": "Reliability", + "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b", + "id": "H01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/migrate/concepts-azure-vmware-solution-assessment-calculation" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Region and number of AVS nodes approved", + "description": "PG approval for deployment", + "waf": "Reliability", + "guid": "28370f63-1cb8-2e35-907f-c5516b6954fa", + "id": "H01.04", + "severity": "Medium", + "link": "Support request through portal or get help from Account Team" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Resource provider for AVS registered", + "description": "Portal/subscription/resource providers/ Microsoft.AVS", + "waf": "Reliability", + "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa", + "id": "H01.05", + "severity": "Medium", + "link": "Done through the subscription/resource providers/ AVS register in the portal" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Landing zone architecture", + "description": "Connectivity, 
subscription & governanace model", + "waf": "Reliability", + "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63", + "id": "H01.06", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Resource group name selected", + "description": "The name of the RG where AVS will exist", + "waf": "Reliability", + "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", + "id": "H01.07", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Deployment prefix selected", + "description": "Each resource created as part of the deployment will also utilize this prefix in the name", + "waf": "Reliability", + "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", + "id": "H01.08", + "severity": "Medium", + "link": "Best practice - naming standards" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Network space for AVS management layer", + "description": "/22 unique non-overlapping IPv4 address space", + "waf": "Reliability", + "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", + "id": "H01.09", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Network space for AVS NSX-T segments", + "description": "vNets used by workloads running in AVS (non-stretched)", + "waf": "Reliability", + "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", + "id": "H01.10", + "severity": "Medium", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": 
"AVS SKU (region dependent)", + "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", + "waf": "Performance", + "guid": "946c8966-f902-6f53-4f37-00847e8895c2", + "id": "H01.11", + "severity": "Medium", + "link": "https://azure.microsoft.com/pricing/details/azure-vmware/" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Number of hosts to be deployed", + "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", + "waf": "Performance", + "guid": "31833808-26ba-9c31-416f-d54a89a17f5d", + "id": "H01.12", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/migrate/how-to-assess" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Reserverd Instances", + "description": "Understand how and if you should be using reserved instances (cost control)", + "waf": "Cost", + "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", + "id": "H01.13", + "severity": "Medium", + "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Capacity ", + "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "waf": "Performance", + "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", + "id": "H01.14", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "Networking & Connectivity See docs describing scenrario 1 through 5", + "description": "Identify which of the networking scenarios make ", + "waf": "Reliability", + "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", + "id": "H01.15", + "severity": 
"Medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity" + }, + { + "category": "Planning", + "subcategory": "Pre-deployment", + "text": "3rd party application compatibility ", + "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Reliability", + "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", + "id": "H01.16", + "severity": "Medium", + "link": "Please Check Partner Ecosystem" + }, + { + "category": "Security", + "subcategory": "Encryption", + "text": "Use Azure Key Vault with in-guest encryption ", + "description": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "waf": "Security", + "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646", + "id": "I01.01", + "severity": "Medium", + "link": "General recommendation for storing encryption keys." + }, + { + "category": "Security", + "subcategory": "Encryption", + "text": "Use in-guest encryption", + "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", + "waf": "Security", + "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392", + "id": "I01.02", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#data-at-rest-encryption" + }, + { + "category": "Security", + "subcategory": "Encryption", + "text": "Keyvault use for secrets", + "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "waf": "Security", + "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e", + "id": "I01.03", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/key-vault/general/authentication" + }, + { + "category": "Security", + "subcategory": "Extended support", + "text": "Ensure extended security update support ", + "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU", + "waf": "Security", + "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08", + "id": "I02.