diff --git a/checklists-ext/fullwaf_checklist.en.json b/checklists-ext/fullwaf_checklist.en.json
new file mode 100644
index 000000000..80f95a1d5
--- /dev/null
+++ b/checklists-ext/fullwaf_checklist.en.json
@@ -0,0 +1,24113 @@
+{
+ "items": [
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.",
+ "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
+ "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Disable Azure Container Registry image export",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry",
+ "guid": "d503547c-d447-4e82-9128-a7100f1cac6d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Enable Azure Policies for Azure Container Registry",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.",
+ "guid": "d345293c-7639-4637-a551-c5c04e401955",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Sign and Verify containers with notation (Notary v2)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.",
+ "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
+ "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Encrypt registry with a customer managed key",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications",
+ "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Use Managed Identities to connect instead of Service Principals",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "The local Administrator account is disabled by default and should not be enabled. Use either Token or RBAC-based access methods instead",
+ "guid": "be0e38ce-e297-411b-b363-caaab79b198d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Disable local authentication for management plane access",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations",
+ "guid": "387e5ced-126c-4d13-8af5-b20c6998a646",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable anonymous pull/push access",
+ "guid": "e338997e-41c7-47d7-acf6-a62a1194956d",
+ "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Disable Anonymous pull access",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token",
+ "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Disable repository-scoped access tokens",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network",
+ "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Deploy images from a trusted environment",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR",
+ "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Disable Azure ARM audience tokens for authentication",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.",
+ "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
+ "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Enable diagnostics logging",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch",
+ "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Control inbound network access with Private Link",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable public network access if inbound network access is secured using Private Link",
+ "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Disable Public Network access",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Only the ACR Premium SKU supports Private Link access",
+ "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
+ "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+ "service": "ACR",
+ "severity": "Low",
+ "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "4451e1a2-d345-4293-a763-9637a551c5c0",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Deploy validated container images",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "4e401955-387e-45ce-b126-cd132af5b20c",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
+ "service": "Azure Data Factory",
+ "severity": "Medium",
+ "text": "Leverage FTA Resiliency Playbook for Azure Data Factory",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "severity": "High",
+ "text": "Use zone redundant pipelines in regions that support Availability Zones",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
+ "link": "https://learn.microsoft.com/azure/data-factory/source-control",
+ "service": "Azure Data Factory",
+ "severity": "Medium",
+ "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "severity": "Medium",
+ "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "severity": "Medium",
+ "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Azure Data Factory",
+ "severity": "Low",
+ "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
+ "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
+ "service": "Azure Data Explorer",
+ "text": "Leverage External Tables and Continuous data export overview to reduce costs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
+ "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
+ "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
+ "service": "Azure Data Explorer",
+ "text": "To share data, explore Leader-follower cluster configuration",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
+ "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
+ "service": "Azure Data Explorer",
+ "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
+ "service": "Azure Data Explorer",
+ "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "18ca6017-0265-4f4b-a46a-393af7f31728",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
+ "service": "Azure Data Explorer",
+ "text": "Ingest data into each cluster in parallel",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.",
+ "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.",
+ "guid": "563a4dc7-4a74-48b6-922a-d190916a6649",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For critical applications, create Active-Active configuration in two paired regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.",
+ "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For applications, which required only read during failure, create Active-Hot standby configuration",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
+ "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
+ "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "text": "Wrap DevOps and source control around all your code",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
+ "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required for AKS Windows workloads HostProcess containers can be used",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
+ "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use KEDA if running event-driven workloads",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
+ "link": "https://dapr.io/",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use Dapr to ease microservice development",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
+ "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
+ "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use the SLA-backed AKS offering",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use Disruption Budgets in your pod and deployment definitions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure AKS Review",
+ "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "service": "ACR",
+ "severity": "High",
+ "text": "If using a private registry, configure region replication to store images in multiple regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use an external application such as kubecost to allocate costs to different users",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
+ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use scale down mode to delete/deallocate nodes",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
+ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "When required use multi-instance partitioning GPU on AKS Clusters",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
+ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If running a Dev/Test cluster use NodePool Start/Stop",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
+ "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
+ "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Separate applications from the control plane with user/system node pools",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Add taint to your system nodepool to make it dedicated",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
+ "link": "https://learn.microsoft.com/azure/container-registry/",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use a private registry for your images, such as ACR",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure AKS Review",
+ "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
+ "link": "https://learn.microsoft.com/azure/security-center/container-security",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Scan your images for vulnerabilities",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Define app separation requirements (namespace/nodepool/cluster)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
+ "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
+ "link": "https://learn.microsoft.com/azure/aks/update-credentials",
+ "service": "AKS",
+ "severity": "High",
+ "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
+ "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If required add Key Management Service etcd encryption",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
+ "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required consider using Confidential Compute for AKS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Consider using Defender for Containers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
+ "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use managed identities instead of Service Principals",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
+ "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Integrate authentication with AAD (using the managed integration)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
+ "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Limit access to admin kubeconfig (get-credentials --admin)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
+ "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Integrate authorization with AAD RBAC",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use namespaces for restricting RBAC privilege in Kubernetes",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
+ "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "For AKS non-interactive logins use kubelogin (preview)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
+ "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Disable AKS local accounts",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Configure if required Just-in-time cluster access",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Configure if required AAD conditional access for AKS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
+ "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required for Windows AKS workloads configure gMSA ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "For finer control consider using a managed Kubelet Identity",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
+ "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If using AGIC, do not share an AppGW across clusters",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
+ "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
+ "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "For Windows workloads use Accelerated Networking",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
+ "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use the standard ALB (as opposed to the basic one)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If using Azure CNI, consider using different Subnets for NodePools",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
+ "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
+ "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "High",
+ "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "High",
+ "text": "If using Azure CNI, check the maximum pods/node (default 30)",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .",
+ "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
+ "link": "https://learn.microsoft.com/azure/aks/internal-lb",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
+ "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required add your own CNI plugin",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required configure Public IP per node in AKS",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-network",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
+ "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
+ "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
+ "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
+ "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
+ "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If using a public API endpoint, restrict the IP addresses that can access it",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
+ "link": "https://learn.microsoft.com/azure/aks/private-clusters",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use private clusters if your requirements mandate it",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
+ "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use Kubernetes network policies to increase intra-cluster security",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use a WAF for web workloads (UIs or APIs)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use DDoS Standard in the AKS Virtual Network",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required add company HTTP Proxy",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Consider using a service mesh for advanced microservice communication management",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Check regularly Azure Advisor for recommendations on your cluster",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Enable AKS auto-certificate rotation",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider using AKS command invoke on private clusters",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "For planned events consider using Node Auto Drain",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": "https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use custom Node RG (aka 'Infra RG') name",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
+ "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Taint Windows nodes",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Keep windows containers patch level in sync with host patch level",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "Via Diagnostic Settings at the cluster level",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required use nodePool snapshots",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider spot node pools for non time-sensitive workloads",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
+ "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider AKS virtual node for quick bursting",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Monitor CPU and memory utilization of the nodes",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady",
+ "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Monitor OS disk queue depth in nodes",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
+ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Subscribe to resource health notifications for your AKS cluster",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Configure requests and limits in your pod specs",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "769ef669-1a48-435a-a942-223ece80b123",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Enforce resource quotas for namespaces",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Ensure your subscription has enough quota to scale out your nodepools",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65",
+ "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Configure Liveness and Readiness probes for all deployments",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
+ "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use the Cluster Autoscaler",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
+ "guid": "831c2872-c693-4b39-a887-a561bada49bc",
+ "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Customize node configuration for AKS node pools",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use the Horizontal Pod Autoscaler when required",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity",
+ "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
+ "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Consider an appropriate node size, not too large or too small",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
+ "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
+ "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider subscribing to EventGrid Events for AKS automation",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
+ "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "For long running operation on an AKS cluster consider event termination",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
+ "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required consider using Azure Dedicated Hosts for AKS nodes",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
+ "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use ephemeral OS disks",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
+ "service": "AKS",
+ "severity": "High",
+ "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
+ "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "For hyper performance storage option use Ultra Disks on AKS",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
+ "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Entra",
+ "severity": "Low",
+ "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "Entra",
+ "severity": "Low",
+ "text": "Leverage Azure Lighthouse for Multi-Tenant Management",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner",
+ "waf": "Cost"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "348ef254-c27d-442e-abba-c7571559ab91",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
+ "service": "Entra",
+ "severity": "High",
+ "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
+ "service": "Entra",
+ "severity": "High",
+ "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
+ "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
+ "service": "Entra",
+ "severity": "Low",
+ "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
+ "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
+ "service": "Entra",
+ "severity": "High",
+ "text": "Enforce multi-factor authentication for any user with rights to the Azure environments",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
+ "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access",
+ "service": "Entra",
+ "severity": "High",
+ "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "35037e68-9349-4c15-b371-228514f4cdff",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.",
+ "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
+ "severity": "Medium",
+ "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
+ "service": "ExpressRoute",
+ "severity": "Low",
+ "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualHubs",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
+ "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
+ "service": "ARS",
+ "severity": "Low",
+ "text": "If using Route Server, use a /27 prefix for the Route Server subnet.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
+ "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
+ "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "Consider the limit of routes per route table (400).",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
+ "service": "ExpressRoute",
+ "severity": "Low",
+ "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
+ "severity": "Low",
+ "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Performance"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Avoid using overlapping IP address ranges for production and DR sites.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
+ "severity": "Medium",
+ "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
+ "severity": "Medium",
+ "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
+ "severity": "Low",
+ "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
+ "severity": "High",
+ "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
+ "severity": "Medium",
+ "text": "Consider using Azure Bastion to securely connect to your network.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
+ "severity": "Medium",
+ "text": "Use Azure Bastion in a subnet /26 or larger.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "WAF",
+ "severity": "Medium",
+ "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "Low",
+ "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "High",
+ "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
+ "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
+ "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
+ "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
+ "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.",
+ "waf": "Cost"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
+ "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
+ "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
+ "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/vpnGateways",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant",
+ "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
+ "service": "VPN",
+ "severity": "Medium",
+ "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/vpnGateways",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
+ "service": "VPN",
+ "severity": "Medium",
+ "text": "Use redundant VPN appliances on-premises (active/active or active/passive).",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
+ "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
+ "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
+ "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d581a947-69a2-4783-942e-9df3664324c8",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
+ "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
+ "service": "Firewall",
+ "severity": "Low",
+ "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
+ "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
+ "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Use Azure Firewall Premium for additional security and protection.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
+ "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
+ "service": "Firewall",
+ "severity": "Important",
+ "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Use a /26 prefix for your Azure Firewall subnets.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Use IP Groups or IP prefixes to reduce number of IP table rules",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Enable TLS Inspection",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
+ "service": "Firewall",
+ "severity": "Low",
+ "text": "Use web categories to allow or deny outbound access to specific topics.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Enable Azure Firewall DNS proxy configuration ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
+ "severity": "Low",
+ "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
+ "severity": "Low",
+ "text": "Implement backups for your firewall rules",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
+ "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "Don't enable virtual network service endpoints by default on all subnets.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "Use at least a /27 prefix for your Gateway subnets",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
+ "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
+ "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
+ "service": "NSG",
+ "severity": "Medium",
+ "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
+ "service": "NSG",
+ "severity": "Medium",
+ "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)",
+ "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
+ "service": "NSG",
+ "severity": "Medium",
+ "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "NSG",
+ "severity": "Medium",
+ "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "NSG",
+ "severity": "Medium",
+ "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
+ "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "NSG",
+ "severity": "Medium",
+ "text": "Consider the limit of NSG rules per NSG (1000).",
+ "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs",
+ "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "service": "VWAN",
+ "severity": "Low",
+ "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9c75dfef-573c-461c-a698-68598595581a",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
+ "service": "VWAN",
+ "severity": "High",
+ "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "High",
+ "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "43334f24-9116-4341-a2ba-527526944008",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
+ "service": "Policy",
+ "severity": "Low",
+ "text": "Use Azure Policy to control which services users can provision at the subscription/management group level",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "Use built-in policies where possible to minimize operational overhead.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.",
+ "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "19048384-5c98-46cb-8913-156a12476e49",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
+ "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/networkWatchers",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "90483845-c986-4cb2-a131-56a12476e49f",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Network Watcher",
+ "severity": "Medium",
+ "text": "Use Network Watcher to proactively monitor traffic flows",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Use Azure Monitor Logs for insights and reporting.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Use Azure Monitor alerts for the generation of operational alerts.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Backup",
+ "severity": "Medium",
+ "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
+ "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Monitor VM security configuration drift via Azure Policy.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
+ "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
+ "service": "Backup",
+ "severity": "Medium",
+ "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "VM",
+ "severity": "High",
+ "text": "Leverage Availability Zones for your VMs in regions where they are supported.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "VM",
+ "severity": "High",
+ "text": "Avoid running a production workload on a single VM.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "84101f59-1941-4195-a270-e28034290e3a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "WAF",
+ "severity": "High",
+ "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "WAF",
+ "severity": "Medium",
+ "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5017f154-e3ab-4369-9829-e7e316183687",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
+ "service": "Key Vault",
+ "severity": "High",
+ "text": "Use Azure Key Vault to store your secrets and credentials",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
+ "guid": "a0477a20-9945-4bda-9333-4f2491163418",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "913156a1-2476-4e49-b541-acdce979377b",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Establish an automated process for key and certificate rotation.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb",
+ "link": "https://learn.microsoft.com/industry/sovereignty/key-management",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
+ "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "09945bda-4333-44f2-9911-634182ba5275",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
+ "service": "Defender",
+ "severity": "High",
+ "text": "Enable Defender Cloud Security Posture Management for all subscriptions.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
+ "service": "Defender",
+ "severity": "High",
+ "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription",
+ "service": "Defender",
+ "severity": "High",
+ "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
+ "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection",
+ "service": "VM",
+ "severity": "High",
+ "text": "Enable Endpoint Protection on IaaS Servers.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab",
+ "link": "https://learn.microsoft.com/azure/security-center/",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba",
+ "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Secure transfer to storage accounts should be enabled",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
+ "service": "Key Vault",
+ "severity": "High",
+ "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Implement an error handling policy at the global level",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
+ "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Ensure all APIs policies include a element.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
+ "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
+ "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Enable Diagnostics Settings to export logs to Azure Monitor",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Enable Application Insights for more detailed telemetry",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Configure alerts on the most critical metrics",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Protect incoming requests to APIs (data plane) with Azure AD",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Create appropriate groups to control the visibility of the products",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "06862505-2d9a-4874-9491-2837b00a3475",
+ "link": "https://learn.microsoft.com/azure/api-management/backends",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Backends feature to eliminate redundant API backend configurations",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Named Values to store common values that can be used in policies",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
+ "link": "https://learn.microsoft.com/azure/api-management/high-availability",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Ensure there is an automated backup routine",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
+ "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
+ "service": "APIM",
+ "severity": "Low",
+ "text": "If you need to log at high performance levels, consider Event Hubs policy",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Apply throttling policies to control the number of requests per second",
+ "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Configure autoscaling to scale out the number of instances when the load increases",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
+ "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use the premium tier for production workloads.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Be aware of APIM's limits",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Ensure that the self-hosted gateway deployments are resilient.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "7519e385-a88b-4d34-966b-6269d686e890",
+ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Azure Front Door in front of APIM for multi-region deployment",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy the service within a Virtual Network (VNet)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Disable Public Network Access",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
+ "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Simplify management with PowerShell automation scripts",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
+ "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Promote usage of Visual Studio Code APIM extension for faster API development",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
+ "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Implement DevOps and CI/CD in your workflow",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "b6439493-426a-45f3-9697-cf65baee208d",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Secure APIs using client certificate authentication",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "2a67d143-1033-4c0a-8732-680896478f08",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Secure backend services using client certificate authentication",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
+ "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
+ "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "f8af3d94-1d2b-4070-846f-849197524258",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "791abd8b-7706-4e31-9569-afefde724be3",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use managed identities to authenticate to other Azure resources whenever possible",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Refer to baseline highly available zone-redundant web application architecture for best practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Implement health checks",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Refer to backup and restore best practices for Azure App Service",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Implement Azure App Service reliability best practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Familiarize with how to move an App Service app to another region During a disaster",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Familiarize with reliability support in Azure App Service",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Monitor App Service instances using Health checks",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.",
+ "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use Key Vault to store secrets",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.",
+ "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use Managed Identity to connect to Key Vault",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Store the App Service TLS certificate in Key Vault.",
+ "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use Key Vault to store TLS certificate.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.",
+ "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Isolate systems that process sensitive information",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).",
+ "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Do not store sensitive data on local disk",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.",
+ "guid": "919ca0b2-c121-459e-814b-933df574eccc",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Use an established Identity Provider for authentication",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.",
+ "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Deploy from a trusted environment",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.",
+ "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Disable basic authentication",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.",
+ "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use Managed Identity to connect to resources",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.",
+ "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Pull containers using a Managed Identity",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...",
+ "guid": "47768314-c115-4775-a2ea-55b46ad48408",
+ "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Send App Service runtime logs to Log Analytics",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
+ "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Send App Service activity logs to Log Analytics",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.",
+ "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Outbound network access should be controlled",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)",
+ "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Ensure a stable IP for outbound communications towards internet addresses",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.",
+ "guid": "0725769e-e669-41a4-a34a-c932223ece80",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Inbound network access should be controlled",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.",
+ "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use a WAF in front of App Service",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.",
+ "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Avoid for WAF to be bypassed",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Set minimum TLS policy to 1.2 in App Service configuration.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
