Merge pull request #965 from igorjnzl/main

Removing duplicate or very similar checks and performing consolidation
Azure · Oct 24, 2024 · 1ff7c26 · 1ff7c26
2 parents ea8be32 + 10173ab
commit 1ff7c26
Showing 1 changed file with 26 additions and 50 deletions.
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
@@ -1,17 +1,5 @@
 {
     "items": [
-        {
-            "category": "Network Topology and Connectivity",
-            "subcategory": "Hub and spoke",
-            "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.",
-            "waf": "Reliability",
-            "service": "VNet",
-            "guid": "7bc1c396-2461-4698-b57f-30ca69525252",
-            "id": "",
-            "severity": "Medium",
-            "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions",
-            "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
-        },
         {
             "category": "Azure Billing and Microsoft Entra ID Tenants",
             "subcategory": "Microsoft Entra ID Tenants",
@@ -642,34 +630,34 @@
             "waf": "Security",
             "service": "VNet",
             "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
-            "id": "D01.01",
+            "id": "D01.02",
             "severity": "Medium",
             "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
             "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity"
         },
         {
             "category": "Network Topology and Connectivity",
             "subcategory": "Hub and spoke",
-            "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.",
-            "waf": "Cost",
+            "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.",
+            "waf": "Reliability",
             "service": "VNet",
-            "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
-            "id": "D01.02",
-            "severity": "High",
-            "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
+            "guid": "7bc1c396-2461-4698-b57f-30ca69525252",
+            "id": "D01.03",
+            "severity": "Medium",
+            "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions",
             "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
         },
         {
             "category": "Network Topology and Connectivity",
-            "subcategory": "App delivery",
-            "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.",
-            "waf": "Security",
+            "subcategory": "Hub and spoke",
+            "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.",
+            "waf": "Cost",
             "service": "VNet",
-            "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
-            "id": "D01.03",
+            "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
+            "id": "D01.04",
             "severity": "High",
-            "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
-            "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
+            "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
+            "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
         },
         {
             "category": "Network Topology and Connectivity",
@@ -678,7 +666,7 @@
             "waf": "Reliability",
             "service": "NVA",
             "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
-            "id": "D01.03",
+            "id": "D01.06",
             "severity": "Medium",
             "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha"
         },
@@ -689,7 +677,7 @@
             "waf": "Security",
             "service": "ExpressRoute",
             "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
-            "id": "D01.04",
+            "id": "D01.07",
             "severity": "Low",
             "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
             "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/"
@@ -701,7 +689,7 @@
             "waf": "Security",
             "service": "ARS",
             "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
-            "id": "D01.05",
+            "id": "D01.08",
             "severity": "Low",
             "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
             "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
@@ -714,7 +702,7 @@
             "waf": "Performance",
             "service": "VNet",
             "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
-            "id": "D01.06",
+            "id": "D01.09",
             "severity": "Medium",
             "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
             "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region"
@@ -726,7 +714,7 @@
             "waf": "Operations",
             "service": "VNet",
             "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
-            "id": "D01.07",
+            "id": "D01.10",
             "severity": "Medium",
             "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
             "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview"
@@ -738,7 +726,7 @@
             "waf": "Reliability",
             "service": "VNet",
             "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
-            "id": "D01.08",
+            "id": "D01.11",
             "severity": "Medium",
             "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
             "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
@@ -751,7 +739,7 @@
             "waf": "Reliability",
             "service": "VNet",
             "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
-            "id": "D01.09",
+            "id": "D01.12",
             "severity": "Medium",
             "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
             "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
@@ -764,7 +752,7 @@
             "waf": "Reliability",
             "service": "VNet",
             "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
-            "id": "D01.10",
+            "id": "D01.13",
             "severity": "High",
             "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
             "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
@@ -777,7 +765,7 @@
             "waf": "Reliability",
             "service": "Load Balancer",
             "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
-            "id": "D01.11",
+            "id": "D01.14",
             "severity": "High",
             "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
             "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant"
@@ -789,7 +777,7 @@
             "waf": "Reliability",
             "service": "Load Balancer",
             "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
-            "id": "D01.12",
+            "id": "D01.15",
             "severity": "High",
             "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
             "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant"
@@ -1005,7 +993,7 @@
         {
             "category": "Network Topology and Connectivity",
             "subcategory": "Internet",
-            "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
+            "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks including application landing zones.",
             "waf": "Security",
             "service": "VNet",
             "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
@@ -2408,7 +2396,7 @@
         {
             "category": "Security",
             "subcategory": "Encryption and keys",
-            "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.",
+            "text": "Use different Azure Key Vaults for different applications, environments and regions to avoid transaction scale limits and restrict access to secrets.",
             "waf": "Security",
             "service": "Key Vault",
             "guid": "a0477a20-9945-4bda-9333-4f2491163418",
@@ -2513,18 +2501,6 @@
             "link": "https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest",
             "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/"
         },
-        {
-            "category": "Security",
-            "subcategory": "Encryption and keys",
-            "text": "Use an Azure Key Vault per application per environment per region.",
-            "waf": "Security",
-            "service": "Key Vault",
-            "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
-            "id": "G02.11",
-            "severity": "Medium",
-            "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
-            "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/"
-        },
         {
             "category": "Security",
             "subcategory": "Encryption and keys",