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/windows-server/get-started/extended-security-updates-deploy" + }, + { + "category": "Security", + "subcategory": "Investigation", + "text": "Enable Azure Sentinel or 3rd party SIEM ", + "description": "Use a SIEM/SOAR", + "waf": "Security", + "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a", + "id": "I03.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/sentinel/overview" + }, + { + "category": "Security", + "subcategory": "Security", + "text": "Enable Advanced Threat Detection ", + "description": "MS Defender For Cloud, for workloads running on Azure VMware Solution", + "waf": "Security", + "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", + "id": "I04.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites" + }, + { + "category": "Security", + "subcategory": "Security", + 
"text": "Policy & Regulatory Compliance", + "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", + "waf": "Security", + "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", + "id": "I04.02", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration" + }, + { + "category": "VMware", + "subcategory": "Firewalls", + "text": "Azure / 3rd party firewall", + "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", + "waf": "Security", + "guid": "607c1ca9-da92-ae19-5a4c-eb1e876acbe7", + "id": "J01.01", + "severity": "Medium", + "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling." + }, + { + "category": "VMware", + "subcategory": "Firewalls", + "text": "Firewalls allow for East/West traffic inside AVS", + "description": "To allow HCX appliance to connect/sync", + "waf": "Security", + "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", + "id": "J01.02", + "severity": "Medium", + "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html" + }, + { + "category": "VMware", + "subcategory": "Networking", + "text": "HCX and/or SRM", + "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", + "waf": "Reliability", + "guid": "468b3495-2f6e-b65a-38ef-3ba631bcaa46", + "id": "J02.01", + "severity": "Medium", + "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html" + }, + { + "category": "VMware", + "subcategory": "Networking", + "text": "Configuring and Managing the HCX Interconnect", + "description": "Read up on requirements for 
Service Mesh requirements and how HCX ", + "waf": "Reliability", + "guid": "be2ced52-da08-d366-cf7c-044c19e29509", + "id": "J02.02", + "severity": "Medium", + "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html" + }, + { + "category": "VMware", + "subcategory": "Networking", + "text": "Restrictions and limitations for network extensions", + "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", + "waf": "Performance", + "guid": "7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", + "id": "J02.03", + "severity": "Medium", + "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html" + }, + { + "category": "VMware", + "subcategory": "Networking", + "text": "Mobility optimized networking", + "description": "Do workloads require MoN?", + "waf": "Performance", + "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", + "id": "J02.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-vmware/vmware-hcx-mon-guidance" + }, + { + "category": "VMware", + "subcategory": "On-premises pre-requisites", + "text": "Support matrix (OS versions etc).", + "description": "Operating system level of Vmware environment", + "waf": "Operations", + "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", + "id": "J03.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix" + }, + { + "category": "VMware", + "subcategory": "On-premises pre-requisites", + "text": "Standard switches converted to dynamic switches", + "description": "Required that all switches are dynamic", + "waf": "Operations", + "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", + "id": "J03.02", + "severity": "Medium", + "link": 