+ "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Set minimum TLS policy to 1.2",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.",
+ "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
+ "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use HTTPS only",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.",
+ "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Wildcards must not be used for CORS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
+ "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Turn off remote debugging",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Enable Defender for Cloud - Defender for App Service",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Enable DDOS Protection Standard on the WAF VNet",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Pull containers over a Virtual Network",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Conduct a penetration test",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Deploy validated code",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Has an RBAC model been created for use within VMware vSphere",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "RBAC permissions should be granted on ADDS groups and not on specific users",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
+ "service": "AVS",
+ "severity": "High",
+ "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
+ "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "service": "AVS",
+ "severity": "High",
+ "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Limit use of CloudAdmin account to emergency access only",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Is East-West traffic filtering implemented within NSX-T",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5ac94222-3e13-4810-9230-81a941741583",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure all required resource reside within the same Azure availability zone(s)",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Are data processing implications (service provider / service consumer model) clear and documented",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8255461e-2aee-4345-9aec-8339248b262d",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Deploy your backup solution outside of vSan, on Azure native components",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For manual deployments, all configuration and deployments must be documented",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For automated deployments, request or reserve quota prior to starting the deployment",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "255461e2-aee3-4553-afc8-339248b262d6",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "AVS",
+ "severity": "High",
+ "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "AVS",
+ "severity": "High",
+ "text": "When using MON, you cannot enable MON on more than 100 Network extensions",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e614658d-d457-4e92-9139-b821102cad6e",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "AVS",
+ "severity": "High",
+ "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "AVS",
+ "severity": "High",
+ "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "AVS",
+ "severity": "High",
+ "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "AVS",
+ "severity": "High",
+ "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
+ "severity": "High",
+ "text": "Select the right Function hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Azure Functions",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "Azure Functions",
+ "severity": "High",
+ "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.BotService/botServices",
+ "checklist": "Azure Bot Service",
+ "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
+ "service": "Bot service",
+ "severity": "Medium",
+ "text": "Follow reliability support recommendations in Azure Bot Service",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.BotService/botServices",
+ "checklist": "Azure Bot Service",
+ "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
+ "service": "Bot service",
+ "severity": "Medium",
+ "text": "Deploying bots with local data residency and regional compliance",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.BotService/botServices",
+ "checklist": "Azure Bot Service",
+ "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
+ "service": "Bot service",
+ "severity": "Medium",
+ "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
+ "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Use more than 1 app instance for your apps",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "7504c230-6035-4183-95a5-85762acc6075",
+ "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Set up autoscaling in Spring Cloud Gateway",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
+ "service": "Spring Apps",
+ "severity": "Low",
+ "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
+ "link": "https://learn.microsoft.com/azure/spring-apps/overview",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage",
+ "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider the 'Azure security baseline for storage'",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet",
+ "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider using private endpoints for Azure Storage",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription",
+ "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Ensure older storage accounts are not using 'classic deployment model'",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.",
+ "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
+ "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Enable Microsoft Defender for all of your storage accounts",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.",
+ "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Enable 'soft delete' for blobs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
+ "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Disable 'soft delete' for blobs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.",
+ "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Enable 'soft delete' for containers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
+ "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Disable 'soft delete' for containers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion",
+ "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Enable resource locks on storage accounts",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
+ "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider immutable blobs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ",
+ "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Require HTTPS, i.e. disable port 80 on the storage account",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
+ "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
+ "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Limit shared access signature (SAS) tokens to HTTPS connections only",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "AAD tokens should be favored over shared access signatures, wherever possible",
+ "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
+ "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Use Azure Active Directory (Azure AD) tokens for blob access",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
+ "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Least privilege in IaM permissions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ",
+ "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ",
+ "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).",
+ "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider using Azure Monitor to audit control plane operations on the storage account",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
+ "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "When using storage account keys, consider enabling a 'key expiration policy'",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
+ "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
+ "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider configuring an SAS expiration policy",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider linking SAS to a stored access policy",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
+ "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Strive for short validity periods for ad-hoc SAS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
+ "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Apply a narrow scope to a SAS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ",
+ "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider scoping SAS to a specific client IP address, wherever possible",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
+ "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
+ "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.",
+ "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Avoid overly broad CORS policies",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
+ "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Determine how data at rest should be encrypted. Understand the thread model for data.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
+ "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Determine which/if platform encryption should be used.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Determine which/if client-side encryption should be used.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.",
+ "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Leverage a storagev2 account type for better performance and reliability",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "For write operation after failover, use customer-Managed Failover ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Understand Microsoft-Managed Failover details",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Enable Soft Delete",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
+ "service": "Cognitive Search",
+ "severity": "High",
+ "text": "Enable 2 replicas to have 99.9% availability for read operations",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
+ "service": "Cognitive Search",
+ "severity": "Medium",
+ "text": "Enable 3 replicas to have 99.9% availability for read/write operations",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support",
+ "service": "Cognitive Search",
+ "severity": "High",
+ "text": "Leverage Availability Zones by enabling read and/or write replicas",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
+ "service": "Cognitive Search",
+ "severity": "Medium",
+ "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
+ "service": "Cognitive Search",
+ "severity": "Medium",
+ "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
+ "service": "Cognitive Search",
+ "severity": "Medium",
+ "text": "Use Azure Traffic Manager to coordinate requests",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
+ "service": "Cognitive Search",
+ "severity": "High",
+ "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx",
+ "service": "Cognitive Services",
+ "severity": "Medium",
+ "text": "Leverage FTA HandBook for Cognitive Services",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Cognitive Services",
+ "severity": "Medium",
+ "text": "Backup Your Prompts",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Cognitive Services",
+ "severity": "High",
+ "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "325af625-ca44-4e46-a5e2-223ace8bb123",
+ "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations",
+ "service": "Cognitive Services",
+ "severity": "Medium",
+ "text": "Backup Your ChatGPT conversations",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618",
+ "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment",
+ "service": "Cognitive Services",
+ "severity": "Medium",
+ "text": "CI/CD for custom speech",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "3687a046-7a1f-4893-9bda-43324f248116",
+ "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base",
+ "service": "Cognitive Services",
+ "severity": "Low",
+ "text": "Move a knowledge base using export-import",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ "guid": "af416482-663c-4ed6-b195-b44c7068e09c",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support",
+ "service": "Container Apps",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment",
+ "service": "Container Apps",
+ "severity": "High",
+ "text": "Use more than one replica and enable Zone Redundancy.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Container Apps",
+ "severity": "High",
+ "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Container Apps",
+ "severity": "High",
+ "text": "Use Front Door or Traffic Manager to route traffic to the closest region",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "FTA Resiliency Playbook",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
+ "service": "CosmosDB",
+ "severity": "High",
+ "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "guid": "0d934a34-8b26-43e7-bd60-513a3649906e",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Run multiple replicas of the database (>1 ) in Prod",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe",
+ "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Leverage Multi-Region Writes",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Span Cosmos account across two or more regions with multi-region writes",
+ "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Distribute your data globally",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong",
+ "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels",
+ "service": "CosmosDB",
+ "severity": "High",
+ "text": "Choose from several well-defined consistency models",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.",
+ "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Enable Service managed failover",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.",
+ "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Enable Automatic Backups",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.",
+ "guid": "a6eb33f6-005c-4d92-9286-7655672d6121",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Perform Periodic Backups",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists.",
+ "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Continous Backup with point-in-time restore in Azure Cosmos DB",
+ "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "service": "Azure Monitor",
+ "severity": "Medium",
+ "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "45901365-d38e-443f-abcb-d868266abca2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Azure Backup",
+ "severity": "Medium",
+ "text": "check backup instances with the underlying datasource not found",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Azure Backup",
+ "severity": "Medium",
+ "text": "Consider a good balance between site recovery storage and backup for non mission critical applications",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "service": "Azure Monitor",
+ "severity": "Medium",
+ "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Azure Monitor",
+ "severity": "Medium",
+ "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)",
+ "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Make sure advisor is configured for VM right sizing ",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "description": "check by searching the Meter Category Licenses in the Cost analysys",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
+ "severity": "Medium",
+ "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Only larger disks can be reserved => 1 TiB -",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "After the right-sizing optimization",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Sql/servers",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
+ "severity": "Medium",
+ "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Consider using a VMSS to match demand rather than flat sizing",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
+ "severity": "Medium",
+ "text": "Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
+ "service": "Databricks",
+ "severity": "Medium",
+ "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
+ "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Functions - Reuse connections",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Functions - Cache data locally",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Functions - Keep your functions warm",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Azure Functions",
+ "severity": "Medium",
+ "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
+ "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Consider archiving tiers for less used data",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Consider using standard SSD rather than Premium or Ultra where possible",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "Site Recovery",
+ "severity": "Medium",
+ "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Storage accounts: check hot tier and/or GRS necessary",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
+ "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "35e33789-7e31-4c67-b68c-f6a62a119495",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Export cost data to a storage account for additional data analysis.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
+ "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Create multiple Apache Spark pool definitions of various sizes.",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Right-sizing all VMs",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Swap VM sized with normalized and most recent sizes",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Containerizing an application can improve VM density and save money on scaling it",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Protect logic apps from region failures with zone redundancy and availability zones",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "8aed4fbf-0830-4883-899d-222a154af478",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
+ "severity": "Medium",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
+ "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
+ "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
+ "service": "Event Hubs",
+ "severity": "Low",
+ "text": "Use customer-managed key option in data at rest encryption when required",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ",
+ "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ",
+ "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Avoid using root account when it is not necessary",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ",
+ "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.",
+ "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
+ "service": "Event Hubs",
+ "severity": "High",
+ "text": "Use least privilege data plane RBAC",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.",
+ "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
+ "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
+ "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
+ "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
+ "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "guid": "31d41e36-11c8-417b-8afb-c410d4391898",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Leverage FTA Resillency HandBook",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones",
+ "guid": "f15bce21-9e4a-40eb-9787-9424d226786d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
+ "service": "Event Hubs",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "guid": "20b56c56-ad58-4519-8f82-735c586bb281",
+ "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Use the Premium or Dedicated SKUs for predicable performance",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations",
+ "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
+ "service": "Event Hubs",
+ "severity": "High",
+ "text": "Plan for Geo Disaster Recovery using Active Passive configuration",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs",
+ "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "For Business Critical Applications, use Active Active configuration",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
+ "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
+ "service": "Event Hubs",
+ "severity": "Medium",
+ "text": "Design Resilient Event Hubs",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
+ "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
+ "service": "AAD B2C",
+ "severity": "Medium",
+ "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
+ "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
+ "service": "AAD B2C",
+ "severity": "Medium",
+ "text": "Custom brand assets should be hosted on a CDN",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
+ "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
+ "service": "AAD B2C",
+ "severity": "Low",
+ "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medium",
+ "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medium",
+ "text": "Don't replicate! Replication can create issues with directory synchronization",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medium",
+ "text": "Have active-active for multi-regions",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Add Azure AD Domain service stamps to additional regions and locations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Use Replica Sets for DR",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "IoT Hub Review",
+ "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "IoT Hub Review",
+ "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
+ "severity": "Medium",
+ "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "IoT Hub Review",
+ "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "IoT Hub Review",
+ "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Learn how to trigger a manual failover.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "IoT Hub Review",
+ "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Learn how to fail back after a failover.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "High",
+ "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "Key Vault",
+ "severity": "High",
+ "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "Key Vault",
+ "severity": "Low",
+ "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
+ "service": "Key Vault",
+ "severity": "Low",
+ "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
+ "service": "Key Vault",
+ "severity": "Low",
+ "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection",
+ "service": "Key Vault",
+ "severity": "Medium",
+ "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
+ "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
+ "service": "Logic Apps",
+ "severity": "High",
+ "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
+ "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "Logic Apps",
+ "severity": "High",
+ "text": "Protect logic apps from region failures with zone redundancy and availability zones",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
+ "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Logic Apps",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
+ "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
+ "service": "Logic Apps",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
+ "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
+ "service": "Logic Apps",
+ "severity": "Medium",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
+ "service": "Azure MySQL",
+ "severity": "Medium",
+ "text": "Leverage Flexible Server",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
+ "service": "Azure MySQL",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
+ "service": "Azure MySQL",
+ "severity": "Medium",
+ "text": "Leverage Data-in replication for cross-region DR scenarios",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
+ "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Ensure you are using Application Gateway v2 SKU",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
+ "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Load Balancer",
+ "severity": "Medium",
+ "text": "Ensure you are using the Standard SKU for your Azure Load Balancers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
+ "service": "Load Balancer",
+ "severity": "Medium",
+ "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
+ "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
+ "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
+ "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Configure autoscaling with a minimum amount of instances of two.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
+ "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Deploy Application Gateway across Availability Zones",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/trafficManagerProfiles",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Traffic Manager",
+ "severity": "High",
+ "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
+ "severity": "Low",
+ "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Avoid combining Azure Traffic Manager and Azure Front Door.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
+ "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
+ "severity": "Low",
+ "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
+ "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "Front Door",
+ "severity": "Low",
+ "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.",
+ "waf": "Performance"
+ },
+ {
+ "ammp": true,
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
+ "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "Load Balancer",
+ "severity": "High",
+ "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
+ "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
+ "service": "Front Door",
+ "severity": "Low",
+ "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
+ "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Tune the Azure Application Gateway WAF for your workload. Reduce false positive detections.",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
+ "service": "App Gateway",
+ "severity": "Low",
+ "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Add diagnostic settings to save your Azure Front Door WAF logs.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use WAF Policies instead of the legacy WAF configuration.",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Make sure your origins only take traffic from your Azure Front Door instance.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "You should encrypt traffic to the backend servers.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "You should use a Web Application Firewall.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Redirect HTTP to HTTPS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
+ "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
+ "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
+ "service": "App Gateway",
+ "severity": "Low",
+ "text": "Create custom error pages to display a personalized user experience",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
+ "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use transport layer load balancing",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
+ "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Configure routing based on host or domain name for multiple web applications on a single gateway",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
+ "service": "App Gateway",
+ "severity": "Low",
+ "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DBforPostgreSQL/servers",
+ "checklist": "PostgreSQL Review Checklist",
+ "guid": "65285269-441c-44bf-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview",
+ "service": "PostgreSQL",
+ "severity": "Medium",
+ "text": "Leverage Flexible Server",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DBforPostgreSQL/servers",
+ "checklist": "PostgreSQL Review Checklist",
+ "guid": "016ccf31-ae5a-41eb-9888-9535e227896d",
+ "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability",
+ "service": "PostgreSQL",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DBforPostgreSQL/servers",
+ "checklist": "PostgreSQL Review Checklist",
+ "guid": "31b67c67-be59-4519-8083-845d587cb391",
+ "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas",
+ "service": "PostgreSQL",
+ "severity": "Medium",
+ "text": "Leverage cross-region read replicas for BCDR",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687",
+ "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Leverage FTA Resillency Handbook",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "High",
+ "text": "Plan for Data Center level outage",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets",
+ "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Practice Failover for BCDR",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "97b15b8a-219a-44ab-bb57-879024d22678",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "High",
+ "text": "Plan a backup strategy and take regular backups",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
+ "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
+ "link": "https://learn.microsoft.com/purview/deployment-best-practices",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Purview accounts architectures and deployment best practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Collection Architectures and best practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Assest lifecycle best practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow automation best practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Backup and Migration Best practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Purview Glossary Best Practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
+ "link": "https://learn.microsoft.com/purview/concept-workflow",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Workflows ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-security",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Purview Security Best Practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Purview Data Lineage Best Practices",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "9579e76b-896e-4710-a7da-7be9956d14d3",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Best Practices for Scanning Registered Sources",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-classification",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Classification Best Practices in Governance Portal",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69",
+ "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Perform Sensitivity Labelling in the Purview Data Map",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96",
+ "link": "https://learn.microsoft.com/purview/concept-data-share",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Data Estate Insights",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab",
+ "link": "https://learn.microsoft.com/purview/catalog-adoption-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Data stewardship and Catalog adoption",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Inventory and Ownership",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9",
+ "link": "https://learn.microsoft.com/purview/glossary-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b130a888-9579-4e76-a896-e710a7da7be9",
+ "link": "https://learn.microsoft.com/purview/compliance-manager",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Generate assessment scores",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f",
+ "link": "https://learn.microsoft.com/purview/compliance-manager-scoring",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Profiling- get summaries of data content",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1",
+ "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow Microsoft Purview Data Owner access policies",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
+ "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow Self-service access policies",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b49e5b96-0332-44ec-b8cc-13318da61170",
+ "link": "https://learn.microsoft.com/purview/concept-policies-devops",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow DevOps policies",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
+ "severity": "High",
+ "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
+ "severity": "Medium",
+ "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
+ "severity": "Medium",
+ "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
+ "severity": "Medium",
+ "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachineScaleSets",
+ "checklist": "Resiliency Review",
+ "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.",
+ "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c",
+ "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
+ "service": "VMSS",
+ "severity": "Low",
+ "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).",
+ "guid": "4d874a74-8b66-42d6-b150-512a66498f6d",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
+ "service": "VM",
+ "severity": "High",
+ "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%",
+ "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
+ "service": "VM",
+ "severity": "High",
+ "text": "Use Premium or Ultra disks for production VMs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.",
+ "guid": "b31e38c3-f298-412b-8363-cffe179b599d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
+ "service": "VM",
+ "severity": "High",
+ "text": "Ensure Managed Disks are used for all VMs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.",
+ "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Do not use the Temp disk for anything that is not acceptable to be lost",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.",
+ "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Leverage Availability Zones for your VMs in regions where they are supported",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.",
+ "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)",
+ "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "VM",
+ "severity": "High",
+ "text": "Avoid running a production workload on a single VM",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.",
+ "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "VM",
+ "severity": "High",
+ "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.",
+ "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview",
+ "service": "VM",
+ "severity": "Low",
+ "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.",
+ "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666",
+ "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Increase quotas in DR region before testing failover with ASR",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.",
+ "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events",
+ "service": "VM",
+ "severity": "Low",
+ "text": "Utilize Scheduled Events to prepare for VM maintenance",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.",
+ "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.",
+ "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for Storage Account Containers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for blobs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.",
+ "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about",
+ "service": "Azure Backup",
+ "severity": "Medium",
+ "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.",
+ "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae",
+ "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept",
+ "service": "Azure Backup",
+ "severity": "Low",
+ "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.",
+ "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault",
+ "service": "Azure Backup",
+ "severity": "Low",
+ "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Resiliency Review",
+ "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.",
+ "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146",
+ "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
+ "service": "DNS",
+ "severity": "Low",
+ "text": "Implement DNS Failover using Azure DNS Private Resolvers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.PowerBI/gateways",
+ "checklist": "Resiliency Review",
+ "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.",
+ "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103",
+ "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters",
+ "service": "Data Gateways",
+ "severity": "Medium",
+ "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.",
+ "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
+ "severity": "High",
+ "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
+ "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
+ "training": "https://github.com/Azure/sap-automation",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b651423c-8552-42db-a545-5cb50c05527a",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "SAP",
+ "severity": "High",
+ "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
+ "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
+ "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Native database replication technology should be used to synchronize the database in a HA pair.",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
+ "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
+ "service": "SAP",
+ "severity": "High",
+ "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
+ "service": "SAP",
+ "severity": "High",
+ "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
+ "service": "SAP",
+ "severity": "High",
+ "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
+ "service": "SAP",
+ "severity": "High",
+ "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Make sure the Floating IP is enabled on the Load balancer",
+ "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "SAP",
+ "severity": "High",
+ "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "SAP",
+ "severity": "High",
+ "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "service": "SAP",
+ "severity": "High",
+ "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
+ "service": "SAP",
+ "severity": "High",
+ "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
+ "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Automate SAP System Start-Stop to manage costs.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP HANA",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP BTP",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "enforce existing Management Group policies to SAP Subscriptions",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
+ "severity": "High",
+ "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Help protect your HANA database by using the Azure Backup service.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure time-zone matches between the operating system and the SAP system.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
+ "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "73686af4-6791-4f89-95ad-a43324e13811",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
+ "severity": "High",
+ "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
+ "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
+ "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
+ "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
+ "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
+ "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c027f893-f404-41a9-b33d-39d625a14964",
+ "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
+ "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
+ "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a3592829-e6e2-4061-9368-6af46791f893",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
+ "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
+ "service": "SAP",
+ "severity": "High",
+ "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
+ "training": "https://me.sap.com/notes/2731110",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
+ "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
+ "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "82734c88-6ba2-4802-8459-11475e39e530",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Public IP assignment to VM running SAP Workload is not recommended.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
+ "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Consider reserving IP address on DR side when configuring ASR",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Avoid using overlapping IP address ranges for production and DR sites.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
+ "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
+ "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5ada4332-4e13-4811-9231-81aa41742694",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.",
+ "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "6791f893-5ada-4433-84e1-3811523181aa",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.",
+ "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.",
+ "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
+ "severity": "High",
+ "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
+ "severity": "High",
+ "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "402a9846-d515-4061-aff8-cd30088693fa",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
+ "service": "SAP",
+ "severity": "High",
+ "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Review SAP HANA database backups for Azure VMs.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review Site Recovery built-in monitoring, where used for SAP.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
+ "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Review the Monitoring the SAP HANA System Landscape guidance.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review Oracle Database in Azure Linux VM backup strategies.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
+ "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review the use of Azure Blob Storage with SQL Server 2016.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review the use of Automated Backup v2 for Azure VMs.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Enabling Write accelerator for M series when using premium disks(V1)",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Test availability zone latency.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
+ "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Activate SAP EarlyWatch Alert for all SAP components.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
+ "training": "https://me.sap.com/notes/0002879613",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review SQL Server performance monitoring using CCMS.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
+ "link": "https://me.sap.com/notes/500235",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
+ "training": "https://me.sap.com/notes/1100926/E",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
+ "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review SAP HANA studio alerts.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
+ "link": "https://me.sap.com/notes/1969700",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
+ "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "08951710-79a2-492a-adbc-06d7a401545b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.",
+ "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.",
+ "training": "https://me.sap.com/notes/3019299/E",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.",
+ "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use Azure Key Vault to store your secrets and credentials",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
+ "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "High",
+ "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.",
+ "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
+ "service": "SAP",
+ "severity": "High",
+ "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
+ "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
+ "guid": "87af4a79-1f89-439b-ba47-768e14c11567",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
+ "service": "Service Bus",
+ "severity": "Low",
+ "text": "Use customer-managed key option in data at rest encryption when required",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
+ "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
+ "service": "Service Bus",
+ "severity": "Medium",
+ "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. ",
+ "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
+ "service": "Service Bus",
+ "severity": "Medium",
+ "text": "Avoid using root account when it is not necessary",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ",
+ "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
+ "service": "Service Bus",
+ "severity": "Medium",
+ "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ",
+ "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
+ "service": "Service Bus",
+ "severity": "High",
+ "text": "Use least privilege data plane RBAC",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
+ "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
+ "service": "Service Bus",
+ "severity": "Medium",
+ "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
+ "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
+ "service": "Service Bus",
+ "severity": "Medium",
+ "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
+ "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
+ "service": "Service Bus",
+ "severity": "Medium",
+ "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Reliability"
+ },
+ {
+ "aprlGuid": "74fcb9f2-9a25-49a6-8c42-d32851c4afb7",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Ensure Azure Service Health notifications are set for Azure VMware Solution across all used regions and subscriptions. This communicates service/security issues and maintenance activities like host replacements and upgrades, reducing service request submissions.\n",
+ "guid": "8f84738c-506d-453b-b430-98da8175a959",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring#design-recommendations"
+ }
+ ],
+ "longDescription": "Ensure Azure Service Health notifications are set for Azure VMware Solution across all used regions and subscriptions. This communicates service/security issues and maintenance activities like host replacements and upgrades, reducing service request submissions.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prompt mitigation of issues.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "High",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Azure Service Health notifications and alerts for Azure VMware Solution"
+ },
+ {
+ "aprlGuid": "29d7a115-dfb6-4df1-9205-04824109548f",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Set an alert for when the node count in Azure VMware Solution Private Cloud hits or exceeds 90 hosts, enabling timely planning for a new private cloud.\n",
+ "guid": "e2dafdc5-0a99-4bf0-bc67-b4c9bfd4bdc2",
+ "learnMoreLink": [
+ {
+ "name": "Configure and streamline alerts",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
+ }
+ ],
+ "longDescription": "Set an alert for when the node count in Azure VMware Solution Private Cloud hits or exceeds 90 hosts, enabling timely planning for a new private cloud.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Proactive capacity planning",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "Medium",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor when Azure VMware Solution Private Cloud is reaching the capacity limit"
+ },
+ {
+ "aprlGuid": "f86355e3-de7c-4dad-8080-1b0b411e66c8",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Alert when the cluster size reaches 14 hosts. Set up periodic alerts for planning new clusters or datastores due to growth, especially from storage needs. Beyond 14 hosts, trigger alerts for each new host addition for proactive resource monitoring.\n",
+ "guid": "3cee34d5-c894-4d31-93e8-57d64401655d",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
+ }
+ ],
+ "longDescription": "Alert when the cluster size reaches 14 hosts. Set up periodic alerts for planning new clusters or datastores due to growth, especially from storage needs. Beyond 14 hosts, trigger alerts for each new host addition for proactive resource monitoring.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Proactive resource management",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "Medium",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor when Azure VMware Solution Cluster Size is approaching the host limit"
+ },
+ {
+ "aprlGuid": "9ec5b4c8-3dd8-473a-86ee-3273290331b9",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "For Azure VMware Solution, enabling Stretched Clusters offers 99.99% SLA, synchronous storage replication (RPO=0), and spreads vSAN datastore across two AZs. Must be done at initial setup, needing double quota due to extension across AZs.\n",
+ "guid": "b7ac4843-740a-495b-9144-00d2d5e5d879",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/infrastructure#implement-high-availability"
+ },
+ {
+ "name": "Stretched Clusters",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-vmware/deploy-vsan-stretched-clusters"
+ }
+ ],
+ "longDescription": "For Azure VMware Solution, enabling Stretched Clusters offers 99.99% SLA, synchronous storage replication (RPO=0), and spreads vSAN datastore across two AZs. Must be done at initial setup, needing double quota due to extension across AZs.\n",
+ "pgVerified": true,
+ "potentialBenefits": "99.99% SLA, 0 RPO, Multi-AZ",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "Low",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore"
+ },
+ {
+ "aprlGuid": "4232eb32-3241-4049-9e14-9b8005817b56",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Ensure VMware vSAN datastore slack space is maintained for SLA by monitoring storage utilization and setting alerts at 70% and 75% utilization to allow for capacity planning. To expand, add hosts or external storage like Azure Elastic SAN, Azure NetApp Files, if CPU and RAM requirements are met.\n",
+ "guid": "b5dd53be-22f3-4aec-84c9-5936d2efd5a9",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-alerts-for-azure-vmware-solution#supported-metrics-and-activities"
+ }
+ ],
+ "longDescription": "Ensure VMware vSAN datastore slack space is maintained for SLA by monitoring storage utilization and setting alerts at 70% and 75% utilization to allow for capacity planning. To expand, add hosts or external storage like Azure Elastic SAN, Azure NetApp Files, if CPU and RAM requirements are met.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimized capacity planning for vSAN",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "High",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization"
+ },
+ {
+ "aprlGuid": "fa4ab927-bced-429a-971a-53350de7f14b",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Ensure Diagnostic Settings are configured for each private cloud to send syslogs to external sources for analysis and/or archiving. Azure VMware Solution Syslogs contain data for troubleshooting and performance, aiding quicker issue resolution and early detection of issues.\n",
+ "guid": "5caad448-df24-4a8e-889d-4ff04ab676a9",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#manage-logs-and-archives"
+ }
+ ],
+ "longDescription": "Ensure Diagnostic Settings are configured for each private cloud to send syslogs to external sources for analysis and/or archiving. Azure VMware Solution Syslogs contain data for troubleshooting and performance, aiding quicker issue resolution and early detection of issues.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Faster issue resolution, early detection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "High",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Syslog in Diagnostic Settings for Azure VMware Solution"
+ },
+ {
+ "aprlGuid": "4ee5d535-c47b-470a-9557-4a3dd297d62f",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Ensure sufficient compute resources to avoid host resource exhaustion in Azure VMware Solution, which utilizes vSphere DRS and HA for dynamic workload resource management. However, sustained CPU utilization over 95% may increase CPU Ready times, impacting workloads.\n",
+ "guid": "699cecb2-4168-4731-b792-1ae9bd45b1f4",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
+ }
+ ],
+ "longDescription": "Ensure sufficient compute resources to avoid host resource exhaustion in Azure VMware Solution, which utilizes vSphere DRS and HA for dynamic workload resource management. However, sustained CPU utilization over 95% may increase CPU Ready times, impacting workloads.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids resource exhaustion, optimizes performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "Medium",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor CPU Utilization to ensure sufficient resources for workloads"
+ },
+ {
+ "aprlGuid": "029208c8-5186-4a76-8ee8-6e3445fef4dd",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Ensure sufficient memory resources to prevent host resource exhaustion in Azure VMware Solution. It uses vSphere DRS and vSphere HA for dynamic workload management. Yet, continuous memory use over 95% leads to disk swapping, affecting workloads.\n",
+ "guid": "446bde8c-c798-446c-a006-5c0d24833cdd",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
+ }
+ ],
+ "longDescription": "Ensure sufficient memory resources to prevent host resource exhaustion in Azure VMware Solution. It uses vSphere DRS and vSphere HA for dynamic workload management. Yet, continuous memory use over 95% leads to disk swapping, affecting workloads.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids host exhaustion and swapping",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "Medium",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Memory Utilization to ensure sufficient resources for workloads"
+ },
+ {
+ "aprlGuid": "a5ef7c05-c611-4842-9af5-11efdc99123a",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Applying a resource delete lock to the Azure VMware Solution Private Cloud resource group prevents unauthorized or accidental deletion by anyone with contributor access, ensuring the protection and reliability of the Azure VMware Solution Private Cloud.\n",
+ "guid": "b2e1a5a8-1723-4457-a20f-428ecf5415d9",
+ "learnMoreLink": [
+ {
+ "name": "Lock your resources to protect your infrastructure",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources"
+ }
+ ],
+ "longDescription": "Applying a resource delete lock to the Azure VMware Solution Private Cloud resource group prevents unauthorized or accidental deletion by anyone with contributor access, ensuring the protection and reliability of the Azure VMware Solution Private Cloud.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents accidental deletion",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "High",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Apply Resource delete lock on the resource group hosting the private cloud"
+ },
+ {
+ "aprlGuid": "e0ac2f57-c8c0-4b8c-a7c8-19e5797828b5",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "When using customer-managed keys for encrypting vSAN datastores, leveraging Azure Key Vault for central management and accessing them via a managed identity linked to the private cloud is advised. The expiration of these keys can render the vSAN datastore and its associated workloads inaccessible.\n",
+ "guid": "853a6747-b050-4baf-b01b-01958d129d6a",
+ "learnMoreLink": [
+ {
+ "name": "Configure Customer Managed Keys",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-customer-managed-keys?tabs=azure-portal"
+ }
+ ],
+ "longDescription": "When using customer-managed keys for encrypting vSAN datastores, leveraging Azure Key Vault for central management and accessing them via a managed identity linked to the private cloud is advised. The expiration of these keys can render the vSAN datastore and its associated workloads inaccessible.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoid outages with key auto-rotation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "High",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Use key autorotation for vSAN datastore customer-managed keys"
+ },
+ {
+ "aprlGuid": "fcc2e257-23af-4c68-aac8-9cc03033c939",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Azure VMware Solution private clouds support up to three DNS servers for a single FQDN, preventing a single DNS server from becoming a point of failure. It's crucial to use multiple DNS servers for on-premises FQDN resolution from each private cloud.\n",
+ "guid": "8e2b2686-42ea-4bc1-a567-ee580eaa6d37",
+ "learnMoreLink": [
+ {
+ "name": "Configure DNS forwarder",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-dns-azure-vmware-solution#configure-dns-forwarder"
+ }
+ ],
+ "longDescription": "Azure VMware Solution private clouds support up to three DNS servers for a single FQDN, preventing a single DNS server from becoming a point of failure. It's crucial to use multiple DNS servers for on-premises FQDN resolution from each private cloud.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances reliability and avoids failure",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AVS/privateClouds",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AVS/privateClouds",
+ "severity": "High",
+ "source": "azure-resources/AVS/privateClouds/recommendations.yaml",
+ "tags": null,
+ "text": "Use multiple DNS servers per private FQDN zone"
+ },
+ {
+ "aprlGuid": "baf3bfc0-32a2-4c0c-926d-c9bf0b49808e",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Upgrading the API Management instance to the Premium SKU adds support for Availability Zones, enhancing availability and resilience by distributing services across physically separate locations within Azure regions.\n",
+ "guid": "3389e6f5-d6c2-4348-9fc4-a6082db5a2bc",
+ "learnMoreLink": [
+ {
+ "name": "Change your API Management service tier",
+ "url": "https://learn.microsoft.com/en-us/azure/api-management/upgrade-and-scale#change-your-api-management-service-tier"
+ },
+ {
+ "name": "Migrate Azure API Management to availability zone support",
+ "url": "https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt"
+ }
+ ],
+ "longDescription": "Upgrading the API Management instance to the Premium SKU adds support for Availability Zones, enhancing availability and resilience by distributing services across physically separate locations within Azure regions.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced availability and resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ApiManagement/service",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ApiManagement/service",
+ "severity": "High",
+ "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "tags": null,
+ "text": "Migrate API Management services to Premium SKU to support Availability Zones"
+ },
+ {
+ "aprlGuid": "740f2c1c-8857-4648-80eb-47d2c56d5a50",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Zone redundancy for APIM instances ensures the gateway and control plane (Management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, boosting resilience to zone failures.\n",
+ "guid": "14a7d4a6-ad0f-4863-ac5b-3295452c8fdf",
+ "learnMoreLink": [
+ {
+ "name": "Ensure API Management availability and reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/api-management/high-availability#availability-zones"
+ },
+ {
+ "name": "Migrate Azure API Management to availability zone support",
+ "url": "https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt"
+ }
+ ],
+ "longDescription": "Zone redundancy for APIM instances ensures the gateway and control plane (Management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, boosting resilience to zone failures.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Improved resilience to zone failures",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ApiManagement/service",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ApiManagement/service",
+ "severity": "High",
+ "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Availability Zones on Premium API Management instances"
+ },
+ {
+ "aprlGuid": "e35cf148-8eee-49d1-a1c9-956160f99e0b",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Upgrading to API Management stv2 is required as stv1 retires on 31 Aug 2024, offering enhanced capabilities with the new platform version.\n",
+ "guid": "4b6ce8f0-7243-4339-8907-3aa82f9e9c3a",
+ "learnMoreLink": [
+ {
+ "name": "Azure API Management - stv1 platform retirement (August 2024)",
+ "url": "https://learn.microsoft.com/en-us/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024"
+ },
+ {
+ "name": "Azure API Management compute platform",
+ "url": "https://learn.microsoft.com/en-us/azure/api-management/compute-infrastructure"
+ }
+ ],
+ "longDescription": "Upgrading to API Management stv2 is required as stv1 retires on 31 Aug 2024, offering enhanced capabilities with the new platform version.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures service continuity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ApiManagement/service",
+ "recommendationTypeId": "e5f60ef8-3fcc-4fb5-bee7-7aaeb44c1509",
+ "service": "Microsoft.ApiManagement/service",
+ "severity": "High",
+ "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "tags": null,
+ "text": "Azure API Management platform version should be stv2"
+ },
+ {
+ "aprlGuid": "c79680ea-de85-44fa-a596-f31fa17a952f",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Use API Management with auto-scale for high availability in workloads that experience variable traffic patterns. There are several limitations with auto-scale, so review the documentation to ensure it meets your requirements.\n",
+ "guid": "03b78016-cb19-485b-ab71-607ecc22cf62",
+ "learnMoreLink": [
+ {
+ "name": "Setting up auto-scale for Azure API Management",
+ "url": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale"
+ }
+ ],
+ "longDescription": "Use API Management with auto-scale for high availability in workloads that experience variable traffic patterns. There are several limitations with auto-scale, so review the documentation to ensure it meets your requirements.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced availability and resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ApiManagement/service",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ApiManagement/service",
+ "severity": "Low",
+ "source": "azure-resources/ApiManagement/service/recommendations.yaml",
+ "tags": null,
+ "text": "Enable auto-scale for production workloads on API Management services"
+ },
+ {
+ "aprlGuid": "8dbcd94b-0948-4df3-b608-1946726c3abf",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Enable container health probes to monitor the health of your container apps and ensure that unhealthy containers are restarted automatically.\n",
+ "guid": "5255e1b7-dae1-4b59-a062-4d97edb62b94",
+ "learnMoreLink": [
+ {
+ "name": "Health probes for Azure Container Apps",
+ "url": "https://learn.microsoft.com/azure/container-apps/health-probes?tabs=arm-template"
+ }
+ ],
+ "longDescription": "Enable container health probes to monitor the health of your container apps and ensure that unhealthy containers are restarted automatically.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced availability and resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.App/containerApps",
+ "recommendationTypeId": null,
+ "service": "Microsoft.App/containerApps",
+ "severity": "High",
+ "source": "azure-resources/App/containerApps/recommendations.yaml",
+ "tags": null,
+ "text": "Enable container health probes"
+ },
+ {
+ "aprlGuid": "f4201965-a88d-449d-b3b4-021394719eb2",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "To take advantage of availability zones, you must enable zone redundancy when you create a Container Apps environment. The environment must include a virtual network with an available subnet. To ensure proper distribution of replicas, set your app's minimum replica count to three.\n",
+ "guid": "11db5296-3fee-46dd-a8a6-60a1192612e3",
+ "learnMoreLink": [
+ {
+ "name": "Reliability in Azure Container Apps",
+ "url": "https://learn.microsoft.com/en-us/azure/reliability/reliability-azure-container-apps"
+ }
+ ],
+ "longDescription": "To take advantage of availability zones, you must enable zone redundancy when you create a Container Apps environment. The environment must include a virtual network with an available subnet. To ensure proper distribution of replicas, set your app's minimum replica count to three.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances app resiliency and reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.App/managedenvironments",
+ "recommendationTypeId": null,
+ "service": "Microsoft.App/managedenvironments",
+ "severity": "High",
+ "source": "azure-resources/App/managedEnvironments/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy zone redundant Container app environments"
+ },
+ {
+ "aprlGuid": "bb4c8db4-f821-475b-b1ea-16e95358665e",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "With Purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires.\n",
+ "guid": "ae22cfdf-62cf-4b90-89ac-f7fe366fccee",
+ "learnMoreLink": [
+ {
+ "name": "Purge protection",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-soft-delete#purge-protection"
+ }
+ ],
+ "longDescription": "With Purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Prevent accidental deletion of configuration stores.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AppConfiguration/configurationStores",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AppConfiguration/configurationStores",
+ "severity": "Low",
+ "source": "azure-resources/AppConfiguration/configurationStores/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Purge protection for Azure App Configuration"
+ },
+ {
+ "aprlGuid": "2102a57a-a056-4d5e-afe5-9df9f92177ca",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "SLA is not available for Free tier. Upgrade to the Standard tier to get an SLA of 99.9%\n",
+ "guid": "fbcda2f3-1411-4617-a689-7bbba710cb55",
+ "learnMoreLink": [
+ {
+ "name": "Choose App Configuration tier",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-app-configuration/faq#which-app-configuration-tier-should-i-use"
+ }
+ ],
+ "longDescription": "SLA is not available for Free tier. Upgrade to the Standard tier to get an SLA of 99.9%\n",
+ "pgVerified": false,
+ "potentialBenefits": "High availability, more storage, higher request quota.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.AppConfiguration/configurationStores",
+ "recommendationTypeId": null,
+ "service": "Microsoft.AppConfiguration/configurationStores",
+ "severity": "High",
+ "source": "azure-resources/AppConfiguration/configurationStores/recommendations.yaml",
+ "tags": null,
+ "text": "Upgrade to App Configuration Standard tier"
+ },
+ {
+ "aprlGuid": "67205887-0733-466e-b50e-b1cd7316c514",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Set up disaster recovery for Automation accounts and resources like Modules, Connections, Credentials, Certificates, Variables, and Schedules to deal with region or zone failures. A replica Automation account should be ready in a secondary region for failover.\n",
+ "guid": "08ba3cb3-f55f-4add-afae-2334134c9e78",
+ "learnMoreLink": [
+ {
+ "name": "Disaster recovery for Automation accounts",
+ "url": "https://learn.microsoft.com/en-us/azure/automation/automation-disaster-recovery?tabs=win-hrw%2Cps-script%2Coption-one"
+ },
+ {
+ "name": "Disaster recovery scenarios for cloud and hybrid jobs",
+ "url": "https://learn.microsoft.com/en-us/azure/automation/automation-disaster-recovery?tabs=win-hrw%2Cps-script%2Coption-one#scenarios-for-cloud-and-hybrid-jobs"
+ }
+ ],
+ "longDescription": "Set up disaster recovery for Automation accounts and resources like Modules, Connections, Credentials, Certificates, Variables, and Schedules to deal with region or zone failures. A replica Automation account should be ready in a secondary region for failover.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures continuity during outages",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Automation/automationAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Automation/automationAccounts",
+ "severity": "High",
+ "source": "azure-resources/Automation/automationAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Set up disaster recovery of Automation accounts and its dependent resources"
+ },
+ {
+ "aprlGuid": "3464854d-6f75-4922-95e4-a2a308b53ce6",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "To ensure cross-region disaster recovery and business continuity, set the right quotas for all Batch accounts to allocate necessary core numbers upfront, preventing execution interruptions from reaching quota limits.\n",
+ "guid": "a27de03b-7832-4a37-a241-b5a2dab25ccd",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/azure/reliability/reliability-batch#cross-region-disaster-recovery-and-business-continuity"
+ }
+ ],
+ "longDescription": "To ensure cross-region disaster recovery and business continuity, set the right quotas for all Batch accounts to allocate necessary core numbers upfront, preventing execution interruptions from reaching quota limits.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures business continuity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Batch/batchAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Batch/batchAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/Batch/batchAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Batch Account quota"
+ },
+ {
+ "aprlGuid": "71cfab8f-d588-4742-b175-b6e07ae48dbd",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "When using Virtual Machine Configuration for Azure Batch pools, opting to distribute your pool across Availability Zones bolsters your compute nodes against Azure datacenter failures.\n",
+ "guid": "eaea5227-2c86-4c03-99ce-d541cde382a4",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/azure/batch/create-pool-availability-zones"
+ }
+ ],
+ "longDescription": "When using Virtual Machine Configuration for Azure Batch pools, opting to distribute your pool across Availability Zones bolsters your compute nodes against Azure datacenter failures.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced reliability and failure protection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Batch/batchAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Batch/batchAccounts",
+ "severity": "High",
+ "source": "azure-resources/Batch/batchAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Create an Azure Batch pool across Availability Zones"
+ },
+ {
+ "aprlGuid": "5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure Cache for Redis offers zone redundancy in Premium and Enterprise tiers, using VMs across multiple Availability Zones to ensure greater resilience and availability.\n",
+ "guid": "659e036b-8699-4704-afcf-aa1cb7245f64",
+ "learnMoreLink": [
+ {
+ "name": "Enable zone redundancy for Azure Cache for Redis",
+ "url": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy"
+ }
+ ],
+ "longDescription": "Azure Cache for Redis offers zone redundancy in Premium and Enterprise tiers, using VMs across multiple Availability Zones to ensure greater resilience and availability.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Higher resilience and availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cache/Redis",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cache/Redis",
+ "severity": "High",
+ "source": "azure-resources/Cache/Redis/recommendations.yaml",
+ "tags": null,
+ "text": "Enable zone redundancy for Azure Cache for Redis"
+ },
+ {
+ "aprlGuid": "cabc1f98-c8a7-44f7-ab24-977982ef3f70",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Azure Cache for Redis allows for specifying maintenance windows. A maintenance window allows you to control the days and times of a week during which the VMs hosting your cache can be updated.\n",
+ "guid": "998d2fbe-eb71-41d6-aae4-f6ec3eeb8eef",
+ "learnMoreLink": [
+ {
+ "name": "Schedule Redis Updates",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-administration#update-channel-and-schedule-updates"
+ }
+ ],
+ "longDescription": "Azure Cache for Redis allows for specifying maintenance windows. A maintenance window allows you to control the days and times of a week during which the VMs hosting your cache can be updated.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Higher resilience and availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cache/redis",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cache/redis",
+ "severity": "Medium",
+ "source": "azure-resources/Cache/Redis/recommendations.yaml",
+ "tags": null,
+ "text": "Schedule updates by setting a maintenance window"
+ },
+ {
+ "aprlGuid": "c474fc96-4e6a-4fb0-95d0-a26b3f35933c",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Use private endpoints for secure connection to cache via a private link, avoiding the public internet.\n",
+ "guid": "2bcda5be-43f0-40c8-9cc5-252add4927c6",
+ "learnMoreLink": [
+ {
+ "name": "Configure private endpoints for Azure Redis Cache",