"https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20" + }, + { + "category": "VMware", + "subcategory": "On-premises pre-requisites", + "text": "Capacity for HCX appliance", + "description": "See sections on sizing and capacity in the link.", + "waf": "Performance", + "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", + "id": "J03.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-vmware/plan-private-cloud-deployment" + }, + { + "category": "VMware", + "subcategory": "On-premises pre-requisites", + "text": "Hardware compatibility", + "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", + "waf": "Operations", + "guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", + "id": "J03.04", + "severity": "Medium", + "link": "https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows" + }, + { + "category": "VMware", + "subcategory": "Storage", + "text": "VSAN RDM disks are converted - not supported.", + "description": "Need to be converted", + "waf": "Operations", + "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", + "id": "J04.01", + "severity": "Medium", + "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html" + }, + { + "category": "VMware", + "subcategory": "Storage", + "text": "VM with SCSI shared bus are not supported", + "description": "Need to be converted", + "waf": "Operations", + "guid": "eb2f9313-afb2-ab35-aa24-6d97a3cb0611", + "id": "J04.02", + "severity": "Medium", + "link": "3rd-Party tools" + }, + { + "category": "VMware", + "subcategory": "Storage", + "text": "VM with Direct IO require removing DirectPath device", + "description": 
"Remove Direct IO before migration",
+ "waf": "Operations",
+ "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381",
+ "id": "J04.03",
+ "severity": "Medium",
+ "link": "Contact VMware"
+ },
+ {
+ "category": "VMware",
+ "subcategory": "Storage",
+ "text": "Shared VMDK files are not supported",
+ "description": "Cannot migrate clusters ",
+ "waf": "Operations",
+ "guid": "efc8a311-74f8-0252-c6a0-4bac7610e266",
+ "id": "J04.04",
+ "severity": "Medium",
+ "link": "Contact VMware"
+ },
+ {
+ "category": "VMware",
+ "subcategory": "Storage",
+ "text": "RDM with 'physical compatibility mode' are not supported.",
+ "description": "Convert to a different format",
+ "waf": "Operations",
+ "guid": "ab6c89cd-a26f-b894-fe59-61863975458e",
+ "id": "J04.05",
+ "severity": "Medium",
+ "link": "Contact VMware"
+ },
+ {
+ "category": "VMware",
+ "subcategory": "Storage",
+ "text": "Default storage policy",
+ "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning",
+ "waf": "Operations",
+ "guid": "7628d446-6b10-9678-9cec-f407d990de43",
+ "id": "J04.06",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance"
+ },
+ {
+ "category": "VMware",
+ "subcategory": "Storage",
+ "text": "Ensure that the appropriate VM template storage policy is used",
+ "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.",
+ "waf": "Operations",
+ "guid": "37fef358-7ab9-43a9-542c-22673955200e",
+ "id": "J04.07",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy"
+ },
+ {
+ "category": "VMware",
+ "subcategory": "Storage",
+ "text": "Failure to tolerate policy",
+ "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
+ 
"waf": "Operations",
+ "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7",
+ "id": "J04.08",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance"
+ },
+ {
+ "category": "VMware",
+ "subcategory": "Storage",
+ "text": "Use ANF for external storage",
+ "description": "ANF can be used to extend storage for Azure VMware Solution,",
+ "waf": "Operations",
+ "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863",
+ "id": "J04.09",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution"
+ }
+ ],
+ "categories": [
+ {
+ "name": "Planning"
+ },
+ {
+ "name": "Connectivity"
+ },
+ {
+ "name": "Identity"
+ },
+ {
+ "name": "Networking"
+ },
+ {
+ "name": "Security"
+ },
+ {
+ "name": "Monitoring"
+ },
+ {
+ "name": "BCDR"
+ },
+ {
+ "name": "Other Services/Operations"
+ },
+ {
+ "name": "Management"
+ }
+ ],
+ "waf": [
+ {
+ "name": "Reliability"
+ },
+ {
+ "name": "Security"
+ },
+ {
+ "name": "Cost"
+ },
+ {
+ "name": "Operations"
+ },
+ {
+ "name": "Performance"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Yes"
+ },
+ {
+ "name": "No"
+ }
+ ],
+ "status": [
+ {
+ "name": "Not verified",
+ "description": "This check has not been looked at yet"
+ },
+ {
+ "name": "Open",
+ "description": "There is an action item associated to this check"
+ },
+ {
+ "name": "Fulfilled",
+ "description": "This check has been verified, and there are no further action items associated to it"
+ },
+ {
+ "name": "Not required",
+ "description": "Recommendation understood, but not needed by current requirements"
+ },
+ {
+ "name": "N/A",
+ "description": "Not applicable for current design"
+ }
+ ],
+ "severities": [
+ {
+ "name": "High"
+ },
+ {
+ "name": "Medium"
+ },
+ {
+ "name": "Low"
+ }
+ ],
+ "metadata": {
+ "name": "Azure VMware Solution Implementation Checklist",
+ "state": "Preview"
+ }
+}
+