+ "url": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation"
+ }
+ ],
+ "longDescription": "Use private endpoints for secure connection to cache via a private link, avoiding the public internet.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Secure, private VNet ingress, efficient data transfer",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cache/redis",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cache/redis",
+ "severity": "Medium",
+ "source": "azure-resources/Cache/Redis/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Private Endpoints"
+ },
+ {
+ "aprlGuid": "9437634c-d69e-2747-b13e-631c13182150",
+ "automationAvailable": "arg",
+ "category": "Business Continuity",
+ "description": "For most solutions, choose either Azure Front Door for content caching, CDN, TLS termination, and WAF, or Traffic Manager for simple global load balancing.\n",
+ "guid": "52a258e4-52d1-45e6-b97a-0dd2010bacd1",
+ "learnMoreLink": [
+ {
+ "name": "Azure Load Balancing Options",
+ "url": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/load-balancing-overview"
+ },
+ {
+ "name": "Azure Traffic Manager",
+ "url": "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-overview"
+ },
+ {
+ "name": "Azure Front Door",
+ "url": "https://learn.microsoft.com/azure/frontdoor/front-door-overview"
+ },
+ {
+ "name": "Mission-critical global content delivery",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery"
+ }
+ ],
+ "longDescription": "For most solutions, choose either Azure Front Door for content caching, CDN, TLS termination, and WAF, or Traffic Manager for simple global load balancing.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimized network routing and security",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Business Continuity",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "High",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Avoid combining Traffic Manager and Front Door"
+ },
+ {
+ "aprlGuid": "6c40b7ae-2bea-5748-be1a-9e9e3b834649",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Front Door's features perform optimally when traffic exclusively comes through Front Door. It's advised to set up your origin to deny access to traffic that bypasses Front Door.\n",
+ "guid": "3f15e936-cd8d-4e92-94fe-f46da9e33bad",
+ "learnMoreLink": [
+ {
+ "name": "Secure traffic to Azure Front Door origins",
+ "url": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium"
+ }
+ ],
+ "longDescription": "Front Door's features perform optimally when traffic exclusively comes through Front Door. It's advised to set up your origin to deny access to traffic that bypasses Front Door.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances security and performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "High",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Restrict traffic to your origins"
+ },
+ {
+ "aprlGuid": "52bc9a7b-23c8-bc4c-9d2a-7bc43b50104a",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "When working with Azure Front Door through APIs, ARM templates, Bicep, or SDKs, using the latest API or SDK version is crucial. Updates bring new functions, important security patches, and bug fixes.\n",
+ "guid": "ffb8d6c4-e8d3-483f-a51e-72392fdba731",
+ "learnMoreLink": [
+ {
+ "name": "REST API Reference",
+ "url": "https://learn.microsoft.com/rest/api/frontdoor/"
+ },
+ {
+ "name": "Client library for Java",
+ "url": "https://learn.microsoft.com/java/api/overview/azure/resourcemanager-frontdoor-readme?view=azure-java-preview"
+ },
+ {
+ "name": "SDK for Python",
+ "url": "https://learn.microsoft.com/python/api/overview/azure/front-door?view=azure-python"
+ }
+ ],
+ "longDescription": "When working with Azure Front Door through APIs, ARM templates, Bicep, or SDKs, using the latest API or SDK version is crucial. Updates bring new functions, important security patches, and bug fixes.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and features",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": "e607041e-3194-42ad-9994-b6ea5ec12f5e",
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use the latest API version and SDK version"
+ },
+ {
+ "aprlGuid": "1ad74c3c-e3d7-0046-b83f-a2199974ef15",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Front Door logs offer comprehensive telemetry on each request, crucial for understanding your solution's performance and responses, especially when caching is enabled, as origin servers might not receive every request.\n",
+ "guid": "db5e8f82-a270-4e4b-a55a-ba40fcac4990",
+ "learnMoreLink": [
+ {
+ "name": "Monitor metrics and logs in Azure Front Door",
+ "url": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-standard-premium"
+ },
+ {
+ "name": "WAF logs",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium#waf-logs"
+ },
+ {
+ "name": "Configure Azure Front Door logs",
+ "url": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-logs"
+ }
+ ],
+ "longDescription": "Front Door logs offer comprehensive telemetry on each request, crucial for understanding your solution's performance and responses, especially when caching is enabled, as origin servers might not receive every request.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced insights and solution monitoring",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Configure logs"
+ },
+ {
+ "aprlGuid": "d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Front Door terminates TCP and TLS connections from clients and establishes new connections from each PoP to the origin. Securing these connections with TLS, even for Azure-hosted origins, ensures data is always encrypted during transit.\n",
+ "guid": "456993fa-41d1-4ef5-8661-91579eea1ac3",
+ "learnMoreLink": [
+ {
+ "name": "End-to-end TLS with Azure Front Door",
+ "url": "https://learn.microsoft.com/azure/frontdoor/end-to-end-tls?pivots=front-door-standard-premium"
+ }
+ ],
+ "longDescription": "Front Door terminates TCP and TLS connections from clients and establishes new connections from each PoP to the origin. Securing these connections with TLS, even for Azure-hosted origins, ensures data is always encrypted during transit.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures data encryption in transit",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "High",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use end-to-end TLS"
+ },
+ {
+ "aprlGuid": "24ab9f11-a3e4-3043-a985-22cf94c4933a",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Using HTTPS is ideal for secure connections. However, for compatibility with older clients, HTTP requests may be necessary. Azure Front Door enables auto redirection of HTTP to HTTPS, enhancing security without sacrificing accessibility.\n",
+ "guid": "18b4fe5a-8a35-4049-98d7-9ef026606f05",
+ "learnMoreLink": [
+ {
+ "name": "Create HTTP to HTTPS redirect rule",
+ "url": "https://learn.microsoft.com/azure/frontdoor/front-door-how-to-redirect-https#create-http-to-https-redirect-rule"
+ }
+ ],
+ "longDescription": "Using HTTPS is ideal for secure connections. However, for compatibility with older clients, HTTP requests may be necessary. Azure Front Door enables auto redirection of HTTP to HTTPS, enhancing security without sacrificing accessibility.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances security and compliance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "High",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use HTTP to HTTPS redirection"
+ },
+ {
+ "aprlGuid": "29d65c41-2fad-d142-95eb-9eab95f6c0a5",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "When Front Door manages your TLS certificates, it reduces your operational costs and helps you to avoid costly outages caused by forgetting to renew a certificate. Front Door automatically issues and rotates the managed TLS certificates.\n",
+ "guid": "24c55171-191a-49e8-92a1-f21a64008ecd",
+ "learnMoreLink": [
+ {
+ "name": "Configure HTTPS on an Azure Front Door custom domain using the Azure portal",
+ "url": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell"
+ }
+ ],
+ "longDescription": "When Front Door manages your TLS certificates, it reduces your operational costs and helps you to avoid costly outages caused by forgetting to renew a certificate. Front Door automatically issues and rotates the managed TLS certificates.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Lowers costs, avoids outages",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "High",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use managed TLS certificates"
+ },
+ {
+ "aprlGuid": "4638c2c0-03de-6d42-9e09-82ee4478cbf3",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "If you use your own TLS certificates, set the Key Vault certificate version to 'Latest' to avoid reconfiguring Azure Front Door for new certificate versions and waiting for deployment across Front Door's environments.\n",
+ "guid": "87cb66c7-f96e-45d4-a05d-a6d1868f5760",
+ "learnMoreLink": [
+ {
+ "name": "Select the certificate for Azure Front Door to deploy",
+ "url": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#select-the-certificate-for-azure-front-door-to-deploy"
+ }
+ ],
+ "longDescription": "If you use your own TLS certificates, set the Key Vault certificate version to 'Latest' to avoid reconfiguring Azure Front Door for new certificate versions and waiting for deployment across Front Door's environments.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Saves time and automates TLS updates",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": "2c057605-4707-4d3e-bbb0-a7fe9b6a626b",
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use latest version for customer-managed certificates"
+ },
+ {
+ "aprlGuid": "cd6a32af-747a-e649-82a7-a98f528ca842",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Front Door can rewrite Host headers for custom domain names routing to a single origin, useful for avoiding custom domain configuration at both Front Door and the origin.\n",
+ "guid": "22540876-5544-4945-abec-34fd02e98c18",
+ "learnMoreLink": [
+ {
+ "name": "Preserve the original HTTP host name between a reverse proxy and its back-end web application",
+ "url": "https://learn.microsoft.com/azure/architecture/best-practices/host-name-preservation"
+ }
+ ],
+ "longDescription": "Front Door can rewrite Host headers for custom domain names routing to a single origin, useful for avoiding custom domain configuration at both Front Door and the origin.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves session/auth handling",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use the same domain name on Front Door and your origin"
+ },
+ {
+ "aprlGuid": "1bd2b7e8-400f-e64a-99a2-c572f7b08a62",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "For internet-facing applications, enabling the Front Door web application firewall (WAF) and configuring it to use managed rules is recommended for protection against a wide range of attacks using Microsoft-managed rules.\n",
+ "guid": "834e30c0-dd58-46b8-be0b-2e8df6dbef7e",
+ "learnMoreLink": [
+ {
+ "name": "Web Application Firewall on Azure Front Door",
+ "url": "https://learn.microsoft.com/azure/frontdoor/web-application-firewall"
+ }
+ ],
+ "longDescription": "For internet-facing applications, enabling the Front Door web application firewall (WAF) and configuring it to use managed rules is recommended for protection against a wide range of attacks using Microsoft-managed rules.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances web app security",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Enable the WAF"
+ },
+ {
+ "aprlGuid": "38f3d542-6de6-a44b-86c6-97e3be690281",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Front Door health probes help detect unavailable or unhealthy origins, directing traffic to alternate origins if needed.\n",
+ "guid": "19cea52b-6474-4d60-b6d7-09cb060f923f",
+ "learnMoreLink": [
+ {
+ "name": "Health probes",
+ "url": "https://learn.microsoft.com/azure/frontdoor/health-probes"
+ }
+ ],
+ "longDescription": "Front Door health probes help detect unavailable or unhealthy origins, directing traffic to alternate origins if needed.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Reduces unnecessary origin traffic",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Low",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Disable health probes when there is only one origin in an origin group"
+ },
+ {
+ "aprlGuid": "5225bba3-28ec-1e43-8986-7eedfd466d65",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Consider selecting a webpage or location specifically designed for health monitoring as the endpoint for Azure Front Door's health probes. This should encompass the status of critical components like application servers, databases, and caches to serve production traffic efficiently.\n",
+ "guid": "eeb2bd11-1f50-479b-806f-286973ea7d95",
+ "learnMoreLink": [
+ {
+ "name": "Health Endpoint Monitoring pattern",
+ "url": "https://learn.microsoft.com/azure/architecture/patterns/health-endpoint-monitoring"
+ }
+ ],
+ "longDescription": "Consider selecting a webpage or location specifically designed for health monitoring as the endpoint for Azure Front Door's health probes. This should encompass the status of critical components like application servers, databases, and caches to serve production traffic efficiently.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves traffic routing and uptime",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Select good health probe endpoints"
+ },
+ {
+ "aprlGuid": "5783defe-b49e-d947-84f7-d8677593f324",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Health probes in Azure Front Door can use GET or HEAD HTTP methods. Using the HEAD method for health probes is a recommended practice because it reduces the traffic load on your origins, being less resource-intensive.\n",
+ "guid": "000ec5ed-30ff-41a1-902f-8f532e513ef7",
+ "learnMoreLink": [
+ {
+ "name": "Supported HTTP methods for health probes",
+ "url": "https://learn.microsoft.com/azure/frontdoor/health-probes#supported-http-methods-for-health-probes"
+ }
+ ],
+ "longDescription": "Health probes in Azure Front Door can use GET or HEAD HTTP methods. Using the HEAD method for health probes is a recommended practice because it reduces the traffic load on your origins, being less resource-intensive.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Reduces traffic load on origins",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use HEAD health probes"
+ },
+ {
+ "aprlGuid": "b515690d-3bf9-3a49-8d38-188e0fd45896",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Azure Front Door's geo-filtering through WAF enables defining custom access rules by country/region to restrict or allow web app access.\n",
+ "guid": "42366561-5e2c-46de-a529-2603b44f72cf",
+ "learnMoreLink": [
+ {
+ "name": "Geo filter WAF policy - GeoMatch",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-geo-filtering"
+ }
+ ],
+ "longDescription": "Azure Front Door's geo-filtering through WAF enables defining custom access rules by country/region to restrict or allow web app access.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced regional access control",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Use geo-filtering in Azure Front Door"
+ },
+ {
+ "aprlGuid": "1cfe7834-56ec-ff41-b11d-993734705dba",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Azure Private Link enables secure access to Azure PaaS and services over a private endpoint in your virtual network, ensuring traffic goes over the Microsoft backbone network, not the public internet.\n",
+ "guid": "0ed8c66e-ece7-47f8-83f7-d506bcdc443a",
+ "learnMoreLink": [
+ {
+ "name": "Private link for Azure Front Door",
+ "url": "https://learn.microsoft.com/azure/frontdoor/private-link"
+ }
+ ],
+ "longDescription": "Azure Private Link enables secure access to Azure PaaS and services over a private endpoint in your virtual network, ensuring traffic goes over the Microsoft backbone network, not the public internet.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and private connectivity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Cdn/profiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Cdn/profiles",
+ "severity": "Medium",
+ "source": "azure-resources/Cdn/profiles/recommendations.yaml",
+ "tags": null,
+ "text": "Secure your Origin with Private Link in Azure Front Door"
+ },
+ {
+ "aprlGuid": "b49a39fd-f431-4b61-9062-f2157849d845",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.\n",
+ "guid": "85e82b5a-c774-43c1-aa2f-d564cde68a3f",
+ "learnMoreLink": [
+ {
+ "name": "Compute Gallery best practices",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#best-practices"
+ }
+ ],
+ "longDescription": "Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances scalability and avoids throttling",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/galleries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/galleries",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/galleries/recommendations.yaml",
+ "tags": null,
+ "text": "A minimum of three replicas should be kept for production image versions"
+ },
+ {
+ "aprlGuid": "488dcc8b-f2e3-40ce-bf95-73deb2db095f",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Use ZRS for high availability when creating image/VM versions in Azure Compute Gallery, offering resilience against Availability Zone failures. ZRS accounts are advisable in regions with Availability Zones, with the choice of Standard_ZRS recommended over Standard_LRS for these regions.\n",
+ "guid": "0996a285-881a-4059-8fd9-a2fb3dcdf0ce",
+ "learnMoreLink": [
+ {
+ "name": "Compute Gallery best practices",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#best-practices"
+ },
+ {
+ "name": "Zone-redundant storage",
+ "url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy#zone-redundant-storage"
+ }
+ ],
+ "longDescription": "Use ZRS for high availability when creating image/VM versions in Azure Compute Gallery, offering resilience against Availability Zone failures. ZRS accounts are advisable in regions with Availability Zones, with the choice of Standard_ZRS recommended over Standard_LRS for these regions.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances image version availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/galleries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/galleries",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/galleries/recommendations.yaml",
+ "tags": null,
+ "text": "Zone redundant storage should be used for image versions"
+ },
+ {
+ "aprlGuid": "1c5e1e58-4e56-491c-8529-10f37af9d4ed",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "We recommend creating Trusted Launch Supported Images for benefits like Secure Boot, vTPM, trusted launch VMs, large boot volume. These are Gen 2 Images by default and you cannot change a VM's generation after creation, so review the considerations first.\n",
+ "guid": "02bc85d0-ddd3-40b6-a02c-64f37b4e7173",
+ "learnMoreLink": [
+ {
+ "name": "Compute Gallery best practices",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#best-practices"
+ },
+ {
+ "name": "Generation 1 vs Generation 2 in Hyper-V",
+ "url": "https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v"
+ },
+ {
+ "name": "Images in Compute gallery",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli"
+ }
+ ],
+ "longDescription": "We recommend creating Trusted Launch Supported Images for benefits like Secure Boot, vTPM, trusted launch VMs, large boot volume. These are Gen 2 Images by default and you cannot change a VM's generation after creation, so review the considerations first.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances VM security and features",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/galleries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/galleries",
+ "severity": "Low",
+ "source": "azure-resources/Compute/galleries/recommendations.yaml",
+ "tags": null,
+ "text": "Consider creating TrustedLaunchSupported images where possible"
+ },
+ {
+ "aprlGuid": "e7495e1c-0c75-0946-b266-b429b5c7f3bf",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Deploying even single instance VMs into a scale set with Flexible orchestration mode future-proofs applications for scaling and availability. This mode guarantees high availability (up to 1000 VMs) by distributing VMs across fault domains in a region or within an Availability Zone.\n",
+ "guid": "d4223696-c0c6-4e14-a89c-f9183bfd148e",
+ "learnMoreLink": [
+ {
+ "name": "When to use VMSS instead of VMs",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-design-overview#when-to-use-scale-sets-instead-of-virtual-machines"
+ },
+ {
+ "name": "Azure Well-Architected Framework review - Virtual Machines and Scale Sets",
+ "url": "https://learn.microsoft.com/azure/well-architected/services/compute/virtual-machines/virtual-machines-review"
+ }
+ ],
+ "longDescription": "Deploying even single instance VMs into a scale set with Flexible orchestration mode future-proofs applications for scaling and availability. This mode guarantees high availability (up to 1000 VMs) by distributing VMs across fault domains in a region or within an Availability Zone.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Higher scalability and availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy VMSS with Flex orchestration mode instead of Uniform"
+ },
+ {
+ "aprlGuid": "94794d2a-eff0-2345-9b67-6f9349d0a627",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Monitoring application health in Azure Virtual Machine Scale Sets is crucial for deployment management. It supports rolling upgrades such as automatic OS-image upgrades and VM guest patching, leveraging health monitoring for upgrading.\n",
+ "guid": "2b65f6ec-9515-41d4-9960-fed589282719",
+ "learnMoreLink": [
+ {
+ "name": "Using Application Health extension with Virtual Machine Scale Sets",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension?tabs=rest-api"
+ }
+ ],
+ "longDescription": "Monitoring application health in Azure Virtual Machine Scale Sets is crucial for deployment management. It supports rolling upgrades such as automatic OS-image upgrades and VM guest patching, leveraging health monitoring for upgrading.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances deployment management and upgrades",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": "3b587048-b04b-4f81-aaed-e43793652b0f",
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Azure Virtual Machine Scale Set Application Health Monitoring"
+ },
+ {
+ "aprlGuid": "820f4743-1f94-e946-ae0b-45efafd87962",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Enabling automatic instance repairs in Azure Virtual Machine Scale Sets enhances application availability through a continuous health check and maintenance process.\n",
+ "guid": "3122f70d-85af-4b3c-80c0-745abcb5ad1d",
+ "learnMoreLink": [
+ {
+ "name": "Automatic instance repairs for Azure Virtual Machine Scale Sets",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs#requirements-for-using-automatic-instance-repairs"
+ }
+ ],
+ "longDescription": "Enabling automatic instance repairs in Azure Virtual Machine Scale Sets enhances application availability through a continuous health check and maintenance process.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Boosts app availability by auto-repair",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": "b4d988a9-85e6-4179-b69c-549bdd8a55bb",
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets"
+ },
+ {
+ "aprlGuid": "ee66ff65-9aa3-2345-93c1-25827cf79f44",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Use custom autoscale for VMSS based on metrics and schedules to improve performance and cost effectiveness, adjusting instances as demand changes.\n",
+ "guid": "1cd93272-91fc-48e6-bd44-eb95184b2029",
+ "learnMoreLink": [
+ {
+ "name": "Get started with autoscale in Azure",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-get-started?WT.mc_id=Portal-Microsoft_Azure_Monitoring"
+ },
+ {
+ "name": "Overview of autoscale in Azure",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-overview"
+ }
+ ],
+ "longDescription": "Use custom autoscale for VMSS based on metrics and schedules to improve performance and cost effectiveness, adjusting instances as demand changes.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances performance and cost-efficiency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Configure VMSS Autoscale to custom and configure the scaling metrics"
+ },
+ {
+ "aprlGuid": "3f85a51c-e286-9f44-b4dc-51d00768696c",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Predictive autoscale utilizes machine learning to efficiently manage and scale Azure Virtual Machine Scale Sets by forecasting CPU load through historical usage analysis, ensuring timely scale-out to meet demand.\n",
+ "guid": "f96a902a-f308-4b68-96d2-702f34f44fe5",
+ "learnMoreLink": [
+ {
+ "name": "Use predictive autoscale to scale out before load demands in virtual machine scale sets",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-predictive"
+ }
+ ],
+ "longDescription": "Predictive autoscale utilizes machine learning to efficiently manage and scale Azure Virtual Machine Scale Sets by forecasting CPU load through historical usage analysis, ensuring timely scale-out to meet demand.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimizes scaling with ML predictions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Predictive autoscale and configure at least for Forecast Only"
+ },
+ {
+ "aprlGuid": "b5a63aa0-c58e-244f-b8a6-cbba0560a6db",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Microsoft advises disabling strictly even VM instance distribution across Availability Zones in VMSS to improve scalability and flexibility, noting that uneven distribution may better serve application load demands despite the potential trade-off in resilience.\n",
+ "guid": "dd01293c-e2b9-4888-9b49-f854fcaf82a7",
+ "learnMoreLink": [
+ {
+ "name": "Use scale-in policies with Azure Virtual Machine Scale Sets",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-scale-in-policy"
+ }
+ ],
+ "longDescription": "Microsoft advises disabling strictly even VM instance distribution across Availability Zones in VMSS to improve scalability and flexibility, noting that uneven distribution may better serve application load demands despite the potential trade-off in resilience.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves scaling, reduces fail attempts",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Disable Force strictly even balance across zones to avoid scale in and out fail attempts"
+ },
+ {
+ "aprlGuid": "1422c567-782c-7148-ac7c-5fc14cf45adc",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "When creating VMSS, implement availability zones as a protection measure for your applications and data against the rare event of datacenter failure.\n",
+ "guid": "a7a2cd0d-f262-4bb3-8249-4a383ca3b957",
+ "learnMoreLink": [
+ {
+ "name": "Create a Virtual Machine Scale Set that uses Availability Zones",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones"
+ },
+ {
+ "name": "Update scale set to add availability zones",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones?tabs=cli-1%2Cportal-2#update-scale-set-to-add-availability-zones"
+ }
+ ],
+ "longDescription": "When creating VMSS, implement availability zones as a protection measure for your applications and data against the rare event of datacenter failure.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances disaster resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy VMSS across availability zones with VMSS Flex"
+ },
+ {
+ "aprlGuid": "e4ffd7b0-ba24-c84e-9352-ba4819f908c0",
+ "automationAvailable": "arg",
+ "category": "Other Best Practices",
+ "description": "Enabling automatic VM guest patching eases update management by safely, automatically patching virtual machines to maintain security compliance, while limiting blast radius of VMs. Note, the KQL will not return sets using Uniform orchestration.\n",
+ "guid": "3d63fb12-143c-48a6-ae22-bfc58e8c8236",
+ "learnMoreLink": [
+ {
+ "name": "Automatic VM Guest Patching for Azure VMs",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching"
+ },
+ {
+ "name": "Auto OS Image Upgrades",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade"
+ }
+ ],
+ "longDescription": "Enabling automatic VM guest patching eases update management by safely, automatically patching virtual machines to maintain security compliance, while limiting blast radius of VMs. Note, the KQL will not return sets using Uniform orchestration.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Eases patch management, enhances security",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Set Patch orchestration options to Azure-orchestrated"
+ },
+ {
+ "aprlGuid": "83d61669-7bd6-9642-a305-175db8adcdf4",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Ensure current versions of images are in use to avoid disruption after image deprecation. Please review the publisher, offer, sku information of the VM to ensure you are running on a supported image. Enable Auto Guest Patching or Image Upgrades, to get notifications about image deprecation.\n",
+ "guid": "99aa58f6-da15-4610-a0b6-a1cf3551fe86",
+ "learnMoreLink": [
+ {
+ "name": "Deprecated Azure Marketplace images",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/deprecated-images"
+ }
+ ],
+ "longDescription": "Ensure current versions of images are in use to avoid disruption after image deprecation. Please review the publisher, offer, sku information of the VM to ensure you are running on a supported image. Enable Auto Guest Patching or Image Upgrades, to get notifications about image deprecation.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoid disruptions by updating VMSS images.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachineScaleSets",
+ "recommendationTypeId": "3b739bd1-c193-4bb6-a953-1362ee3b03b2",
+ "service": "Microsoft.Compute/virtualMachineScaleSets",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml",
+ "tags": null,
+ "text": "Upgrade VMSS Image versions scheduled to be deprecated or already retired"
+ },
+ {
+ "aprlGuid": "273f6b30-68e0-4241-85ea-acf15ffb60bf",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Production VM workloads should be deployed on multiple VMs and grouped in a VMSS Flex instance to intelligently distribute across the platform, minimizing the impact of platform faults and updates.\n",
+ "guid": "77c66d62-abd6-49af-a879-2d85c63620c3",
+ "learnMoreLink": [
+ {
+ "name": "What has changed with Flexible orchestration mode",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#what-has-changed-with-flexible-orchestration-mode"
+ },
+ {
+ "name": "Attach or detach a Virtual Machine to or from a Virtual Machine Scale Set",
+ "url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?branch=main&tabs=portal-1%2Cportal-2%2Cportal-3"
+ }
+ ],
+ "longDescription": "Production VM workloads should be deployed on multiple VMs and grouped in a VMSS Flex instance to intelligently distribute across the platform, minimizing the impact of platform faults and updates.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced fault/update resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Run production workloads on two or more VMs using VMSS Flex"
+ },
+ {
+ "aprlGuid": "2bd0be95-a825-6f47-a8c6-3db1fb5eb387",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure Availability Zones, within each Azure region, are tolerant to local failures, protecting applications and data against unlikely Datacenter failures by being physically separate.\n",
+ "guid": "ea77da1a-2350-4b50-8aef-e2ff4d25e079",
+ "learnMoreLink": [
+ {
+ "name": "Create virtual machines in an availability zone using the Azure portal",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/create-portal-availability-zone?tabs=standard"
+ }
+ ],
+ "longDescription": "Azure Availability Zones, within each Azure region, are tolerant to local failures, protecting applications and data against unlikely Datacenter failures by being physically separate.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced VM resilience to failures",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "066a047a-9ace-45f4-ac50-6325840a6b00",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy VMs across Availability Zones"
+ },
+ {
+ "aprlGuid": "a8d25876-7951-b646-b4e8-880c9031596b",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Availability sets will soon be retired. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.\n",
+ "guid": "9214470c-234f-42ce-8084-77bdccd2eade",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for Virtual Machines",
+ "url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#virtual-machines"
+ }
+ ],
+ "longDescription": "Availability sets will soon be retired. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances reliability and future-proofs VMs",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Migrate VMs using availability sets to VMSS Flex"
+ },
+ {
+ "aprlGuid": "cfe22a65-b1db-fd41-9e8e-d573922709ae",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Replicating Azure VMs via Site Recovery entails continuous, asynchronous disk replication to a target region. Recovery points are generated every few minutes, ensuring a Recovery Point Objective (RPO) in minutes.\n",
+ "guid": "a826ba06-1778-4cb6-aa87-4aa703fa0c72",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for Virtual Machines",
+ "url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#virtual-machines"
+ },
+ {
+ "name": "Run a test failover (disaster recovery drill) to Azure",
+ "url": "https://learn.microsoft.com/azure/site-recovery/site-recovery-test-failover-to-azure"
+ }
+ ],
+ "longDescription": "Replicating Azure VMs via Site Recovery entails continuous, asynchronous disk replication to a target region. Recovery points are generated every few minutes, ensuring a Recovery Point Objective (RPO) in minutes.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Minimize downtime in disasters",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "ed651749-cd37-4fd5-9897-01b416926745",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Replicate VMs using Azure Site Recovery"
+ },
+ {
+ "aprlGuid": "122d11d7-b91f-8747-a562-f56b79bcfbdc",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure is retiring unmanaged disks on September 30, 2025. Users should plan the migration to avoid disruptions and maintain service reliability.\n",
+ "guid": "dfc1a2ab-e97e-4d66-9eba-b544996d69da",
+ "learnMoreLink": [
+ {
+ "name": "Migrate your Azure unmanaged disks by Sep 30, 2025",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/unmanaged-disks-deprecation"
+ },
+ {
+ "name": "Migrate Windows VM from unmanaged disks to managed disks",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks"
+ },
+ {
+ "name": "Migrate Linux VM from unmanaged disks to managed disks",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/linux/convert-unmanaged-to-managed-disks"
+ }
+ ],
+ "longDescription": "Azure is retiring unmanaged disks on September 30, 2025. Users should plan the migration to avoid disruptions and maintain service reliability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoid retirement disruption, enhance reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "57ecb3cd-f2b4-4cad-8b3a-232cca527a0b",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Use Managed Disks for VM disks"
+ },
+ {
+ "aprlGuid": "4ea2878f-0d69-8d4a-b715-afc10d1e538e",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "A data disk is a managed disk attached to a virtual machine for storing database or other essential data. These disks are SCSI drives labeled as per choice.\n",
+ "guid": "4ef3c093-cc0a-4075-9d77-11a85541b626",
+ "learnMoreLink": [
+ {
+ "name": "Introduction to Azure managed disks - Data disks",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk"
+ },
+ {
+ "name": "Azure managed disk types",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disks-types"
+ }
+ ],
+ "longDescription": "A data disk is a managed disk attached to a virtual machine for storing database or other essential data. These disks are SCSI drives labeled as per choice.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances performance, recovery, migration flexibility",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Host database data on a data disk"
+ },
+ {
+ "aprlGuid": "1981f704-97b9-b645-9c57-33f8ded9261a",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Enable backups for your virtual machines with Azure Backup to secure and quickly recover your data. This service offers simple, secure, and cost-effective solutions for backing up and recovering data from the Microsoft Azure cloud.\n",
+ "guid": "8b9f64cc-678a-4710-b65d-6564ed685573",
+ "learnMoreLink": [
+ {
+ "name": "What is the Azure Backup service?",
+ "url": "https://learn.microsoft.com/azure/backup/backup-overview"
+ }
+ ],
+ "longDescription": "Enable backups for your virtual machines with Azure Backup to secure and quickly recover your data. This service offers simple, secure, and cost-effective solutions for backing up and recovering data from the Microsoft Azure cloud.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Secure data recovery and backup",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "651c7925-17a3-42e5-85cd-73bd095cf27f",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Backup VMs with Azure Backup service"
+ },
+ {
+ "aprlGuid": "98b334c0-8578-6046-9e43-b6e8fce6318e",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "Azure Virtual Machines (VM) instances have various states, like provisioning and power states. A non-running VM may indicate issues or it being unnecessary, suggesting removal could help cut costs.\n",
+ "guid": "ab2fdb27-8c5c-4534-870c-be397d704267",
+ "learnMoreLink": [
+ {
+ "name": "States and billing status of Azure Virtual Machines",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/states-billing?context=%2Ftroubleshoot%2Fazure%2Fvirtual-machines%2Fcontext%2Fcontext#power-states-and-billing"
+ }
+ ],
+ "longDescription": "Azure Virtual Machines (VM) instances have various states, like provisioning and power states. A non-running VM may indicate issues or it being unnecessary, suggesting removal could help cut costs.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Reduce costs by removing unused VMs",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Review VMs in stopped state"
+ },
+ {
+ "aprlGuid": "dfedbeb1-1519-fc47-86a5-52f96cf07105",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Accelerated networking enables SR-IOV to a VM, greatly improving its networking performance by bypassing the host from the data path, which reduces latency, jitter, and CPU utilization for demanding network workloads on supported VM types.\n",
+ "guid": "34f95c8c-d382-44c1-b87c-051ab7a132da",
+ "learnMoreLink": [
+ {
+ "name": "Accelerated Networking (AccelNet) overview",
+ "url": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
+ }
+ ],
+ "longDescription": "Accelerated networking enables SR-IOV to a VM, greatly improving its networking performance by bypassing the host from the data path, which reduces latency, jitter, and CPU utilization for demanding network workloads on supported VM types.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Reduces latency, jitter and CPU use",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "3a3c1a2a-8597-4d3a-981a-0a24a0ee9de4",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Accelerated Networking (AccelNet)"
+ },
+ {
+ "aprlGuid": "73d1bb04-7d3e-0d47-bc0d-63afe773b5fe",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "When Accelerated Networking is enabled, the default Azure VNet interface in GuestOS is swapped for a Mellanox, and its driver comes from a 3rd party. Marketplace images have the latest Mellanox drivers, but post-deployment, updating the driver is the user's responsibility.\n",
+ "guid": "4151f32c-b6b4-482d-989b-6a6362987442",
+ "learnMoreLink": [
+ {
+ "name": "Accelerated Networking (AccelNet) overview",
+ "url": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
+ }
+ ],
+ "longDescription": "When Accelerated Networking is enabled, the default Azure VNet interface in GuestOS is swapped for a Mellanox, and its driver comes from a 3rd party. Marketplace images have the latest Mellanox drivers, but post-deployment, updating the driver is the user's responsibility.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced VM network efficiency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "When AccelNet is enabled, you must manually update the GuestOS NIC driver"
+ },
+ {
+ "aprlGuid": "1f629a30-c9d0-d241-82ee-6f2eb9d42cb4",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "For outbound internet connectivity of Virtual Machines, using NAT Gateway or Azure Firewall is recommended to enhance security and service resilience, thanks to their higher availability and SNAT ports.\n",
+ "guid": "b54178af-5c1f-462b-baf5-8d7a905ca645",
+ "learnMoreLink": [
+ {
+ "name": "Use Source Network Address Translation (SNAT) for outbound connections",
+ "url": "https://learn.microsoft.com/azure/load-balancer/load-balancer-outbound-connections"
+ }
+ ],
+ "longDescription": "For outbound internet connectivity of Virtual Machines, using NAT Gateway or Azure Firewall is recommended to enhance security and service resilience, thanks to their higher availability and SNAT ports.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and service resiliency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "VMs should not have a Public IP directly associated"
+ },
+ {
+ "aprlGuid": "82b3cf6b-9ae2-2e44-b193-10793213f676",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Unless you have a specific reason, it's advised to associate a network security group to a subnet or a network interface, but not both, to avoid unexpected communication issues and troubleshooting due to potential rule conflicts between the two associations.\n",
+ "guid": "fc0e557f-9a51-4ec2-a6de-ee2f06365cc8",
+ "learnMoreLink": [
+ {
+ "name": "How network security groups filter network traffic",
+ "url": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic"
+ }
+ ],
+ "longDescription": "Unless you have a specific reason, it's advised to associate a network security group to a subnet or a network interface, but not both, to avoid unexpected communication issues and troubleshooting due to potential rule conflicts between the two associations.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Reduces communication problems",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "VM network interfaces and associated subnets both have a Network Security Group associated"
+ },
+ {
+ "aprlGuid": "41a22a5e-5e08-9647-92d0-2ffe9ef1bdad",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "IP forwarding allows a virtual machine network interface to receive and send network traffic not destined for or originating from its assigned IP addresses.\n",
+ "guid": "e4642cbb-a0dc-4cd2-875a-75f0f2d64c08",
+ "learnMoreLink": [
+ {
+ "name": "Enable or disable IP forwarding",
+ "url": "https://learn.microsoft.com/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#enable-or-disable-ip-forwarding"
+ }
+ ],
+ "longDescription": "IP forwarding allows a virtual machine network interface to receive and send network traffic not destined for or originating from its assigned IP addresses.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances network appliance function",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "c3b51c94-588b-426b-a892-24696f9e54cc",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "IP Forwarding should only be enabled for Network Virtual Appliances"
+ },
+ {
+ "aprlGuid": "1cf8fe21-9593-1e4e-966b-779a294c0d30",
+ "automationAvailable": "arg",
+ "category": "Other Best Practices",
+ "description": "Configure the DNS Server at the Virtual Network level to prevent any inconsistency across the environment.\n",
+ "guid": "65886095-244a-4626-b8ef-16e281d04471",
+ "learnMoreLink": [
+ {
+ "name": "Name resolution for resources in Azure virtual networks",
+ "url": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
+ }
+ ],
+ "longDescription": "Configure the DNS Server at the Virtual Network level to prevent any inconsistency across the environment.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures DNS consistency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Customer DNS Servers should be configured in the Virtual Network level"
+ },
+ {
+ "aprlGuid": "3263a64a-c256-de48-9818-afd3cbc55c2a",
+ "automationAvailable": "arg",
+ "category": "Other Best Practices",
+ "description": "Azure shared disks let you attach a disk to multiple VMs at once for deploying or migrating clustered applications, suitable only when a disk is shared among VM cluster members.\n",
+ "guid": "9040430d-69e3-4131-8c3a-355b1791776f",
+ "learnMoreLink": [
+ {
+ "name": "Azure Shared Disk Introduction",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disks-shared"
+ },
+ {
+ "name": "Enable Shared Disks",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disks-shared-enable?tabs=azure-portal"
+ }
+ ],
+ "longDescription": "Azure shared disks let you attach a disk to multiple VMs at once for deploying or migrating clustered applications, suitable only when a disk is shared among VM cluster members.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances clustered server performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Shared disks should only be enabled in clustered servers"
+ },
+ {
+ "aprlGuid": "70b1d2be-e6c4-b54e-9959-b1b690f9e485",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Recommended changing to \"Disable public access and enable private access\" and creating a Private Endpoint to improve security by restricting direct public access and ensuring connections are made privately, enhancing data protection and minimizing potential external threats.\n",
+ "guid": "1848ac93-cb2f-4397-8284-1101745ce819",
+ "learnMoreLink": [
+ {
+ "name": "Restrict import/export access for managed disks using Azure Private Link",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disks-enable-private-links-for-import-export-portal"
+ }
+ ],
+ "longDescription": "Recommended changing to \"Disable public access and enable private access\" and creating a Private Endpoint to improve security by restricting direct public access and ensuring connections are made privately, enhancing data protection and minimizing potential external threats.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances VM security and privacy",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Network access to the VM disk should be set to Disable public access and enable private access"
+ },
+ {
+ "aprlGuid": "c42343ae-2712-2843-a285-3437eb0b28a1",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "Keeping your virtual machine (VM) secure is crucial for the applications you run. This involves using various Azure services and features to ensure secure access to your VMs and the secure storage of your data, aiming for overall security of your VM and applications.\n",
+ "guid": "1ece2496-7a7c-4bec-8b79-7441a2db5673",
+ "learnMoreLink": [
+ {
+ "name": "Policy-driven governance",
+ "url": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-principles#policy-driven-governance"
+ },
+ {
+ "name": "Azure Policy Regulatory Compliance controls for Azure Virtual Machines",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/security-policy"
+ }
+ ],
+ "longDescription": "Keeping your virtual machine (VM) secure is crucial for the applications you run. This involves using various Azure services and features to ensure secure access to your VMs and the secure storage of your data, aiming for overall security of your VM and applications.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Secure VMs and applications",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure that your VMs are compliant with Azure Policies"
+ },
+ {
+ "aprlGuid": "f0a97179-133a-6e4f-8a49-8a44da73ffce",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Consider enabling Azure Disk Encryption (ADE) for encrypting Azure VM disks using DM-Crypt (Linux) or BitLocker (Windows). Additionally, consider Encryption at host and Confidential disk encryption for enhanced data security.\n",
+ "guid": "425464f8-8468-4b85-8bd7-698827f930b6",
+ "learnMoreLink": [
+ {
+ "name": "Overview of managed disk encryption options",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview"
+ }
+ ],
+ "longDescription": "Consider enabling Azure Disk Encryption (ADE) for encrypting Azure VM disks using DM-Crypt (Linux) or BitLocker (Windows). Additionally, consider Encryption at host and Confidential disk encryption for enhanced data security.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances data security and integrity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "a40cc620-e72c-fdf4-c554-c6ca2cd705c0",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled"
+ },
+ {
+ "aprlGuid": "b72214bb-e879-5f4b-b9cd-642db84f36f4",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "VM Insights monitors VM and scale set performance, health, running processes, and dependencies. It enhances the predictability of application performance and availability by pinpointing performance bottlenecks and network issues, and it clarifies if problems are related to other dependencies.\n",
+ "guid": "cc88b623-0ef0-496d-9398-90a0dbb51cdd",
+ "learnMoreLink": [
+ {
+ "name": "Overview of VM insights",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-overview"
+ },
+ {
+ "name": "Did the extension install properly?",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-troubleshoot#did-the-extension-install-properly"
+ }
+ ],
+ "longDescription": "VM Insights monitors VM and scale set performance, health, running processes, and dependencies. It enhances the predictability of application performance and availability by pinpointing performance bottlenecks and network issues, and it clarifies if problems are related to other dependencies.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves VM performance and health",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Enable VM Insights"
+ },
+ {
+ "aprlGuid": "4a9d8973-6dba-0042-b3aa-07924877ebd5",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.\n",
+ "guid": "b45c1cd3-6ba8-48d4-8d44-e5229a208154",
+ "learnMoreLink": [
+ {
+ "name": "Azure Monitor Agent overview",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview"
+ }
+ ],
+ "longDescription": "Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced diagnostics and auditing capability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Low",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Configure monitoring for all Azure Virtual Machines"
+ },
+ {
+ "aprlGuid": "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "The maintenance configuration settings let users schedule and manage updates, making sure the updates or interruptions on the VM are performed within a planned timeframe.\n",
+ "guid": "7a1a080e-f15f-4652-84bd-57d6ffb2f5c5",
+ "learnMoreLink": [
+ {
+ "name": "Use maintenance configurations to control and manage the VM updates",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/maintenance-configurations"
+ }
+ ],
+ "longDescription": "The maintenance configuration settings let users schedule and manage updates, making sure the updates or interruptions on the VM are performed within a planned timeframe.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Scheduled updates for VMs",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Use maintenance configurations for the VMs"
+ },
+ {
+ "aprlGuid": "3201dba8-d1da-4826-98a4-104066545170",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "A-series VMs are tailored for entry-level workloads like development and testing, including use cases such as development and test servers, low traffic web servers, and small to medium databases.\n",
+ "guid": "dc5ac969-91a2-4b0a-bdcc-796f04a26abb",
+ "learnMoreLink": [
+ {
+ "name": "B-series burstable virtual machine sizes",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/sizes-b-series-burstable"
+ }
+ ],
+ "longDescription": "A-series VMs are tailored for entry-level workloads like development and testing, including use cases such as development and test servers, low traffic web servers, and small to medium databases.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures full CPU usage for heavy tasks",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Don't use A or B-Series VMs for production needing constant full CPU performance"
+ },
+ {
+ "aprlGuid": "df0ff862-814d-45a3-95e4-4fad5a244ba6",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Compared to Standard HDD and SSD, Premium SSD, SSDv2, and Ultra SSDs offer improved performance, configurability, and higher single-instance Virtual Machine uptime SLAs. The lowest SLA of all disks on a Virtual Machine applies, so it is best to use Premium or Ultra Disks for the highest uptime SLA.\n",
+ "guid": "22632e52-8260-47c1-b5a4-ec8815bbef50",
+ "learnMoreLink": [
+ {
+ "name": "Disk type comparison and decision tree",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
+ }
+ ],
+ "longDescription": "Compared to Standard HDD and SSD, Premium SSD, SSDv2, and Ultra SSDs offer improved performance, configurability, and higher single-instance Virtual Machine uptime SLAs. The lowest SLA of all disks on a Virtual Machine applies, so it is best to use Premium or Ultra Disks for the highest uptime SLA.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced performance, cost efficiency, and uptime SLA",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "58d6648d-32e8-4346-827c-4f288dd8ca24",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "High",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Mission Critical Workloads should consider using Premium or Ultra Disks"
+ },
+ {
+ "aprlGuid": "9ab499d8-8844-424d-a2d4-8f53690eb8f8",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "If the workload is Maintenance sensitive, consider Azure Boost compatible VMs. Azure Boost is designed to lessen the impact on customers when Azure maintenance activities occur on the host, and the current list of compatible VM sizes are documented in the first link below.\n",
+ "guid": "5b6df6b2-e5a9-4dcb-92bf-2513de1db415",
+ "learnMoreLink": [
+ {
+ "name": "Microsoft Azure Boost",
+ "url": "https://learn.microsoft.com/azure/azure-boost/overview"
+ },
+ {
+ "name": "Announcing the general availability of Azure Boost",
+ "url": "https://aka.ms/AzureBoostGABlog"
+ }
+ ],
+ "longDescription": "If the workload is Maintenance sensitive, consider Azure Boost compatible VMs. Azure Boost is designed to lessen the impact on customers when Azure maintenance activities occur on the host, and the current list of compatible VM sizes are documented in the first link below.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Less maintenance impact",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Use Azure Boost VMs for Maintenance sensitive workload"
+ },
+ {
+ "aprlGuid": "2de8fa5e-14f4-4c4c-857f-1520f87a629f",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "If your workload is Maintenance sensitive, enable Scheduled Events. This Azure Metadata Service lets your app prepare for virtual machine maintenance by providing information on upcoming events like reboots, reducing disruptions.\n",
+ "guid": "46785ee5-acb8-4392-a1f9-dd1726b8de1e",
+ "learnMoreLink": [
+ {
+ "name": "Monitor scheduled events for your Azure VMs",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-event-service"
+ },
+ {
+ "name": "Azure Metadata Service Scheduled Events for Linux VMs",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/linux/scheduled-events"
+ },
+ {
+ "name": "Azure Metadata Service Scheduled Events for Windows VMs",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events"
+ }
+ ],
+ "longDescription": "If your workload is Maintenance sensitive, enable Scheduled Events. This Azure Metadata Service lets your app prepare for virtual machine maintenance by providing information on upcoming events like reboots, reducing disruptions.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Minimize downtime for VMs",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Scheduled Events for Maintenance sensitive workload VMs"
+ },
+ {
+ "aprlGuid": "fa0cf4f5-0b21-47b7-89a9-ee936f193ce1",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure disks offers a zone-redundant storage (ZRS) option for workloads that need to be resilient to an entire zone being down. Due to the cross-zone data replication, ZRS disks have higher write latency when compared to the locally-redundant option (LRS), so make sure to benchmark your disks.\n",
+ "guid": "d6c738f1-f0e3-4d7a-93fb-a77b3eb8ca76",
+ "learnMoreLink": [
+ {
+ "name": "Redundancy options for managed disks",
+ "url": "https://aka.ms/zrsdisksdoc"
+ }
+ ],
+ "longDescription": "Azure disks offers a zone-redundant storage (ZRS) option for workloads that need to be resilient to an entire zone being down. Due to the cross-zone data replication, ZRS disks have higher write latency when compared to the locally-redundant option (LRS), so make sure to benchmark your disks.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced Disk resilience to failures",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": "d4102c0f-ebe3-4b22-8fe0-e488866a87af",
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/Compute/virtualMachines/recommendations.yaml",
+ "tags": null,
+ "text": "Use Azure Disks with Zone Redundant Storage for higher resiliency and availability"
+ },
+ {
+ "aprlGuid": "eb005943-40a8-194b-9db2-474d430046b7",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Choose a service tier of Azure Container Registry to meet your performance needs. Premium offers the most bandwidth and highest rate of read and write operations for high-volume deployments. Use Basic to start, Standard for production, and Premium for hyper-scale performance and geo-replication.\n",
+ "guid": "49d81a32-f0a7-4e92-8d95-e665b72f3b01",
+ "learnMoreLink": [
+ {
+ "name": "Container Registry Best Practices",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices"
+ }
+ ],
+ "longDescription": "Choose a service tier of Azure Container Registry to meet your performance needs. Premium offers the most bandwidth and highest rate of read and write operations for high-volume deployments. Use Basic to start, Standard for production, and Premium for hyper-scale performance and geo-replication.\n",
+ "pgVerified": false,
+ "potentialBenefits": "High-volume support and geo-replication",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "High",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Use Premium tier for critical production workloads"
+ },
+ {
+ "aprlGuid": "63491f70-22e4-3b4a-8b0c-845450e46fac",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.\n",
+ "guid": "9b3464ee-3d84-4e9a-91ba-75c088e18a37",
+ "learnMoreLink": [
+ {
+ "name": "Registry best practices - Enable zone redundancy",
+ "url": "https://review.learn.microsoft.com/en-us/azure/container-registry/zone-redundancy?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json&branch=main"
+ }
+ ],
+ "longDescription": "Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances resiliency and high availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "High",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Enable zone redundancy"
+ },
+ {
+ "aprlGuid": "36ea6c09-ef6e-d743-9cfb-bd0c928a430b",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Use Azure Container Registry's geo-replication for multi-region deployments to simplify registry management and minimize latency. It enables serving global customers from local data centers and supports distributed development teams. Regional webhooks can notify of events in replicas.\n",
+ "guid": "6f5ce438-0dcf-427b-a445-5d66e475d4b4",
+ "learnMoreLink": [
+ {
+ "name": "Registry best practices - Enable geo-replication",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#geo-replicate-multi-region-deployments"
+ },
+ {
+ "name": "Geo-Replicate Container Registry",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-geo-replication"
+ }
+ ],
+ "longDescription": "Use Azure Container Registry's geo-replication for multi-region deployments to simplify registry management and minimize latency. It enables serving global customers from local data centers and supports distributed development teams. Regional webhooks can notify of events in replicas.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Simplifies management, reduces latency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "High",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Enable geo-replication"
+ },
+ {
+ "aprlGuid": "a5a0101a-a240-8742-90ba-81dbde9a0c0c",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Using repository namespaces allows a single registry to be shared across multiple groups and deployments within an organization, supporting nested namespaces for group isolation. However, repositories are managed independently, not hierarchically.\n",
+ "guid": "d475df44-ae22-4030-9afa-6d9ecd30555a",
+ "learnMoreLink": [
+ {
+ "name": "Registry best practices - use repository namespaces",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#repository-namespaces"
+ }
+ ],
+ "longDescription": "Using repository namespaces allows a single registry to be shared across multiple groups and deployments within an organization, supporting nested namespaces for group isolation. However, repositories are managed independently, not hierarchically.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enables sharing and group isolation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "Low",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Use Repository namespaces"
+ },
+ {
+ "aprlGuid": "8e389532-5db5-7e4c-9d4d-443b3e55ae82",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "Container registries, used across multiple hosts, should be in their own resource group to prevent accidental deletion of images when container instances are deleted, preserving the image collection while experimenting with hosts.\n",
+ "guid": "a30e13eb-9c77-4cc9-8a23-400c49c82d4e",
+ "learnMoreLink": [
+ {
+ "name": "Registry best practices - Use dedicated resource group",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#dedicated-resource-group"
+ }
+ ],
+ "longDescription": "Container registries, used across multiple hosts, should be in their own resource group to prevent accidental deletion of images when container instances are deleted, preserving the image collection while experimenting with hosts.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Safeguards image collection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "Low",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Move Container Registry to a dedicated resource group"
+ },
+ {
+ "aprlGuid": "3ef86f16-f65b-c645-9901-7830d6dc3a1b",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "The storage constraints of Azure Container Registry's service tiers align with usage scenarios: Basic for starters, Standard for production, and Premium for high-scale performance and geo-replication.\n",
+ "guid": "1241991c-7773-4011-8d37-2f236b2cd455",
+ "learnMoreLink": [
+ {
+ "name": "Registry best practices - Manage registry size",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#manage-registry-size"
+ },
+ {
+ "name": "Retention Policy",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-retention-policy#about-the-retention-policy"
+ }
+ ],
+ "longDescription": "The storage constraints of Azure Container Registry's service tiers align with usage scenarios: Basic for starters, Standard for production, and Premium for high-scale performance and geo-replication.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Reduce costs, optimize storage",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Manage registry size"
+ },
+ {
+ "aprlGuid": "03f4a7d8-c5b4-7842-8e6e-14997a34842b",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "By default, Azure container registry requires authentication for pull/push actions. Enabling anonymous pull access exposes all content for public read actions. This applies to all repositories, potentially allowing unrestricted access if repository-scoped tokens are used.\n",
+ "guid": "4fc2aa30-3887-4351-a4e6-26bdd1de44ce",
+ "learnMoreLink": [
+ {
+ "name": "Enable anonymous pull access",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/anonymous-pull-access#about-anonymous-pull-access"
+ }
+ ],
+ "longDescription": "By default, Azure container registry requires authentication for pull/push actions. Enabling anonymous pull access exposes all content for public read actions. This applies to all repositories, potentially allowing unrestricted access if repository-scoped tokens are used.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced security and controlled access",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Disable anonymous pull access"
+ },
+ {
+ "aprlGuid": "44107155-7a32-9348-89f3-d5aa7e7c5a1d",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.\n",
+ "guid": "e2dba237-7e47-45bc-bd38-501595371099",
+ "learnMoreLink": [
+ {
+ "name": "Monitoring Azure Container Registry data reference - Resource Logs",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service-reference#resource-logs"
+ },
+ {
+ "name": "Monitor Azure Container Registry - Enable diagnostic logs",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service#collection-and-routing"
+ }
+ ],
+ "longDescription": "Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced tracking and debugging",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Diagnostic Settings for all Azure Container Registries"
+ },
+ {
+ "aprlGuid": "d594cde6-4116-d143-a64a-25f63289a2f8",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Monitoring Azure resources using Azure Monitor enhances their availability, performance, and operation. Azure Container Registry, a full-stack monitoring service, provides features for Azure and other cloud and on-premises resources.\n",
+ "guid": "9df44bc1-f9c1-4e54-bfca-d06516823cba",
+ "learnMoreLink": [
+ {
+ "name": "Monitoring Azure Container Registry data reference",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service-reference#metrics"
+ },
+ {
+ "name": "Monitor Azure Container Registry",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service"
+ }
+ ],
+ "longDescription": "Monitoring Azure resources using Azure Monitor enhances their availability, performance, and operation. Azure Container Registry, a full-stack monitoring service, provides features for Azure and other cloud and on-premises resources.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced monitoring and operation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Azure Container Registry with Azure Monitor"
+ },
+ {
+ "aprlGuid": "e7f0fd54-fba0-054e-9ab8-e676f2851f88",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Enabling soft delete in Azure Container Registry (ACR) allows for the management of deleted artifacts with a specified retention period. Users can list, filter, and restore these artifacts until automatically purged post-retention.\n",
+ "guid": "23dfc056-b592-4a02-ad89-134ccd682443",
+ "learnMoreLink": [
+ {
+ "name": "Enable soft delete policy",
+ "url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-soft-delete-policy"
+ }
+ ],
+ "longDescription": "Enabling soft delete in Azure Container Registry (ACR) allows for the management of deleted artifacts with a specified retention period. Users can list, filter, and restore these artifacts until automatically purged post-retention.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Recovery of deleted artifacts",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerRegistry/registries",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerRegistry/registries",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerRegistry/registries/recommendations.yaml",
+ "tags": null,
+ "text": "Enable soft delete policy"
+ },
+ {
+ "aprlGuid": "4f63619f-5001-439c-bacb-8de891287727",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure Availability Zones ensure high availability by offering independent locations within regions, equipped with their own power, cooling, and networking to ensure applications and data are protected from datacenter-level failures.\n",
+ "guid": "32125f70-afc4-4495-bb94-630c1ee790fe",
+ "learnMoreLink": [
+ {
+ "name": "AKS Availability Zones",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/availability-zones"
+ },
+ {
+ "name": "Zone Balancing",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones#zone-balancing"
+ }
+ ],
+ "longDescription": "Azure Availability Zones ensure high availability by offering independent locations within regions, equipped with their own power, cooling, and networking to ensure applications and data are protected from datacenter-level failures.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced fault tolerance for AKS",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy AKS cluster across availability zones"
+ },
+ {
+ "aprlGuid": "5ee083cd-6ac3-4a83-8913-9549dd36cf56",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "AKS assigns the kubernetes.azure.com/mode: system label to nodes in system node pools signaling the preference for system pods should be scheduled there. The CriticalAddonsOnly=true:NoSchedule taint can be added to your system nodes to prohibit application pods from being scheduled on them.\n",
+ "guid": "fb4a38e8-e25b-4864-ae73-b11c62c211b7",
+ "learnMoreLink": [
+ {
+ "name": "System and user node pools",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools"
+ }
+ ],
+ "longDescription": "AKS assigns the kubernetes.azure.com/mode: system label to nodes in system node pools signaling the preference for system pods should be scheduled there. The CriticalAddonsOnly=true:NoSchedule taint can be added to your system nodes to prohibit application pods from being scheduled on them.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced reliability via pod isolation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Isolate system and application pods"
+ },
+ {
+ "aprlGuid": "ca324d71-54b0-4a3e-b9e4-10e767daa9fc",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Local Kubernetes accounts in AKS, being non-auditable and legacy, are discouraged. Microsoft Entra's integration offers centralized management, multi-factor authentication, RBAC for detailed access, and a secure, scalable authentication system compatible with Azure and external identity providers.\n",
+ "guid": "845c113d-7e20-4f81-bdce-e2d818c06130",
+ "learnMoreLink": [
+ {
+ "name": "Entra integration",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/concepts-identity#azure-ad-integration"
+ },
+ {
+ "name": "Use Azure role-based access control for AKS",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac?source=recommendations"
+ },
+ {
+ "name": "Manage AKS local accounts",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/manage-local-accounts-managed-azure-ad?source=recommendations"
+ }
+ ],
+ "longDescription": "Local Kubernetes accounts in AKS, being non-auditable and legacy, are discouraged. Microsoft Entra's integration offers centralized management, multi-factor authentication, RBAC for detailed access, and a secure, scalable authentication system compatible with Azure and external identity providers.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced security and access control",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Disable local accounts"
+ },
+ {
+ "aprlGuid": "c22db132-399b-4e7c-995d-577a60881be8",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Azure CNI enhances cluster IP and network management, allowing dynamic IP allocation, scalable subnets, direct pod-VNET connectivity, and supports diverse network policies for pods and nodes with Azure Network Policies and Calico, optimizing network efficiency and security\n",
+ "guid": "fc5dc8fd-6bdc-4d07-9e18-cc8914d6be36",
+ "learnMoreLink": [
+ {
+ "name": "Configure Azure CNI networking",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni-dynamic-ip-allocation"
+ },
+ {
+ "name": "Configure Azure CNI Overlay networking",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay"
+ }
+ ],
+ "longDescription": "Azure CNI enhances cluster IP and network management, allowing dynamic IP allocation, scalable subnets, direct pod-VNET connectivity, and supports diverse network policies for pods and nodes with Azure Network Policies and Calico, optimizing network efficiency and security\n",
+ "pgVerified": false,
+ "potentialBenefits": "Dynamic IP allocation, scalable subnets, direct VNET access",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Azure CNI networking for dynamic allocation of IPs"
+ },
+ {
+ "aprlGuid": "902c82ff-4910-4b61-942d-0d6ef7f39b67",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "The cluster auto-scaler in AKS adjusts node counts based on pod resource needs and available capacity, enabling scaling as per demand to prevent outages.\n",
+ "guid": "377564e8-ed7f-41c1-b76f-0a4e05138d05",
+ "learnMoreLink": [
+ {
+ "name": "Use the Cluster Autoscaler on AKS",
+ "url": "https://learn.microsoft.com/azure/aks/cluster-autoscaler?tabs=azure-cli"
+ },
+ {
+ "name": "Best practices for advanced scheduler features",
+ "url": "https://learn.microsoft.com/azure/aks/operator-best-practices-advanced-scheduler"
+ },
+ {
+ "name": "Node pool scaling considerations and best practices",
+ "url": "https://learn.microsoft.com/azure/aks/best-practices-performance-scale-large#node-pool-scaling"
+ },
+ {
+ "name": "Best practices for basic scheduler features",
+ "url": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler"
+ }
+ ],
+ "longDescription": "The cluster auto-scaler in AKS adjusts node counts based on pod resource needs and available capacity, enabling scaling as per demand to prevent outages.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimizes scaling and prevents outages",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Enable the cluster auto-scaler on an existing cluster"
+ },
+ {
+ "aprlGuid": "269a9f1a-6675-460a-831e-b05a887a8c4b",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "AKS, popular for stateful apps needing backups, can now use Azure Backup to secure clusters and attached volumes through an installed Backup Extension, enabling backup and restore operations via a Backup Vault.\n",
+ "guid": "02084fe3-362c-4766-b441-77a4b64f00e7",
+ "learnMoreLink": [
+ {
+ "name": "AKS Backups",
+ "url": "https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup"
+ },
+ {
+ "name": "Best Practices for AKS Backups",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-storage"
+ }
+ ],
+ "longDescription": "AKS, popular for stateful apps needing backups, can now use Azure Backup to secure clusters and attached volumes through an installed Backup Extension, enabling backup and restore operations via a Backup Vault.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures data safety for AKS",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Low",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Back up Azure Kubernetes Service"
+ },
+ {
+ "aprlGuid": "d3111036-355d-431b-ab49-8ddad042800b",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "ZRS ensures data replication across three zones, protecting against zonal outages. It's available for Azure Disks, Container Storage, Files, and Blob by setting the SKU to ZRS in storage classes, enhancing multi-zone AKS clusters from v1.29.\n",
+ "guid": "6260b0d2-533e-4058-82f2-cff2f02c8681",
+ "learnMoreLink": [
+ {
+ "name": "Availability zones overview",
+ "url": "https://learn.microsoft.com/azure/reliability/availability-zones-overview?tabs=azure-cli"
+ },
+ {
+ "name": "Zone-redundant storage",
+ "url": "https://learn.microsoft.com/azure/storage/common/storage-redundancy#zone-redundant-storage"
+ },
+ {
+ "name": "ZRS disks",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disks-redundancy#zone-redundant-storage-for-managed-disks"
+ },
+ {
+ "name": "Convert a disk from LRS to ZRS",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disks-migrate-lrs-zrs"
+ },
+ {
+ "name": "Enable multi-zone storage redundancy in Azure Container Storage",
+ "url": "https://learn.microsoft.com/azure/storage/container-storage/enable-multi-zone-redundancy"
+ }
+ ],
+ "longDescription": "ZRS ensures data replication across three zones, protecting against zonal outages. It's available for Azure Disks, Container Storage, Files, and Blob by setting the SKU to ZRS in storage classes, enhancing multi-zone AKS clusters from v1.29.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Increases data durability and availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Use zone-redundant storage for persistent volumes when running multi-zone AKS"
+ },
+ {
+ "aprlGuid": "b002c030-72e6-4a37-8217-1cb276c43169",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "From Kubernetes 1.26, Azure Disk and Azure File in-tree drivers are deprecated in favor of CSI drivers. Existing deployments remain operational but untested; users should switch to CSI drivers for new features and SKUs.\n",
+ "guid": "c7bab089-7fbb-4f05-842a-75bbfb68f029",
+ "learnMoreLink": [
+ {
+ "name": "CSI Storage Drivers",
+ "url": "https://learn.microsoft.com/azure/aks/csi-storage-drivers"
+ },
+ {
+ "name": "CSI Migrate in Tree Volumes",
+ "url": "https://learn.microsoft.com/azure/aks/csi-migrate-in-tree-volumes"
+ }
+ ],
+ "longDescription": "From Kubernetes 1.26, Azure Disk and Azure File in-tree drivers are deprecated in favor of CSI drivers. Existing deployments remain operational but untested; users should switch to CSI drivers for new features and SKUs.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures future compatibility",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Upgrade Persistent Volumes using in-tree drivers to Azure CSI drivers"
+ },
+ {
+ "aprlGuid": "9a1c17e5-c9a0-43db-b920-adaf54d1bcb7",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "A ResourceQuota object sets limits on resource use per namespace, controlling the number and type of objects created, and the total compute resources available.\n",
+ "guid": "dfb8b4f0-c741-431e-979d-c329898526bc",
+ "learnMoreLink": [
+ {
+ "name": "Resource Quotas",
+ "url": "https://kubernetes.io/docs/concepts/policy/resource-quotas/"
+ }
+ ],
+ "longDescription": "A ResourceQuota object sets limits on resource use per namespace, controlling the number and type of objects created, and the total compute resources available.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Limits AKS resource usage per namespace",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Low",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Implement Resource Quota to ensure that Kubernetes resources do not exceed hard resource limits"
+ },
+ {
+ "aprlGuid": "b4639ca7-6308-429a-8b98-92f0bf9bf813",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "To rapidly scale AKS workloads, utilize virtual nodes for quick pod provisioning, unlike Kubernetes auto-scaler. For clusters with availability zones, ensure one nodepool per AZ due to persistent volumes not working across AZs, preventing auto-scaler pod creation failures if lacking access.\n",
+ "guid": "565157ec-c323-4cb8-8ff8-84ed4a2f039a",
+ "learnMoreLink": [
+ {
+ "name": "Virtual Nodes",
+ "url": "https://learn.microsoft.com/azure/aks/virtual-nodes"
+ },
+ {
+ "name": "Azure Container Instances",
+ "url": "https://learn.microsoft.com/azure/container-instances/container-instances-overview"
+ }
+ ],
+ "longDescription": "To rapidly scale AKS workloads, utilize virtual nodes for quick pod provisioning, unlike Kubernetes auto-scaler. For clusters with availability zones, ensure one nodepool per AZ due to persistent volumes not working across AZs, preventing auto-scaler pod creation failures if lacking access.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Faster scaling with virtual nodes",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Low",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Attach Virtual Nodes (ACI) to the AKS cluster"
+ },
+ {
+ "aprlGuid": "0611251f-e70f-4243-8ddd-cfe894bec2e7",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Production AKS clusters require the Standard tier for a financially backed SLA and enhanced node scalability, as the free service lacks these features.\n",
+ "guid": "0cec56bd-052a-434e-98e0-a648f12950b4",
+ "learnMoreLink": [
+ {
+ "name": "Pricing Tiers",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers"
+ },
+ {
+ "name": "AKS Baseline Architecture",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Faks%2Ftoc.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fbread%2Ftoc.json#kubernetes-api-server-sla"
+ }
+ ],
+ "longDescription": "Production AKS clusters require the Standard tier for a financially backed SLA and enhanced node scalability, as the free service lacks these features.\n",
+ "pgVerified": true,
+ "potentialBenefits": "SLA guarantee and better scalability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Update AKS tier to Standard"
+ },
+ {
+ "aprlGuid": "dcaf8128-94bd-4d53-9235-3a0371df6b74",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Azure Monitor enables real-time health and performance insights for AKS by collecting events, capturing container logs, and gathering CPU/Memory data from the Metrics API. It allows data visualization using Azure Monitor Container Insights, Prometheus, Grafana, or others.\n",
+ "guid": "7e17751e-3308-48ba-9804-0fd66958d745",
+ "learnMoreLink": [
+ {
+ "name": "Monitor AKS",
+ "url": "https://learn.microsoft.com/azure/aks/monitor-aks"
+ }
+ ],
+ "longDescription": "Azure Monitor enables real-time health and performance insights for AKS by collecting events, capturing container logs, and gathering CPU/Memory data from the Metrics API. It allows data visualization using Azure Monitor Container Insights, Prometheus, Grafana, or others.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Real-time AKS health/performance insights",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Enable AKS Monitoring"
+ },
+ {
+ "aprlGuid": "a7bfcc18-b0d8-4d37-81f3-8131ed8bead5",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Ephemeral OS disks on AKS offer lower read/write latency due to local attachment, eliminating the need for replication seen with managed disks. This enhances performance and speeds up cluster operations such as scaling or upgrading due to quicker re-imaging and boot times.\n",
+ "guid": "f88fe1f6-9448-4e9a-90e6-bae483a57047",
+ "learnMoreLink": [
+ {
+ "name": "Ephemeral OS disk",
+ "url": "https://learn.microsoft.com/azure/aks/concepts-storage#ephemeral-os-disk"
+ },
+ {
+ "name": "Configure an AKS cluster",
+ "url": "https://learn.microsoft.com/azure/aks/cluster-configuration"
+ },
+ {
+ "name": "Everything you want to know about ephemeral OS disks and AKS",
+ "url": "https://learn.microsoft.com/samples/azure-samples/aks-ephemeral-os-disk/aks-ephemeral-os-disk/"
+ }
+ ],
+ "longDescription": "Ephemeral OS disks on AKS offer lower read/write latency due to local attachment, eliminating the need for replication seen with managed disks. This enhances performance and speeds up cluster operations such as scaling or upgrading due to quicker re-imaging and boot times.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Lower latency, faster re-imaging and booting",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Use Ephemeral OS disks on AKS clusters"
+ },
+ {
+ "aprlGuid": "26ebaf1f-c70d-4ebd-8641-4b60a0ce0094",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "Azure Policies in AKS clusters help enforce governance best practices concerning security, authentication, provisioning, networking, and more, ensuring a robust and secure environment for operations.\n",
+ "guid": "7bde81d9-2f20-4da1-a373-371c3b53d9a6",
+ "learnMoreLink": [
+ {
+ "name": "AKS Baseline - Policy Management",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Faks%2Ftoc.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fbread%2Ftoc.json#policy-management"
+ },
+ {
+ "name": "Built-in Policy Definitions for AKS",
+ "url": "https://learn.microsoft.com/en-us/azure/aks/policy-reference"
+ }
+ ],
+ "longDescription": "Azure Policies in AKS clusters help enforce governance best practices concerning security, authentication, provisioning, networking, and more, ensuring a robust and secure environment for operations.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced AKS governance and security",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Low",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Enable and remediate Azure Policies configured for AKS"
+ },
+ {
+ "aprlGuid": "5f3cbd68-692a-4121-988c-9770914859a9",
+ "automationAvailable": "arg",
+ "category": "Other Best Practices",
+ "description": "GitOps, an operating model for cloud-native apps, uses Git for storing application and infrastructure code as a source of truth for continuous delivery.\n",
+ "guid": "b19051ee-ed62-414a-9671-55bb971c2c6c",
+ "learnMoreLink": [
+ {
+ "name": "GitOps with AKS",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/guide/aks/aks-cicd-github-actions-and-gitops"
+ },
+ {
+ "name": "GitOps for AKS - Reference Architecture",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gitops-aks/gitops-blueprint-aks"
+ }
+ ],
+ "longDescription": "GitOps, an operating model for cloud-native apps, uses Git for storing application and infrastructure code as a source of truth for continuous delivery.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures AKS config consistency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Low",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Enable GitOps when using DevOps frameworks"
+ },
+ {
+ "aprlGuid": "928fcc6f-5e9a-42d9-9bd4-260af42de2e5",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Enhance availability and reliability by using pod topology spread constraints to control pod distribution based on node or zone topology, ensuring pods are spread across your cluster.\n",
+ "guid": "9b547960-a6b0-42a6-bbfe-e12cc59e8466",
+ "learnMoreLink": [
+ {
+ "name": "Topology Spread Constraints",
+ "url": "https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/"
+ },
+ {
+ "name": "Assign Pod Node",
+ "url": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/"
+ }
+ ],
+ "longDescription": "Enhance availability and reliability by using pod topology spread constraints to control pod distribution based on node or zone topology, ensuring pods are spread across your cluster.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures high availability and efficient use",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Use pod topology spread constraints to ensure that pods are spread across different nodes or zones"
+ },
+ {
+ "aprlGuid": "cd6791b1-c60e-4b37-ac98-9897b1e6f4b8",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "AKS kubelet controller uses liveness probes to validate containers and applications health, ensuring the system knows when to restart a container based on its health status.\n",
+ "guid": "f25e7258-1eb8-4f3a-9e88-ce9400b7163a",
+ "learnMoreLink": [
+ {
+ "name": "Configure probes",
+ "url": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
+ },
+ {
+ "name": "Assign Pod Node",
+ "url": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/"
+ }
+ ],
+ "longDescription": "AKS kubelet controller uses liveness probes to validate containers and applications health, ensuring the system knows when to restart a container based on its health status.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances container health monitoring",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Configures Pods Liveness, Readiness, and Startup Probes"
+ },
+ {
+ "aprlGuid": "bcfe71f1-ebed-49e5-a84a-193b81ad5d27",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Configuring multiple replicas in Pod or Deployment manifests stabilizes the number of replica Pods, ensuring that a specified number of identical Pods are always available, thereby guaranteeing their availability.\n",
+ "guid": "5c2d5934-b823-4aa4-a5d3-5d1fa399a953",
+ "learnMoreLink": [
+ {
+ "name": "Replica Sets",
+ "url": "https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/"
+ }
+ ],
+ "longDescription": "Configuring multiple replicas in Pod or Deployment manifests stabilizes the number of replica Pods, ensuring that a specified number of identical Pods are always available, thereby guaranteeing their availability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures stable pod availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Use deployments with multiple replicas in production applications to guarantee availability"
+ },
+ {
+ "aprlGuid": "7f7ae535-a5ba-4665-b7e0-c451dbdda01f",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "The system node pool should be configured with a minimum node count of two to ensure critical system pods are resilient to node outages.\n",
+ "guid": "ca6553ed-444b-4f0d-9c45-af874bd122d1",
+ "learnMoreLink": [
+ {
+ "name": "System nodepools",
+ "url": "https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli"
+ }
+ ],
+ "longDescription": "The system node pool should be configured with a minimum node count of two to ensure critical system pods are resilient to node outages.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures pod resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Configure system nodepool count"
+ },
+ {
+ "aprlGuid": "005ccbbd-aeab-46ef-80bd-9bd4479412ec",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Configuring the user node pool with at least two nodes is essential for applications needing high availability, ensuring they remain operational and accessible without interruption.\n",
+ "guid": "ed8bc45b-f25a-4096-86be-fdedd3864fe3",
+ "learnMoreLink": [
+ {
+ "name": "Azure Well-Architected Framework review for Azure Kubernetes Service (AKS)",
+ "url": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-kubernetes-service#design-checklist"
+ }
+ ],
+ "longDescription": "Configuring the user node pool with at least two nodes is essential for applications needing high availability, ensuring they remain operational and accessible without interruption.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures high app availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Configure user nodepool count"
+ },
+ {
+ "aprlGuid": "a08a06a0-e41a-4b99-83bb-69ce8bca54cb",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "A Pod Disruption Budget is a Kubernetes resource configuring the minimum number or percentage of pods that should remain available during disruptions like maintenance or scaling, ensuring a minimum number of pods are always available in the cluster.\n",
+ "guid": "01e07c94-8d13-465d-a3c1-a83b2aca3c52",
+ "learnMoreLink": [
+ {
+ "name": "Configure PDBs",
+ "url": "https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
+ },
+ {
+ "name": "Plan availability using PDBs",
+ "url": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler#plan-for-availability-using-pod-disruption-budgets"
+ }
+ ],
+ "longDescription": "A Pod Disruption Budget is a Kubernetes resource configuring the minimum number or percentage of pods that should remain available during disruptions like maintenance or scaling, ensuring a minimum number of pods are always available in the cluster.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures cluster resiliency during disruptions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "Medium",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Configure pod disruption budgets (PDBs)"
+ },
+ {
+ "aprlGuid": "e620fa98-7a40-41a0-bfc9-b4407297fb58",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Nodepool subnets sized for max auto-scale settings enable AKS to efficiently scale out nodes, meeting increased demand while reducing resource constraints and potential service disruptions.\n",
+ "guid": "6506b2ce-7120-4696-880d-dbc2e2ddf6f1",
+ "learnMoreLink": [
+ {
+ "name": "Azure CNI Dynamic IP Allocation",
+ "url": "https://learn.microsoft.com/azure/aks/configure-azure-cni-dynamic-ip-allocation"
+ }
+ ],
+ "longDescription": "Nodepool subnets sized for max auto-scale settings enable AKS to efficiently scale out nodes, meeting increased demand while reducing resource constraints and potential service disruptions.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Efficient scaling, reduced disruptions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Nodepool subnet size needs to accommodate maximum auto-scale settings"
+ },
+ {
+ "aprlGuid": "a01afc4c-7439-4919-b2da-3565992ea2a7",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Node pool settings should not exceed the subscription core quota to ensure AKS can scale out nodes efficiently, meeting increased demand while reducing resource constraints and potential service disruptions.\n",
+ "guid": "afcac329-ced4-41cd-a20f-951bfa9dad8e",
+ "learnMoreLink": [
+ {
+ "name": "Azure Quotas",
+ "url": "https://learn.microsoft.com/azure/quotas/quotas-overview"
+ }
+ ],
+ "longDescription": "Node pool settings should not exceed the subscription core quota to ensure AKS can scale out nodes efficiently, meeting increased demand while reducing resource constraints and potential service disruptions.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Reduced disruptions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Node pool auto-scale settings should not exceed subscription core quota"
+ },
+ {
+ "aprlGuid": "f46b0d1d-56ef-4795-b98a-f6ee00cb341a",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure Linux on AKS boosts resiliency with a native image using validated, source-built components. It's lightweight, reducing the attack surface and maintenance. A Microsoft-hardened kernel, optimized for Azure, enhances stability and security for container workloads.\n",
+ "guid": "193ebfd3-ae6e-4069-99dc-2fe1b97e0c9e",
+ "learnMoreLink": [
+ {
+ "name": "Azure Linux",
+ "url": "https://learn.microsoft.com/azure/aks/use-azure-linux"
+ }
+ ],
+ "longDescription": "Azure Linux on AKS boosts resiliency with a native image using validated, source-built components. It's lightweight, reducing the attack surface and maintenance. A Microsoft-hardened kernel, optimized for Azure, enhances stability and security for container workloads.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Reduced disruptions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Use Azure Linux for Linux nodepools"
+ },
+ {
+ "aprlGuid": "9200aca6-0e83-4749-a5eb-e3939367bdc2",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Deploying at least two replicas of your application ensures that your application is highly available and can tolerate node failures.\n",
+ "guid": "4674df61-0bbe-40ed-b278-699449867bf9",
+ "learnMoreLink": [
+ {
+ "name": "Multi-replica apps",
+ "url": "https://learn.microsoft.com/azure/aks/best-practices-app-cluster-reliability#multi-replica-applications"
+ }
+ ],
+ "longDescription": "Deploying at least two replicas of your application ensures that your application is highly available and can tolerate node failures.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures high app availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ContainerService/managedClusters",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ContainerService/managedClusters",
+ "severity": "High",
+ "source": "azure-resources/ContainerService/managedClusters/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy at least two replicas of your application"
+ },
+ {
+ "aprlGuid": "88856605-53d8-4bbd-a75b-4a7b14939d32",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.\n",
+ "guid": "9c085dc3-8592-4848-81a0-17ba22cc4052",
+ "learnMoreLink": [
+ {
+ "name": "High availability concepts in Azure Database for MySQL - Flexible Server",
+ "url": "https://learn.microsoft.com/azure/mysql/flexible-server/concepts-high-availability"
+ }
+ ],
+ "longDescription": "Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced uptime and data protection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforMySQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforMySQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Enable HA with zone redundancy"
+ },
+ {
+ "aprlGuid": "82a9a0f2-24ee-496f-9ad2-25f81710942d",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.\n",
+ "guid": "05be89c2-c53a-4a05-9b74-b17eabcef66f",
+ "learnMoreLink": [
+ {
+ "name": "Scheduled maintenance in Azure Database for MySQL - Flexible Server",
+ "url": "https://learn.microsoft.com/azure/mysql/flexible-server/concepts-maintenance"
+ }
+ ],
+ "longDescription": "Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Control update timings",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforMySQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforMySQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Enable custom maintenance schedule"
+ },
+ {
+ "aprlGuid": "5c96afc3-7d2e-46ff-a4c7-9c32850c441b",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "guid": "ebeb0d7b-6007-4611-959c-a530e15bacde",
+ "learnMoreLink": [
+ {
+ "name": "Backup and restore in Azure Database for MySQL - Flexible Server",
+ "url": "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-backup-restore"
+ }
+ ],
+ "longDescription": "Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Recover from regional failure and/or disaster",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforMySQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforMySQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Configure geo redundant backup storage"
+ },
+ {
+ "aprlGuid": "b49a8653-cc43-48c9-8513-a2d2e3f14dd1",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "guid": "0ddaeaa3-4f57-468e-aded-eaa690b7cd44",
+ "learnMoreLink": [
+ {
+ "name": "Read replicas in Azure Database for MySQL - Flexible Server",
+ "url": "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-read-replicas"
+ }
+ ],
+ "longDescription": "Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Recover from regional failure and/or disaster",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforMySQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforMySQL/flexibleServers",
+ "severity": "Medium",
+ "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Configure one or more read replicas"
+ },
+ {
+ "aprlGuid": "8176a79d-8645-4e52-96be-a10fc0204fe5",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Configure storage auto-grow to prevent the server from running out of storage and becoming read-only.\n",
+ "guid": "a4d5967e-1b0b-46e3-8b62-4bdb3bc58fda",
+ "learnMoreLink": [
+ {
+ "name": "Azure Database for MySQL - Flexible Server service tiers - Storage auto grow",
+ "url": "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-service-tiers-storage#storage-auto-grow"
+ }
+ ],
+ "longDescription": "Configure storage auto-grow to prevent the server from running out of storage and becoming read-only.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Scale storage automatically to meet increasing demand",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforMySQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforMySQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforMySQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Configure storage auto-grow"
+ },
+ {
+ "aprlGuid": "ca87914f-aac4-4783-ab67-82a6f936f194",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.\n",
+ "guid": "b2bd50c9-2e2c-43ef-bad0-ee6b88387b2b",
+ "learnMoreLink": [
+ {
+ "name": "Overview of high availability with Azure Database for PostgreSQL",
+ "url": "https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-high-availability"
+ }
+ ],
+ "longDescription": "Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced uptime and data protection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Enable HA with zone redundancy"
+ },
+ {
+ "aprlGuid": "b2bad57d-7e03-4c0f-9024-597c9eb295bb",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.\n",
+ "guid": "b8c497ee-c97d-47b4-b29e-d2b4fc13b53d",
+ "learnMoreLink": [
+ {
+ "name": "Scheduled maintenance in Azure Database for PostgreSQL - Flexible Server",
+ "url": "https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-maintenance"
+ }
+ ],
+ "longDescription": "Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Control update timings",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Enable custom maintenance schedule"
+ },
+ {
+ "aprlGuid": "31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "guid": "5da4c2fb-ed9f-48c8-a3d0-37de740858a6",
+ "learnMoreLink": [
+ {
+ "name": "Backup and restore in Azure Database for PostgreSQL - Flexible Server",
+ "url": "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-backup-restore"
+ }
+ ],
+ "longDescription": "Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Recover from regional failure and/or disaster",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Configure geo redundant backup storage"
+ },
+ {
+ "aprlGuid": "2ab85a67-26be-4ed2-a0bb-101b2513ec63",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "guid": "a68045f8-8821-4462-b8c2-42b90df36563",
+ "learnMoreLink": [
+ {
+ "name": "Read replicas in Azure Database for PostgreSQL - Flexible Server",
+ "url": "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-read-replicas"
+ }
+ ],
+ "longDescription": "Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Recover from regional failure and/or disaster",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "severity": "Medium",
+ "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Configure one or more read replicas"
+ },
+ {
+ "aprlGuid": "6293a3cc-6b4a-4c0f-9ea7-b8ae8d7dd3d5",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Configure storage auto-grow to prevent the server from running out of storage and becoming read-only.\n",
+ "guid": "75f0ccdf-7c8b-49f3-a3a7-cb295ad5ae44",
+ "learnMoreLink": [
+ {
+ "name": "Storage autogrow using Azure portal in Azure Database for PostgreSQL - Flexible Server",
+ "url": "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-auto-grow-storage-portal"
+ }
+ ],
+ "longDescription": "Configure storage auto-grow to prevent the server from running out of storage and becoming read-only.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Scale storage automatically to meet increasing demand",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DBforPostgreSQL/flexibleServers",
+ "severity": "High",
+ "source": "azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml",
+ "tags": null,
+ "text": "Configure storage auto-grow"
+ },
+ {
+ "aprlGuid": "0e835cc2-2551-a247-b1f1-3c5f25c9cb70",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Databricks recommends migrating workloads to the latest or LTS version of its runtime for enhanced stability and support. If on Runtime 11.3 LTS or above, move directly to the latest 12.x version. If below, first migrate to 11.3 LTS, then to the latest 12.x version as per the migration guide.\n",
+ "guid": "573a61dc-9473-457e-ac67-160f0a898d1f",
+ "learnMoreLink": [
+ {
+ "name": "Databricks runtime support lifecycles",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/release-notes/runtime/databricks-runtime-ver"
+ }
+ ],
+ "longDescription": "Databricks recommends migrating workloads to the latest or LTS version of its runtime for enhanced stability and support. If on Runtime 11.3 LTS or above, move directly to the latest 12.x version. If below, first migrate to 11.3 LTS, then to the latest 12.x version as per the migration guide.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced stability and support",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Databricks runtime version is not latest or is not LTS version"
+ },
+ {
+ "aprlGuid": "c166602e-0804-e34b-be8f-09b4d56e1fcd",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Databricks pools pre-provision VMs, reducing risks of provisioning errors during cluster start or scale, enhancing reliability.\n",
+ "guid": "b66323f8-bbf7-4562-9931-b63d436deeb9",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Databricks pools pre-provision VMs, reducing risks of provisioning errors during cluster start or scale, enhancing reliability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Reduces provisioning errors",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use Databricks Pools"
+ },
+ {
+ "aprlGuid": "5877a510-8444-7a4c-8412-a8dab8662f7e",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Upgrade HDDs in premium VMs to SSDs for better speed and reliability. Premium SSDs boost IO-heavy apps; Standard SSDs balance cost and performance. Ideal for critical workloads, upgrading improves connectivity with brief reboot. Consider for vital VMs\n",
+ "guid": "90ca5376-fbce-4e3c-a5f9-557f5e54760f",
+ "learnMoreLink": [
+ {
+ "name": "Azure managed disk types",
+ "url": "https://learn.microsoft.com/azure/virtual-machines/disks-types#premium-ssd"
+ }
+ ],
+ "longDescription": "Upgrade HDDs in premium VMs to SSDs for better speed and reliability. Premium SSDs boost IO-heavy apps; Standard SSDs balance cost and performance. Ideal for critical workloads, upgrading improves connectivity with brief reboot. Consider for vital VMs\n",
+ "pgVerified": true,
+ "potentialBenefits": "Faster, reliable VM performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use SSD backed VMs for Worker VM Type and Driver type"
+ },
+ {
+ "aprlGuid": "5c72f0d6-55ec-d941-be84-36c194fa78c0",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Autoscaling adjusts cluster sizes automatically based on workload demands, offering benefits for many use cases in terms of costs and performance. It includes guidance on when and how to best utilize Autoscaling. For streaming, Delta Live Tables with autoscaling is advised.\n",
+ "guid": "0e71304a-5854-4803-a9ef-72ccf8147b6f",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#enable-autoscaling-for-batch-workloadss"
+ }
+ ],
+ "longDescription": "Autoscaling adjusts cluster sizes automatically based on workload demands, offering benefits for many use cases in terms of costs and performance. It includes guidance on when and how to best utilize Autoscaling. For streaming, Delta Live Tables with autoscaling is advised.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Cost and performance optimization",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Enable autoscaling for batch workloads"
+ },
+ {
+ "aprlGuid": "362ad2b6-b92c-414f-980a-0cf69467ccce",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "The scaling parameter of a SQL warehouse defines the min and max number of clusters for distributing queries. By default, it's set to one. Increasing the cluster count can accommodate more concurrent users effectively.\n",
+ "guid": "c96d03c3-97d2-494d-ad61-f9b716642658",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#enable-autoscaling-for-sql-warehouse"
+ }
+ ],
+ "longDescription": "The scaling parameter of a SQL warehouse defines the min and max number of clusters for distributing queries. By default, it's set to one. Increasing the cluster count can accommodate more concurrent users effectively.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves concurrency and efficiency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Enable autoscaling for SQL warehouse"
+ },
+ {
+ "aprlGuid": "cd77db98-9b13-6e4b-bd2b-74c2cb538628",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Databricks enhanced autoscaling optimizes cluster utilization by automatically allocating cluster resources based on workload volume, with minimal impact on the data processing latency of your pipelines.\n",
+ "guid": "33e8cf4d-db1e-46e6-b287-392831e9cb32",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ },
+ {
+ "name": "Databricks enhanced autoscaling",
+ "url": "https://learn.microsoft.com/azure/databricks/delta-live-tables/settings#use-autoscaling-to-increase-efficiency-and-reduce-resource-usage"
+ }
+ ],
+ "longDescription": "Databricks enhanced autoscaling optimizes cluster utilization by automatically allocating cluster resources based on workload volume, with minimal impact on the data processing latency of your pipelines.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimized resource use and minimal latency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use Delta Live Tables enhanced autoscaling"
+ },
+ {
+ "aprlGuid": "3d3e53b5-ebd1-db42-b43b-d4fad74824ec",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "To conserve cluster resources, you can terminate a cluster to store its configuration for future reuse or autostart jobs. Clusters can auto-terminate after inactivity, but this only tracks Spark jobs, not local processes, which might still be running even after Spark jobs end.\n",
+ "guid": "cc72a137-802d-4c6e-aca3-ff78c66540b2",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability?",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "To conserve cluster resources, you can terminate a cluster to store its configuration for future reuse or autostart jobs. Clusters can auto-terminate after inactivity, but this only tracks Spark jobs, not local processes, which might still be running even after Spark jobs end.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Saves cluster resources, avoids idle use",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Automatic Job Termination is enabled, ensure there are no user-defined local processes"
+ },
+ {
+ "aprlGuid": "7fb90127-5364-bb4d-86fa-30778ed713fb",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "When creating a Databricks cluster, you can set a log delivery location for the Spark driver, worker nodes, and events. Logs are delivered every 5 mins and archived hourly. Upon cluster termination, all generated logs until that point are guaranteed to be delivered.\n",
+ "guid": "29f44ec4-06dc-4082-bfe6-a94767309889",
+ "learnMoreLink": [
+ {
+ "name": "Create a cluster",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/clusters/configure#cluster-log-delivery"
+ }
+ ],
+ "longDescription": "When creating a Databricks cluster, you can set a log delivery location for the Spark driver, worker nodes, and events. Logs are delivered every 5 mins and archived hourly. Upon cluster termination, all generated logs until that point are guaranteed to be delivered.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improved troubleshooting and audit",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Logging-Cluster log delivery"
+ },
+ {
+ "aprlGuid": "da4ea916-4df3-8c4d-8060-17b49da45977",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Delta Lake is an open source storage format enhancing data lakes' reliability with ACID transactions, schema enforcement, and scalable metadata handling.\n",
+ "guid": "3c2b29d3-a189-4ee3-b90f-9fead1a296b1",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Delta Lake is an open source storage format enhancing data lakes' reliability with ACID transactions, schema enforcement, and scalable metadata handling.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances data reliability and processing",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use Delta Lake for higher reliability"
+ },
+ {
+ "aprlGuid": "892ca809-e2b5-9a47-924a-71132bf6f902",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Apache Spark in Databricks Lakehouse ensures resilient distributed data processing by automatically rescheduling failed tasks, aiding in overcoming external issues like network problems or revoked VMs.\n",
+ "guid": "7dd06551-9725-489d-9c58-0f18fc728839",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#use-apache-spark-or-photon-for-distributed-compute"
+ }
+ ],
+ "longDescription": "Apache Spark in Databricks Lakehouse ensures resilient distributed data processing by automatically rescheduling failed tasks, aiding in overcoming external issues like network problems or revoked VMs.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Boosts speed and reliability for Spark tasks",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Low",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use Photon Acceleration"
+ },
+ {
+ "aprlGuid": "7e52d64d-8cc0-8548-a593-eb49ab45630d",
+ "automationAvailable": false,
+ "category": "Business Continuity",
+ "description": "Invalid or nonconforming data can crash workloads dependent on specific data formats. Best practices recommend filtering such data at ingestion to improve end-to-end resilience, ensuring no data is lost or missed.\n",
+ "guid": "c8d61539-df26-4c17-ad6d-8f2faf863c9d",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Invalid or nonconforming data can crash workloads dependent on specific data formats. Best practices recommend filtering such data at ingestion to improve end-to-end resilience, ensuring no data is lost or missed.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced data resilience and integrity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Business Continuity",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Low",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Automatically rescue invalid or nonconforming data with Databricks Auto Loader or Delta Live Tables"
+ },
+ {
+ "aprlGuid": "84e44da6-8cd7-b349-b02c-c8bf72cf587c",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Use Databricks and MLflow for deploying models as Spark UDFs for job scheduling, retries, autoscaling. Model serving offers scalable infrastructure, processes models using MLflow, and serves them via REST API using serverless compute managed in Databricks cloud.\n",
+ "guid": "a760b136-1d71-4e29-915e-b61e22845a97",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Use Databricks and MLflow for deploying models as Spark UDFs for job scheduling, retries, autoscaling. Model serving offers scalable infrastructure, processes models using MLflow, and serves them via REST API using serverless compute managed in Databricks cloud.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability and autoscaling",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Configure jobs for automatic retries and termination"
+ },
+ {
+ "aprlGuid": "4cbb7744-ff3d-0447-badb-baf068c95696",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Use Databricks and MLflow for deploying models as Apache Spark UDFs, benefiting from job scheduling, retries, autoscaling, etc.\n",
+ "guid": "85b5f6a4-a15e-4a2a-a041-fd8fc80e3869",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Use Databricks and MLflow for deploying models as Apache Spark UDFs, benefiting from job scheduling, retries, autoscaling, etc.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances scalability and reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use a scalable and production-grade model serving infrastructure"
+ },
+ {
+ "aprlGuid": "1b0d0893-bf0e-8f4c-9dc6-f18f145c1ecf",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Curate data by creating a layered architecture to increase data quality across layers. Start with a raw layer for ingested source data, continue with a curated layer for cleansed and refined data, and finish with a final layer catered to business needs, focusing on security and performance.\n",
+ "guid": "e95c6153-8b02-49c4-b07d-0c4c3fa1f553",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Curate data by creating a layered architecture to increase data quality across layers. Start with a raw layer for ingested source data, continue with a curated layer for cleansed and refined data, and finish with a final layer catered to business needs, focusing on security and performance.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances data quality and trust",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use a layered storage architecture"
+ },
+ {
+ "aprlGuid": "e93fe702-e385-d741-ba37-1f1656482ecd",
+ "automationAvailable": false,
+ "category": "Business Continuity",
+ "description": "Copying data leads to redundancy, lost integrity, lineage, and access issues, affecting lakehouse data quality. Temporary copies are useful for agility and innovation but can become problematic operational data silos, questioning data's master status and currency.\n",
+ "guid": "f8a721f2-4500-4a0a-b812-366d02946d93",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Copying data leads to redundancy, lost integrity, lineage, and access issues, affecting lakehouse data quality. Temporary copies are useful for agility and innovation but can become problematic operational data silos, questioning data's master status and currency.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced data integrity and quality",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Business Continuity",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Low",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Improve data integrity by reducing data redundancy"
+ },
+ {
+ "aprlGuid": "b7e1d13f-54c9-1648-8a52-34c0abe8ce16",
+ "automationAvailable": false,
+ "category": "Other Best Practices",
+ "description": "Uncontrolled schema changes can lead to invalid data and failing jobs. Databricks validates and enforces schema through Delta Lake, which prevents bad records during ingestion, and Auto Loader, which detects new columns and supports schema evolution to maintain data integrity.\n",
+ "guid": "0fb3f3ef-3a39-443c-9c47-0d55faa5aee0",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Uncontrolled schema changes can lead to invalid data and failing jobs. Databricks validates and enforces schema through Delta Lake, which prevents bad records during ingestion, and Auto Loader, which detects new columns and supports schema evolution to maintain data integrity.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents invalid data and job failures",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Actively manage schemas"
+ },
+ {
+ "aprlGuid": "a42297c4-7e4f-8b41-8d4b-114033263f0e",
+ "automationAvailable": false,
+ "category": "Business Continuity",
+ "description": "Delta tables verify data quality automatically with SQL constraints, triggering an error for violations. Delta Live Tables enhance this by defining expectations for data quality, utilizing Python or SQL, to manage actions for record failures, ensuring data integrity and compliance.\n",
+ "guid": "7202b799-128d-4cdb-9399-fd32eab3262f",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#use-constraints-and-data-expectations"
+ }
+ ],
+ "longDescription": "Delta tables verify data quality automatically with SQL constraints, triggering an error for violations. Delta Live Tables enhance this by defining expectations for data quality, utilizing Python or SQL, to manage actions for record failures, ensuring data integrity and compliance.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures data quality and integrity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Business Continuity",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Low",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use constraints and data expectations"
+ },
+ {
+ "aprlGuid": "932d45d6-b46d-e341-abfb-d97bce832f1f",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "To recover from a failure, regular backups are needed. The Databricks Labs project migrate lets admins create backups by exporting workspace assets using the Databricks CLI/API. These backups help in restoring or migrating workspaces.\n",
+ "guid": "ab31857b-cc0b-4a6a-b8a5-d0e8ac079b7e",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#create-regular-backups"
+ }
+ ],
+ "longDescription": "To recover from a failure, regular backups are needed. The Databricks Labs project migrate lets admins create backups by exporting workspace assets using the Databricks CLI/API. These backups help in restoring or migrating workspaces.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures data recovery and migration",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Low",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Create regular backups"
+ },
+ {
+ "aprlGuid": "12e9d852-5cdc-2743-bffe-ee21f2ef7781",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Structured Streaming ensures fault-tolerance and data consistency in streaming queries. With Azure Databricks workflows, you can set up your queries to automatically restart after failure, picking up precisely where they left off.\n",
+ "guid": "3a35f33d-6630-47e9-b58e-b98666d5175c",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#recover-from-structured-streaming-query-failures"
+ }
+ ],
+ "longDescription": "Structured Streaming ensures fault-tolerance and data consistency in streaming queries. With Azure Databricks workflows, you can set up your queries to automatically restart after failure, picking up precisely where they left off.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Fault-tolerance and auto-restart for queries",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Recover from Structured Streaming query failures"
+ },
+ {
+ "aprlGuid": "a18d60f8-c98c-ba4e-ad6e-2fac72879df1",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Despite thorough testing, a production job can fail or yield unexpected data. Sometimes, repairs are done by adding jobs post-issue identification and pipeline correction.\n",
+ "guid": "3bb90df0-76b0-4e92-824e-9dc2a029a582",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#recover-etl-jobs-based-on-delta-time-travel"
+ }
+ ],
+ "longDescription": "Despite thorough testing, a production job can fail or yield unexpected data. Sometimes, repairs are done by adding jobs post-issue identification and pipeline correction.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Easy rollback and fix for ETL jobs",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Recover ETL jobs based on Delta time travel"
+ },
+ {
+ "aprlGuid": "c0e22580-3819-444d-8546-a80e4ed85c83",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Databricks Workflows enable efficient error recovery in multi-task jobs by offering a matrix view for issue examination. Fixes can be applied to initiate repair runs targeting only failed and dependent tasks, preserving successful outcomes and thereby saving time and money.\n",
+ "guid": "f46cc072-8799-4415-8118-13680a0f6cbd",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
+ }
+ ],
+ "longDescription": "Databricks Workflows enable efficient error recovery in multi-task jobs by offering a matrix view for issue examination. Fixes can be applied to initiate repair runs targeting only failed and dependent tasks, preserving successful outcomes and thereby saving time and money.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Saves time and money with smart recovery",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Low",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Use Databricks Workflows and built-in recovery"
+ },
+ {
+ "aprlGuid": "4fdb7112-4531-6f48-b60e-c917a6068d9b",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Implementing a disaster recovery pattern is vital for Azure Databricks, a cloud-native data analytics platform, ensuring data teams' access even during rare regional outages caused by disasters like hurricanes or earthquakes.\n",
+ "guid": "7cf6657b-2b7f-4241-b61f-d27a0b8170dc",
+ "learnMoreLink": [
+ {
+ "name": "Azure Databricks Best Practices",
+ "url": "https://github.com/Azure/AzureDatabricksBestPractices/tree/master"
+ }
+ ],
+ "longDescription": "Implementing a disaster recovery pattern is vital for Azure Databricks, a cloud-native data analytics platform, ensuring data teams' access even during rare regional outages caused by disasters like hurricanes or earthquakes.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures service continuity during disasters",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Configure a disaster recovery pattern"
+ },
+ {
+ "aprlGuid": "42aedaa8-6151-424d-b782-b8666c779969",
+ "automationAvailable": false,
+ "category": "Other Best Practices",
+ "description": "The Databricks Terraform provider manages Azure Databricks workspaces and cloud infrastructure flexibly and powerfully.\n",
+ "guid": "398710c9-6033-484e-96dd-b83f72f7e063",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for operational excellence",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/operational-excellence/best-practices#2-automate-deployments-and-workloads"
+ }
+ ],
+ "longDescription": "The Databricks Terraform provider manages Azure Databricks workspaces and cloud infrastructure flexibly and powerfully.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Efficient, reliable automation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Automate deployments and workloads"
+ },
+ {
+ "aprlGuid": "20193ff9-dbcd-a74e-b197-71d7d9d3c1e6",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "The Databricks Terraform provider is a flexible, powerful tool for managing Azure Databricks workspaces and cloud infrastructure.\n",
+ "guid": "fffedad8-9cc3-4cb9-abf4-b67936919e3b",
+ "learnMoreLink": [
+ {
+ "name": "Best practices for operational excellence",
+ "url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/operational-excellence/best-practices#system-monitoring"
+ }
+ ],
+ "longDescription": "The Databricks Terraform provider is a flexible, powerful tool for managing Azure Databricks workspaces and cloud infrastructure.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced reliability and automation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Set up monitoring, alerting, and logging"
+ },
+ {
+ "aprlGuid": "397cdebb-9d6e-ab4f-83a1-8c481de0a3a7",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Customers often naturally divide workspaces by teams or departments. However, it's crucial to also consider Azure Subscription and ADB Workspace limits when partitioning.\n",
+ "guid": "58cfc40d-061d-4345-b109-e79010d9c7b3",
+ "learnMoreLink": [
+ {
+ "name": "Azure Databricks Best Practices",
+ "url": "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#deploy-workspaces-in-multiple-subscriptions-to-honor-azure-capacity-limits"
+ }
+ ],
+ "longDescription": "Customers often naturally divide workspaces by teams or departments. However, it's crucial to also consider Azure Subscription and ADB Workspace limits when partitioning.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced limits management, team separation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy workspaces in separate Subscriptions"
+ },
+ {
+ "aprlGuid": "5e722c4f-415a-9b4c-bd4c-96b74dce29ad",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Deploying only one Databricks Workspace per VNet aligns with ADB's isolation model.\n",
+ "guid": "691fae3d-f16a-46b9-9c6b-2c184299b9f6",
+ "learnMoreLink": [
+ {
+ "name": "Azure Databricks Best Practices",
+ "url": "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#consider-isolating-each-workspace-in-its-own-vnet"
+ }
+ ],
+ "longDescription": "Deploying only one Databricks Workspace per VNet aligns with ADB's isolation model.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced security and resource isolation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Isolate each workspace in its own Vnet"
+ },
+ {
+ "aprlGuid": "14310ba6-77ad-3641-a2db-57a2218b9bc7",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Driven by security and data availability concerns, each Azure Databricks Workspace comes with a default DBFS designed for system-level artifacts like libraries and Init scripts, not for production data.\n",
+ "guid": "3e6a462f-f9df-4e1f-beeb-c17e67b18f44",
+ "learnMoreLink": [
+ {
+ "name": "Azure Databricks Best Practices",
+ "url": "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#do-not-store-any-production-data-in-default-dbfs-foldersr"
+ }
+ ],
+ "longDescription": "Driven by security and data availability concerns, each Azure Databricks Workspace comes with a default DBFS designed for system-level artifacts like libraries and Init scripts, not for production data.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced security, data protection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Do not Store any Production Data in Default DBFS Folders"
+ },
+ {
+ "aprlGuid": "b5af7e26-3939-1b48-8fba-f8d4a475c67a",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Azure Spot VMs are not suitable for critical production workloads needing high availability and reliability. They are meant for fault-tolerant tasks and can be evicted with 30-seconds notice if Azure needs the capacity, with no SLA guarantees.\n",
+ "guid": "9ca71264-d45e-4c68-8c7a-5a3a9f6bcfb3",
+ "learnMoreLink": [
+ {
+ "name": "Use Azure Spot Virtual Machines",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms"
+ }
+ ],
+ "longDescription": "Azure Spot VMs are not suitable for critical production workloads needing high availability and reliability. They are meant for fault-tolerant tasks and can be evicted with 30-seconds notice if Azure needs the capacity, with no SLA guarantees.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures high reliability for production",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Do not use Azure Spot VMs for critical Production workloads"
+ },
+ {
+ "aprlGuid": "8aa63c34-dd9d-49bd-9582-21ec310dfbdd",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Move workspaces to in-region control plane for increased regional isolation. Identify current control plane region using the workspace URL and nslookup. When region from CNAME differs from workspace region and an in-region control is available, consider migration using tools provided below.\n",
+ "guid": "dc01f4b7-2827-4540-8fde-12d1b525c5b7",
+ "learnMoreLink": [
+ {
+ "name": "Azure Databricks control plane addresses",
+ "url": "https://learn.microsoft.com/azure/databricks/resources/supported-regions#--azure-databricks-control-plane-addresses"
+ },
+ {
+ "name": "Migrate - maintained by Databricks Inc.",
+ "url": "https://github.com/databrickslabs/migrate"
+ },
+ {
+ "name": "Databricks Terraform Exporter - maintained by Databricks Inc. (Experimental)",
+ "url": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/guides/experimental-exporter"
+ }
+ ],
+ "longDescription": "Move workspaces to in-region control plane for increased regional isolation. Identify current control plane region using the workspace URL and nslookup. When region from CNAME differs from workspace region and an in-region control is available, consider migration using tools provided below.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Improves resilience and data sovereignty",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "High",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Evaluate regional isolation for workspaces"
+ },
+ {
+ "aprlGuid": "028593be-956e-4736-bccf-074cb10b92f4",
+ "automationAvailable": false,
+ "category": "Personalized",
+ "description": "Azure Databricks planning should include VM SKU swap strategies for capacity issues. VMs are regional, and allocation failures may occur, shown by a \"CLOUD PROVIDER\" error.\n",
+ "guid": "b8986a8c-d0f4-4714-a17a-47d04780c3d2",
+ "learnMoreLink": [
+ {
+ "name": "Compute configuration best practices",
+ "url": "https://learn.microsoft.com/azure/databricks/compute/cluster-config-best-practices"
+ },
+ {
+ "name": "GPU-enabled compute",
+ "url": "https://learn.microsoft.com/azure/databricks/compute/gpu"
+ }
+ ],
+ "longDescription": "Azure Databricks planning should include VM SKU swap strategies for capacity issues. VMs are regional, and allocation failures may occur, shown by a \"CLOUD PROVIDER\" error.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures service availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Personalized",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Databricks/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Databricks/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/Databricks/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Define alternate VM SKUs"
+ },
+ {
+ "aprlGuid": "013ac34e-7c4b-425f-9e0c-216f0cc06181",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Create a Validation Pool for early issue detection with planned AVD updates. Adjust limits based on needs. Scale by adding multiple host pools for more users. Regularly test updates on host pools. Validate changes before applying to main environment to avoid downtime.\n",
+ "guid": "27eb3d24-24ab-44a6-803f-e5ab4530e24f",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/azure/virtual-desktop/configure-validation-environment?tabs=azure-portal"
+ }
+ ],
+ "longDescription": "Create a Validation Pool for early issue detection with planned AVD updates. Adjust limits based on needs. Scale by adding multiple host pools for more users. Regularly test updates on host pools. Validate changes before applying to main environment to avoid downtime.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced environment stability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DesktopVirtualization/hostPools",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DesktopVirtualization/hostPools",
+ "severity": "Medium",
+ "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "tags": null,
+ "text": "Create a validation host pool for testing of planned updates"
+ },
+ {
+ "aprlGuid": "979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Create maintenance schedules for AVD agent updates to avoid disruptions. Use Scheduled Agent Updates to set maintenance windows for updating Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent.\n",
+ "guid": "4f157309-2f5d-4b07-816a-4db0f4e6ed87",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates"
+ }
+ ],
+ "longDescription": "Create maintenance schedules for AVD agent updates to avoid disruptions. Use Scheduled Agent Updates to set maintenance windows for updating Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced environment stability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DesktopVirtualization/hostPools",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DesktopVirtualization/hostPools",
+ "severity": "Medium",
+ "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "tags": null,
+ "text": "Configure host pool scheduled agent updates"
+ },
+ {
+ "aprlGuid": "939cb85c-102a-4e0a-ab82-5c92116d3778",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "For optimized AVD configuration, place Hybrid VMs in unique OUs. Segregate Prod and DR units for environment-specific settings. This ensures targeted configurations for session hosts, including Fslogix, timeouts, and session controls.\n",
+ "guid": "8e8b940d-d684-4e41-9e3f-59e2fe1e0075",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services"
+ }
+ ],
+ "longDescription": "For optimized AVD configuration, place Hybrid VMs in unique OUs. Segregate Prod and DR units for environment-specific settings. This ensures targeted configurations for session hosts, including Fslogix, timeouts, and session controls.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improved AVD hostpool config & segmentation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DesktopVirtualization/hostPools",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DesktopVirtualization/hostPools",
+ "severity": "Medium",
+ "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure a unique OU is used when deploying host pools with domain joined session hosts"
+ },
+ {
+ "aprlGuid": "38721758-2cc2-4d6b-b7b7-8b47dadbf7df",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Implement Azure Site Recovery (ASR) or Azure Backup for personal host pools to enable seamless failover and failback. This replicates VMs supporting personal desktops to a secondary Azure region, ensuring recovery from a known state in case of a disaster or outage.\n",
+ "guid": "84e3f84d-9040-442b-916a-a9dc328a5a4e",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview"
+ }
+ ],
+ "longDescription": "Implement Azure Site Recovery (ASR) or Azure Backup for personal host pools to enable seamless failover and failback. This replicates VMs supporting personal desktops to a secondary Azure region, ensuring recovery from a known state in case of a disaster or outage.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures VM recovery & failover",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Compute/virtualMachines",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Compute/virtualMachines",
+ "severity": "Medium",
+ "source": "azure-resources/DesktopVirtualization/hostPools/recommendations.yaml",
+ "tags": null,
+ "text": "Use Azure Site Recovery or backups to protect VMs supporting personal desktops"
+ },
+ {
+ "aprlGuid": "499769ae-67c9-492e-9ca5-cfd4cece5209",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region.\n",
+ "guid": "53ebd860-9c96-424b-b8d2-37d75f6f876f",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scaling-plan?tabs=portal"
+ }
+ ],
+ "longDescription": "Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced scaling",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DesktopVirtualization/scalingPlans",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DesktopVirtualization/scalingPlans",
+ "severity": "Medium",
+ "source": "azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml",
+ "tags": null,
+ "text": "Scaling plans should be created per region and not scaled across regions"
+ },
+ {
+ "aprlGuid": "783c6c18-760b-4867-9ced-3010a0bc5aa3",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Device Identities should be copied to the failover region IoT-Hub for all IoT devices to ensure connectivity in case of a failover. Manual Failover to another region is quicker (RTO), suitable for mission critical workloads.\n",
+ "guid": "01c6b3a4-10d4-415f-befa-039908d60fe8",
+ "learnMoreLink": [
+ {
+ "name": "Import and export IoT Hub device identities in bulk",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-bulk-identity-mgmt"
+ },
+ {
+ "name": "IoT Hub high availability and disaster recovery",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr#manual-failover"
+ }
+ ],
+ "longDescription": "Device Identities should be copied to the failover region IoT-Hub for all IoT devices to ensure connectivity in case of a failover. Manual Failover to another region is quicker (RTO), suitable for mission critical workloads.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Faster failover; Ensures device connectivity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Devices/IotHubs",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Devices/IotHubs",
+ "severity": "High",
+ "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "tags": null,
+ "text": "Device Identities are exported to a secondary region"
+ },
+ {
+ "aprlGuid": "eeba3a49-fef0-481f-a471-7ff01139b474",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "In a production scenario, the IoT Hub tier should not be Free because the Free tier does not provide the necessary Service Level Agreement.\n",
+ "guid": "881519ff-dbd8-49ba-8e1f-25cb359e10f2",
+ "learnMoreLink": [
+ {
+ "name": "Choose the right IoT Hub tier and size for your solution",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-scaling"
+ }
+ ],
+ "longDescription": "In a production scenario, the IoT Hub tier should not be Free because the Free tier does not provide the necessary Service Level Agreement.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures SLA for production",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Devices/IotHubs",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Devices/IotHubs",
+ "severity": "High",
+ "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "tags": null,
+ "text": "Do not use free tier"
+ },
+ {
+ "aprlGuid": "214cbc46-747e-4354-af6e-6bf0054196a5",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "In regions supporting Availability Zones for IoT Hub, using these zones boosts availability. They're automatically activated for new IoT Hubs in supported areas.\n",
+ "guid": "a1cde0e8-db57-4efa-83e2-d3ea655dd021",
+ "learnMoreLink": [
+ {
+ "name": "Azure IoT Hub high availability and disaster recovery",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr#availability-zones"
+ }
+ ],
+ "longDescription": "In regions supporting Availability Zones for IoT Hub, using these zones boosts availability. They're automatically activated for new IoT Hubs in supported areas.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Boosts IoT Hub availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Devices/IotHubs",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Devices/IotHubs",
+ "severity": "High",
+ "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "tags": null,
+ "text": "Use Availability Zones"
+ },
+ {
+ "aprlGuid": "b1e1378d-4572-4414-bebd-b8872a6d4d1c",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Device Provisioning Service (DPS) enables easy redistribution of IoT devices for scaling and availability, allowing devices to be reassigned and not bound to specific IoT Hub instances. Devices in IoT Hubs using DPS should be verified for DPS utilization.\n",
+ "guid": "748f1f41-8e68-4be6-a05d-4030989d82a2",
+ "learnMoreLink": [
+ {
+ "name": "IoT Hub Device Provisioning Service (DPS) terminology",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-dps/concepts-service"
+ },
+ {
+ "name": "Best practices for large-scale IoT device deployments",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-dps/concepts-deploy-at-scale"
+ },
+ {
+ "name": "IoT Hub Device Provisioning Service high availability and disaster recovery",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr"
+ }
+ ],
+ "longDescription": "Device Provisioning Service (DPS) enables easy redistribution of IoT devices for scaling and availability, allowing devices to be reassigned and not bound to specific IoT Hub instances. Devices in IoT Hubs using DPS should be verified for DPS utilization.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances scalability and availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Devices/IotHubs",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Devices/IotHubs",
+ "severity": "High",
+ "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "tags": null,
+ "text": "Use Device Provisioning Service"
+ },
+ {
+ "aprlGuid": "02568a5d-335e-4e51-9f7c-fe2ada977300",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "In case of a regional failure, an IoT Hub can failover to a second region, automatically or manually, to ensure your application continues working.\n",
+ "guid": "92d81ed2-d62c-4985-9a09-d34390f2c9e6",
+ "learnMoreLink": [
+ {
+ "name": "IoT Hub high availability and disaster recovery",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr"
+ }
+ ],
+ "longDescription": "In case of a regional failure, an IoT Hub can failover to a second region, automatically or manually, to ensure your application continues working.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures business continuity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Devices/IotHubs",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Devices/IotHubs",
+ "severity": "High",
+ "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "tags": null,
+ "text": "Define Failover Guidelines"
+ },
+ {
+ "aprlGuid": "e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Using message routing for custom endpoints in IoT Hub, messages might not reach these destinations if specific conditions are unmet. A default route ensures all messages are received, but disabling this safety net risks leaving some messages undelivered.\n",
+ "guid": "aff42ecc-61f7-4e35-92a7-61eb64ea2ae0",
+ "learnMoreLink": [
+ {
+ "name": "Use message routing - Fallback route",
+ "url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-messages-d2c#fallback-route"
+ }
+ ],
+ "longDescription": "Using message routing for custom endpoints in IoT Hub, messages might not reach these destinations if specific conditions are unmet. A default route ensures all messages are received, but disabling this safety net risks leaving some messages undelivered.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Prevents undelivered messages",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Devices/IotHubs",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Devices/IotHubs",
+ "severity": "Low",
+ "source": "azure-resources/Devices/iotHubs/recommendations.yaml",
+ "tags": null,
+ "text": "Disabled Fallback Route"
+ },
+ {
+ "aprlGuid": "43663217-a1d3-844b-80ea-571a2ce37c6c",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Enable a secondary region in Cosmos DB for higher SLA without downtime. Simple as pinning a location on a map. For Strong consistency, configure at least three regions for write availability in case of failure.\n",
+ "guid": "ac3cb97d-1d9c-4ab4-ad1c-ae92de33dd43",
+ "learnMoreLink": [
+ {
+ "name": "Distribute data globally with Azure Cosmos DB | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/distribute-data-globally"
+ },
+ {
+ "name": "Tips for building highly available applications | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/high-availability#tips-for-building-highly-available-applications"
+ }
+ ],
+ "longDescription": "Enable a secondary region in Cosmos DB for higher SLA without downtime. Simple as pinning a location on a map. For Strong consistency, configure at least three regions for write availability in case of failure.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances SLA and resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": "b57f7a29-dcc8-43de-86fa-18d3f9d3764d",
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "High",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Configure at least two regions for high availability"
+ },
+ {
+ "aprlGuid": "9cabded7-a1fc-6e4a-944b-d7dd98ea31a2",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Cosmos DB boasts high uptime and resiliency. Even so, issues may arise. With Service-Managed failover, if a region is down, Cosmos DB automatically switches to the next available region, requiring no user action.\n",
+ "guid": "3b1522fb-f7dc-4dad-a134-9c32e88fb4d0",
+ "learnMoreLink": [
+ {
+ "name": "Manage an Azure Cosmos DB account by using the Azure portal | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover"
+ }
+ ],
+ "longDescription": "Cosmos DB boasts high uptime and resiliency. Even so, issues may arise. With Service-Managed failover, if a region is down, Cosmos DB automatically switches to the next available region, requiring no user action.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Auto failover for high uptime",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": "5de9f2e6-087e-40da-863a-34b7943beed4",
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "High",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable service-managed failover for multi-region accounts with single write region"
+ },
+ {
+ "aprlGuid": "9ce78192-74a0-104c-b5bb-9a443f941649",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Multi-region write capability allows for designing applications that are highly available across multiple regions, though it demands careful attention to consistency requirements and conflict resolution. Improper setup may decrease availability and cause data corruption due to unhandled conflicts.\n",
+ "guid": "7ebea239-e281-4d7f-add5-feea9a3074e6",
+ "learnMoreLink": [
+ {
+ "name": "Distribute data globally with Azure Cosmos DB | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/distribute-data-globally"
+ },
+ {
+ "name": "Conflict resolution types and resolution policies in Azure Cosmos DB | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/conflict-resolution-policies"
+ }
+ ],
+ "longDescription": "Multi-region write capability allows for designing applications that are highly available across multiple regions, though it demands careful attention to consistency requirements and conflict resolution. Improper setup may decrease availability and cause data corruption due to unhandled conflicts.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances high availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "High",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Evaluate multi-region write capability"
+ },
+ {
+ "aprlGuid": "e544520b-8505-7841-9e77-1f1974ee86ec",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Cosmos DB's backup is always on, offering protection against data mishaps. Continuous mode allows for self-serve restoration to a pre-mishap point, unlike periodic mode which requires contacting Microsoft support, leading to longer restore times.\n",
+ "guid": "b6bf483f-f1dd-42fa-9630-4cc4ebbd46b6",
+ "learnMoreLink": [
+ {
+ "name": "Continuous backup with point in time restore feature in Azure Cosmos DB | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction"
+ }
+ ],
+ "longDescription": "Cosmos DB's backup is always on, offering protection against data mishaps. Continuous mode allows for self-serve restoration to a pre-mishap point, unlike periodic mode which requires contacting Microsoft support, leading to longer restore times.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Faster self-serve data restore",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": "52fef986-5897-4359-8b92-0f22749f0d73",
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "High",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Configure continuous backup mode"
+ },
+ {
+ "aprlGuid": "c006604a-0d29-684c-99f0-9729cb40dac5",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Cosmos DB has a 4 MB response limit, leading to paginated results for large or partition-spanning queries. Each page shows availability and provides a continuation token for the next. A while loop in code is necessary to traverse all pages until completion.\n",
+ "guid": "e6d29a59-fdc4-418e-bc46-3edf36c55e8b",
+ "learnMoreLink": [
+ {
+ "name": "Pagination in Azure Cosmos DB | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/nosql/query/pagination#handling-multiple-pages-of-results"
+ }
+ ],
+ "longDescription": "Cosmos DB has a 4 MB response limit, leading to paginated results for large or partition-spanning queries. Each page shows availability and provides a continuation token for the next. A while loop in code is necessary to traverse all pages until completion.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Maximizes data retrieval efficiency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "High",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure query results are fully drained"
+ },
+ {
+ "aprlGuid": "7eb32cf9-9a42-1540-acf8-597cbba8a418",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Using a single instance of the SDK client for each account and application is crucial as connections are tied to the client. Compute environments have a limit on open connections, affecting connectivity when exceeded.\n",
+ "guid": "3dcc75f1-25e7-4c5b-be48-69337cf4230c",
+ "learnMoreLink": [
+ {
+ "name": "Designing resilient applications with Azure Cosmos DB SDKs | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/nosql/conceptual-resilient-sdk-applications"
+ }
+ ],
+ "longDescription": "Using a single instance of the SDK client for each account and application is crucial as connections are tied to the client. Compute environments have a limit on open connections, affecting connectivity when exceeded.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimizes connections and efficiency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Maintain singleton pattern in your client"
+ },
+ {
+ "aprlGuid": "fa6ac22f-0584-bb4b-80e4-80f4755d1a97",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Cosmos DB SDKs automatically manage many transient errors through retries. Despite this, it's crucial for applications to implement additional retry policies targeting specific cases that the SDKs can't generically address, ensuring more robust error handling.\n",
+ "guid": "b90f9b3f-9838-4ef8-bcdc-5ff265c2744a",
+ "learnMoreLink": [
+ {
+ "name": "Designing resilient applications with Azure Cosmos DB SDKs | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/nosql/conceptual-resilient-sdk-applications"
+ }
+ ],
+ "longDescription": "Cosmos DB SDKs automatically manage many transient errors through retries. Despite this, it's crucial for applications to implement additional retry policies targeting specific cases that the SDKs can't generically address, ensuring more robust error handling.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances error handling resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Implement retry logic in your client"
+ },
+ {
+ "aprlGuid": "deaea200-013c-414b-ac9f-bfa7a7fb13f0",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Monitoring the availability and responsiveness of Azure Cosmos DB resources and having alerts set up for your workload is a good practice. This ensures you stay proactive in handling unforeseen events.\n",
+ "guid": "9d89ece2-c55a-4d92-ae10-608a51cebd99",
+ "learnMoreLink": [
+ {
+ "name": "Create alerts for Azure Cosmos DB using Azure Monitor | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/cosmos-db/create-alerts"
+ }
+ ],
+ "longDescription": "Monitoring the availability and responsiveness of Azure Cosmos DB resources and having alerts set up for your workload is a good practice. This ensures you stay proactive in handling unforeseen events.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Proactive issue management",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.DocumentDB/databaseAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.DocumentDB/databaseAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/DocumentDB/databaseAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Cosmos DB health and set up alerts"
+ },
+ {
+ "aprlGuid": "54c3191b-b535-1946-bba9-b754f44060f6",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Enabling diagnostic settings on Azure Event Grid resources like custom topics, system topics, and domains lets you capture and view diagnostic information to troubleshoot failures effectively.\n",
+ "guid": "69f7f32b-81da-4632-bfff-f54d20cda176",
+ "learnMoreLink": [
+ {
+ "name": "Azure Event Grid - Enable diagnostic logs for Event Grid resources",
+ "url": "https://learn.microsoft.com/en-us/azure/event-grid/enable-diagnostic-logs-topic"
+ }
+ ],
+ "longDescription": "Enabling diagnostic settings on Azure Event Grid resources like custom topics, system topics, and domains lets you capture and view diagnostic information to troubleshoot failures effectively.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced troubleshooting for Event Grid",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.EventGrid/topics",
+ "recommendationTypeId": null,
+ "service": "Microsoft.EventGrid/topics",
+ "severity": "Low",
+ "source": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Diagnostic Settings for all Azure Event Grid resources"
+ },
+ {
+ "aprlGuid": "92162eb5-4323-3145-8a6c-525ce2f0700e",
+ "automationAvailable": false,
+ "category": "Personalized",
+ "description": "Event Grid may not deliver an event within a specific time or after several attempts, leading to dead-lettering where undelivered events are sent to a storage account.\n",
+ "guid": "d5b8a762-01b2-4663-8e45-38b6d4a181ec",
+ "learnMoreLink": [
+ {
+ "name": "Azure Event Grid delivery and retry",
+ "url": "https://learn.microsoft.com/en-us/azure/event-grid/delivery-and-retry#dead-letter-events"
+ }
+ ],
+ "longDescription": "Event Grid may not deliver an event within a specific time or after several attempts, leading to dead-lettering where undelivered events are sent to a storage account.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Saves undelivered events",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Personalized",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.EventGrid/topics",
+ "recommendationTypeId": null,
+ "service": "Microsoft.EventGrid/topics",
+ "severity": "Low",
+ "source": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Dead-letter to save events that cannot be delivered"
+ },
+ {
+ "aprlGuid": "b2069f64-4741-3d4a-a71d-50c8b03f5ab7",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Use private endpoints for secure event ingress to custom topics/domains via a private link, avoiding the public internet. It employs an IP from the VNet space for your topic/domain.\n",
+ "guid": "fc8a5b90-7f31-430a-92e9-5ada57c86aab",
+ "learnMoreLink": [
+ {
+ "name": "Configure private endpoints for Azure Event Grid topics or domains",
+ "url": "https://learn.microsoft.com/en-us/azure/event-grid/configure-private-endpoints"
+ }
+ ],
+ "longDescription": "Use private endpoints for secure event ingress to custom topics/domains via a private link, avoiding the public internet. It employs an IP from the VNet space for your topic/domain.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Secure, private VNet ingress",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.EventGrid/topics",
+ "recommendationTypeId": "bdac9c7b-b9b8-f572-0450-f161c430861c",
+ "service": "Microsoft.EventGrid/topics",
+ "severity": "Medium",
+ "source": "azure-resources/EventGrid/topics/recommendations.yaml",
+ "tags": null,
+ "text": "Azure Event Grid topics should use Private Link Private Endpoints"
+ },
+ {
+ "aprlGuid": "84636c6c-b317-4722-b603-7b1ffc16384b",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "When you use the Azure portal, zone redundancy via support for availability zones is automatically enabled. Avoid disabling this capability to continue replicating metadata and data (events) across data centers in an availability zone.\n",
+ "guid": "0c2360ed-e8e8-48b7-8691-1863d598461b",
+ "learnMoreLink": [
+ {
+ "name": "Azure Event Hubs - Geo-disaster recovery",
+ "url": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal#availability-zones"
+ }
+ ],
+ "longDescription": "When you use the Azure portal, zone redundancy via support for availability zones is automatically enabled. Avoid disabling this capability to continue replicating metadata and data (events) across data centers in an availability zone.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced fault tolerance for Event Hub",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Disabled",
+ "recommendationResourceType": "Microsoft.EventHub/namespaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.EventHub/namespaces",
+ "severity": "High",
+ "source": "azure-resources/EventHub/namespaces/recommendations.yaml",
+ "tags": null,
+ "text": "Don't disable zone redundancy"
+ },
+ {
+ "aprlGuid": "fbfef3df-04a5-41b2-a8fd-b8541eb04956",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Enable auto-inflate on Event Hub Standard tier namespaces to automatically scale up TUs, meeting usage needs and preventing data ingress or egress throttle scenarios by adjusting to allowed rates.\n",
+ "guid": "ea89e930-1e3f-4fca-9769-9dff3e0d08f0",
+ "learnMoreLink": [
+ {
+ "name": "Azure Event Hubs - Automatically scale throughput units",
+ "url": "https://learn.microsoft.com/azure/event-hubs/event-hubs-auto-inflate"
+ }
+ ],
+ "longDescription": "Enable auto-inflate on Event Hub Standard tier namespaces to automatically scale up TUs, meeting usage needs and preventing data ingress or egress throttle scenarios by adjusting to allowed rates.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Prevents throttling by autoscaling TUs",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.EventHub/namespaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.EventHub/namespaces",
+ "severity": "High",
+ "source": "azure-resources/EventHub/namespaces/recommendations.yaml",
+ "tags": null,
+ "text": "Enable auto-inflate on Event Hub Standard tier"
+ },
+ {
+ "aprlGuid": "be448849-0d7d-49ba-9c94-9573ee533d5d",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Configure Resource Health Alerts for all applicable resources to stay informed about the current and historical health status of your Azure resources. They notify you when these resources have a change in their health status.\n",
+ "guid": "f5ff95b5-cc25-4644-813e-91a080d2502e",
+ "learnMoreLink": [
+ {
+ "name": "Resource Health",
+ "url": "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview"
+ },
+ {
+ "name": "Configure Resource Health alerts in the Azure portal",
+ "url": "https://learn.microsoft.com/en-us/azure/service-health/resource-health-alert-monitor-guide#create-a-resource-health-alert-rule-in-the-azure-portal"
+ },
+ {
+ "name": "Alerts Health",
+ "url": "https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal"
+ }
+ ],
+ "longDescription": "Configure Resource Health Alerts for all applicable resources to stay informed about the current and historical health status of your Azure resources. They notify you when these resources have a change in their health status.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Stay informed on resource status",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Insights/activityLogAlerts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Insights/activityLogAlerts",
+ "severity": "Low",
+ "source": "azure-resources/Insights/activityLogAlerts/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Resource Health Alerts"
+ },
+ {
+ "aprlGuid": "9729c89d-8118-41b4-a39b-e12468fa872b",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Service health gives a personalized health view of Azure services and regions used, offering the best place for notifications on outages, planned maintenance, and health advisories by knowing the services used.\n",
+ "guid": "672b162a-da97-4232-acb4-90d05e715a60",
+ "learnMoreLink": [
+ {
+ "name": "What is Azure Service Health?",
+ "url": "https://learn.microsoft.com/azure/service-health/overview"
+ },
+ {
+ "name": "Configure alerts for service health events",
+ "url": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal"
+ }
+ ],
+ "longDescription": "Service health gives a personalized health view of Azure services and regions used, offering the best place for notifications on outages, planned maintenance, and health advisories by knowing the services used.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Proactive outage and maintenance alerts",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Insights/activityLogAlerts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Insights/activityLogAlerts",
+ "severity": "High",
+ "source": "azure-resources/Insights/activityLogAlerts/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Service Health Alerts"
+ },
+ {
+ "aprlGuid": "dac421ec-2832-4c37-839e-b6dc5a38f2fa",
+ "automationAvailable": "arg",
+ "category": "Service Upgrade and Retirement",
+ "description": "Classic Application Insights retires in February 2024. To minimize disruption to existing application monitoring scenarios, transition to workspace-based Application Insights before 29 February 2024.\n",
+ "guid": "86c1f127-c8ab-4014-802a-d74d29876076",
+ "learnMoreLink": [
+ {
+ "name": "Migrate an Application Insights classic resource to a workspace-based resource",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/convert-classic-resource"
+ }
+ ],
+ "longDescription": "Classic Application Insights retires in February 2024. To minimize disruption to existing application monitoring scenarios, transition to workspace-based Application Insights before 29 February 2024.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Avoid service disruption post-Feb 2024",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Service Upgrade and Retirement",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Insights/components",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Insights/components",
+ "severity": "Medium",
+ "source": "azure-resources/Insights/components/recommendations.yaml",
+ "tags": null,
+ "text": "Convert Classic Deployments"
+ },
+ {
+ "aprlGuid": "1cca00d2-d9ab-8e42-a788-5d40f49405cb",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Key Vault's soft-delete feature enables recovery of deleted vaults and objects like keys, secrets, and certificates. When enabled, marked resources are retained for 90 days, allowing for their recovery, essentially undoing deletion.\n",
+ "guid": "5867ae54-9c62-4d08-ae37-83c20f091ecc",
+ "learnMoreLink": [
+ {
+ "name": "Azure Key Vault soft-delete overview",
+ "url": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview"
+ }
+ ],
+ "longDescription": "Key Vault's soft-delete feature enables recovery of deleted vaults and objects like keys, secrets, and certificates. When enabled, marked resources are retained for 90 days, allowing for their recovery, essentially undoing deletion.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enables recovery of deleted items",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.KeyVault/vaults",
+ "recommendationTypeId": "78211c00-15a9-336e-17c4-0b48613dadf4",
+ "service": "Microsoft.KeyVault/vaults",
+ "severity": "High",
+ "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Key vaults should have soft delete enabled"
+ },
+ {
+ "aprlGuid": "70fcfe6d-00e9-5544-a63a-fff42b9f2edb",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Purge protection secures against malicious deletions by enforcing a retention period for soft deleted key vaults, ensuring no one, not even insiders or Microsoft, can purge your key vaults during this period, preventing permanent data loss.\n",
+ "guid": "1fd93ee3-7d27-4cf5-94a1-5d54e2f3eac3",
+ "learnMoreLink": [
+ {
+ "name": "Azure Key Vault purge-protection overview",
+ "url": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection"
+ }
+ ],
+ "longDescription": "Purge protection secures against malicious deletions by enforcing a retention period for soft deleted key vaults, ensuring no one, not even insiders or Microsoft, can purge your key vaults during this period, preventing permanent data loss.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Protects from insider attacks, avoids data loss",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.KeyVault/vaults",
+ "recommendationTypeId": "4ed62ae4-5072-f9e7-8d94-51c76c48159a",
+ "service": "Microsoft.KeyVault/vaults",
+ "severity": "Medium",
+ "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Key vaults should have purge protection enabled"
+ },
+ {
+ "aprlGuid": "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Azure Private Link Service lets you securely and privately connect to Azure Key Vault via a Private Endpoint in your VNet, using a private IP and eliminating public Internet exposure.\n",
+ "guid": "89c342de-224d-40fe-80d1-054057309397",
+ "learnMoreLink": [
+ {
+ "name": "Azure Key Vault Private Link Service overview",
+ "url": "https://learn.microsoft.com/azure/key-vault/general/security-features#network-security"
+ }
+ ],
+ "longDescription": "Azure Private Link Service lets you securely and privately connect to Azure Key Vault via a Private Endpoint in your VNet, using a private IP and eliminating public Internet exposure.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Secure Key Vault with Private Link",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.KeyVault/vaults",
+ "recommendationTypeId": "2e96bc2f-1972-e471-9e70-ae58d41e9d2a",
+ "service": "Microsoft.KeyVault/vaults",
+ "severity": "Medium",
+ "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Private endpoint should be configured for Key Vault"
+ },
+ {
+ "aprlGuid": "e7091145-3642-bd41-bb58-66502e64d2cd",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Key vaults are security boundaries for secret storage. Grouping secrets together increases risk during a security event, as attacks could access multiple secrets.\n",
+ "guid": "bae3e3a8-6b0f-4047-a6d6-cc4463573141",
+ "learnMoreLink": [
+ {
+ "name": "Azure Key Vault best practices overview",
+ "url": "https://learn.microsoft.com/azure/key-vault/general/best-practices#why-we-recommend-separate-key-vaults"
+ }
+ ],
+ "longDescription": "Key vaults are security boundaries for secret storage. Grouping secrets together increases risk during a security event, as attacks could access multiple secrets.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced security, Reduced risk",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.KeyVault/vaults",
+ "recommendationTypeId": null,
+ "service": "Microsoft.KeyVault/vaults",
+ "severity": "High",
+ "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Use separate key vaults per application per environment"
+ },
+ {
+ "aprlGuid": "1dc0821d-4f14-7644-bab4-ba208ff5f7fa",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Enable logs, set up alerts, and adhere to retention requirements for improved monitoring and security of Key Vault access, detailing the frequency and identity of users.\n",
+ "guid": "9caaa8b4-1692-424b-85c8-d67344e7bb20",
+ "learnMoreLink": [
+ {
+ "name": "Azure Key Vault logging overview",
+ "url": "https://learn.microsoft.com/azure/key-vault/general/logging?tabs=Vault"
+ }
+ ],
+ "longDescription": "Enable logs, set up alerts, and adhere to retention requirements for improved monitoring and security of Key Vault access, detailing the frequency and identity of users.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced monitoring and security compliance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.KeyVault/vaults",
+ "recommendationTypeId": "88bbc99c-e5af-ddd7-6105-6150b2bfa519",
+ "service": "Microsoft.KeyVault/vaults",
+ "severity": "Low",
+ "source": "azure-resources/KeyVault/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Diagnostic logs in Key Vault should be enabled"
+ },
+ {
+ "aprlGuid": "af426a99-62a6-6b4c-9662-42d220b413b8",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Service levels, part of capacity pool attributes, determine the maximum throughput per volume quota in Azure NetApp Files. It combines read and write speed, offering three levels: Standard (16 MiB/s per 1TiB), Premium (64 MiB/s per 1TiB), and Ultra (128 MiB/s per 1TiB) throughput.\n",
+ "guid": "9a1490f9-8257-4cae-b057-1c3f0f12cf57",
+ "learnMoreLink": [
+ {
+ "name": "Service levels for Azure NetApp Files | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels"
+ }
+ ],
+ "longDescription": "Service levels, part of capacity pool attributes, determine the maximum throughput per volume quota in Azure NetApp Files. It combines read and write speed, offering three levels: Standard (16 MiB/s per 1TiB), Premium (64 MiB/s per 1TiB), and Ultra (128 MiB/s per 1TiB) throughput.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimized performance and cost efficiency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Use the correct service level and volume quota size for the expected performance level"
+ },
+ {
+ "aprlGuid": "ab984130-c57b-6c4a-8d04-6723b4e1bdb6",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Standard network feature in Azure NetApp Files enhances IP limits and VNet capabilities, including network security groups, user-defined routes on subnets, and diverse connectivity options.\n",
+ "guid": "af3e4d7e-161c-44ef-8a06-9800368056f2",
+ "learnMoreLink": [
+ {
+ "name": "Guidelines for Azure NetApp Files network planning | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies"
+ }
+ ],
+ "longDescription": "Standard network feature in Azure NetApp Files enhances IP limits and VNet capabilities, including network security groups, user-defined routes on subnets, and diverse connectivity options.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced connectivity and security",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Use standard network features for production in Azure NetApp Files"
+ },
+ {
+ "aprlGuid": "47d100a5-7f85-5742-967a-67eb5081240a",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Availability zones are distinct locations within an Azure region to withstand local failures. Deploy your workload in multiple availability zones and use application-based replication or Azure NetApp Files cross-zone replication to achieve high availability. Note that failover is a manual process.\n",
+ "guid": "7a2881bd-1a59-49c0-ae6c-51be773fc6ff",
+ "learnMoreLink": [
+ {
+ "name": "Use availability zones for high availability in Azure NetApp Files | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/use-availability-zones"
+ }
+ ],
+ "longDescription": "Availability zones are distinct locations within an Azure region to withstand local failures. Deploy your workload in multiple availability zones and use application-based replication or Azure NetApp Files cross-zone replication to achieve high availability. Note that failover is a manual process.\n",
+ "pgVerified": true,
+ "potentialBenefits": "High Availability across availability zones",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Use availability zones for high availability in Azure NetApp Files"
+ },
+ {
+ "aprlGuid": "8bb690e8-64d5-4838-8703-9ee3dbac688f",
+ "automationAvailable": false,
+ "category": "Other Best Practices",
+ "description": "Azure NetApp Files' availability zone (AZ) volume placement feature lets you deploy volumes in the same AZ with Azure compute and other services to have within AZ latency and share the same AZ failure domain.\n",
+ "guid": "84100b4d-5d4f-48d5-8a35-b894b5b5146d",
+ "learnMoreLink": [
+ {
+ "name": "Manage availability zone volume placement for Azure NetApp Files | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement"
+ }
+ ],
+ "longDescription": "Azure NetApp Files' availability zone (AZ) volume placement feature lets you deploy volumes in the same AZ with Azure compute and other services to have within AZ latency and share the same AZ failure domain.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Within AZ latency and tolerate failure of other AZ",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy ANF volumes in the same availability zone with Azure compute and other services"
+ },
+ {
+ "aprlGuid": "72827434-c773-4345-9493-34848ddf5803",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure NetApp Files snapshot technology ensures stability, scalability, and swift data recoverability without affecting performance. It supports automatic snapshot creation via policies for Azure NetApp Files data.\n",
+ "guid": "bb19e67f-0473-4c51-835c-f5bb86937cc5",
+ "learnMoreLink": [
+ {
+ "name": "How Azure NetApp Files snapshots work | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/snapshots-introduction"
+ }
+ ],
+ "longDescription": "Azure NetApp Files snapshot technology ensures stability, scalability, and swift data recoverability without affecting performance. It supports automatic snapshot creation via policies for Azure NetApp Files data.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Stable, scalable, swift recovery, no perf impact",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Use snapshots for data protection in Azure NetApp Files"
+ },
+ {
+ "aprlGuid": "b2fb3e60-97ec-e34d-af29-b16a0d61c2ac",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Azure NetApp Files offers a fully managed backup solution enhancing long-term recovery, archiving, and compliance.\n",
+ "guid": "a695c28c-a2ba-49b5-8fe4-d227d84e3558",
+ "learnMoreLink": [
+ {
+ "name": "Understand Azure NetApp Files backup | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/backup-introduction"
+ }
+ ],
+ "longDescription": "Azure NetApp Files offers a fully managed backup solution enhancing long-term recovery, archiving, and compliance.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances data recovery and compliance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable backup for data protection in Azure NetApp Files"
+ },
+ {
+ "aprlGuid": "e30317d2-c502-4dfe-a2d3-0a737cc79545",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Azure NetApp Files replication offers data protection by allowing asynchronous cross-region volume replication for application failover in case of regional outages. Volumes can be replicated across regions, not concurrently with cross-zone replication. Note that failover is a manual process.\n",
+ "guid": "fac3bb78-7f08-422a-b254-6da5876c275e",
+ "learnMoreLink": [
+ {
+ "name": "Cross-region replication of Azure NetApp Files volumes",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-introduction"
+ }
+ ],
+ "longDescription": "Azure NetApp Files replication offers data protection by allowing asynchronous cross-region volume replication for application failover in case of regional outages. Volumes can be replicated across regions, not concurrently with cross-zone replication. Note that failover is a manual process.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced data protection and disaster recovery",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Cross-region replication of Azure NetApp Files volumes"
+ },
+ {
+ "aprlGuid": "e3d742e1-dacd-9b48-b6b1-510ec9f87c96",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "The cross-zone replication (CZR) feature enables asynchronous data replication between Azure NetApp Files volumes across different availability zones, ensuring data protection and critical application failover in case of zone-wide disasters. Note that failover is a manual process.\n",
+ "guid": "06975c3c-10d5-4faf-87cb-42d54f2201db",
+ "learnMoreLink": [
+ {
+ "name": "Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/cross-zone-replication-introduction"
+ }
+ ],
+ "longDescription": "The cross-zone replication (CZR) feature enables asynchronous data replication between Azure NetApp Files volumes across different availability zones, ensuring data protection and critical application failover in case of zone-wide disasters. Note that failover is a manual process.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances disaster recovery across availability zones",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Cross-zone replication of Azure NetApp Files volumes"
+ },
+ {
+ "aprlGuid": "2f579fc9-e599-0d44-8b97-254f50ae04d8",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Azure NetApp Files offers metrics like allocated storage, actual usage, volume IOPS, and latency, enabling a better understanding of usage patterns and volume performance for NetApp accounts.\n",
+ "guid": "3bead3c9-3e3c-4c34-8ed2-987b6a15340f",
+ "learnMoreLink": [
+ {
+ "name": "Ways to monitor Azure NetApp Files | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/monitor-azure-netapp-files"
+ }
+ ],
+ "longDescription": "Azure NetApp Files offers metrics like allocated storage, actual usage, volume IOPS, and latency, enabling a better understanding of usage patterns and volume performance for NetApp accounts.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimize usage and performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Azure NetApp Files metrics to better understand usage pattern and performance"
+ },
+ {
+ "aprlGuid": "687ae58f-517f-ca43-90fe-922497e61283",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Azure NetApp Files supports Azure policy integration using either built-in policy definitions or by creating custom ones to maintain organizational standards and compliance.\n",
+ "guid": "81fafd4c-aa43-4394-ae33-09460d9fb08a",
+ "learnMoreLink": [
+ {
+ "name": "Azure Policy definitions for Azure NetApp Files | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/azure-policy-definitions"
+ },
+ {
+ "name": "Creating custom policy definitions | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/governance/policy/tutorials/create-custom-policy-definition"
+ }
+ ],
+ "longDescription": "Azure NetApp Files supports Azure policy integration using either built-in policy definitions or by creating custom ones to maintain organizational standards and compliance.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enforce standards and assess compliance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enforce standards and assess compliance in Azure NetApp Files with Azure policy"
+ },
+ {
+ "aprlGuid": "cfa2244b-5436-47de-8287-b217875d3b0a",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Access to the delegated subnet should be limited to specific Azure Virtual Networks. SMB-enabled volumes' share permissions should move away from 'Everyone/Full control'. NFS-enabled volumes' access needs to be controlled via export policies and/or NFSv4.1 ACLs.\n",
+ "guid": "a7780c71-0322-4682-8e7f-39d9115e5cb0",
+ "learnMoreLink": [
+ {
+ "name": "Configure network features for an Azure NetApp Files volume",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/configure-network-features"
+ },
+ {
+ "name": "Manage SMB share ACLs in Azure NetApp Files",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/manage-smb-share-access-control-lists"
+ },
+ {
+ "name": "Configure export policy for NFS or dual-protocol volumes",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-configure-export-policy"
+ },
+ {
+ "name": "Configure access control lists on NFSv4.1 volumes for Azure NetApp Files",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/configure-access-control-lists"
+ },
+ {
+ "name": "Configure Unix permissions and change ownership mode for NFS and dual-protocol volumes",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/configure-unix-permissions-change-ownership-mode"
+ }
+ ],
+ "longDescription": "Access to the delegated subnet should be limited to specific Azure Virtual Networks. SMB-enabled volumes' share permissions should move away from 'Everyone/Full control'. NFS-enabled volumes' access needs to be controlled via export policies and/or NFSv4.1 ACLs.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security, Reduced data breach risk",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Restrict default access to Azure NetApp Files volumes"
+ },
+ {
+ "aprlGuid": "d1e7ccc3-e6c1-40e9-a36e-fd134711c808",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Certain SMB applications need SMB Transparent Failover for maintenance without interrupting server connectivity. Azure NetApp Files provides this through SMB Continuous Availability for applications like Citrix App Layering, FSLogix user/profile containers, Microsoft SQL Server, MSIX app attach.\n",
+ "guid": "a63e4474-10ad-4bce-8a33-d7c2347cc559",
+ "learnMoreLink": [
+ {
+ "name": "Do I need to take special precautions for SMB-based applications? | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#do-i-need-to-take-special-precautions-for-smb-based-applications"
+ }
+ ],
+ "longDescription": "Certain SMB applications need SMB Transparent Failover for maintenance without interrupting server connectivity. Azure NetApp Files provides this through SMB Continuous Availability for applications like Citrix App Layering, FSLogix user/profile containers, Microsoft SQL Server, MSIX app attach.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Zero downtime for SMB apps",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": "e4bebd74-387a-4a74-b757-475d2d1b4e3e",
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "High",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Make use of SMB continuous availability for supported applications"
+ },
+ {
+ "aprlGuid": "60f36f9b-fac9-4160-bbf5-57af04da4f53",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Azure NetApp Files might undergo occasional planned maintenance such as platform updates or service and software upgrades. It's important to be aware of the application's resiliency settings to cope with these storage service maintenance events.\n",
+ "guid": "18fa7ffb-ce4c-4e51-a7f3-5ee14e427a30",
+ "learnMoreLink": [
+ {
+ "name": "What do you recommend for handling potential application disruptions due to storage service maintenance events? | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#what-do-you-recommend-for-handling-potential-application-disruptions-due-to-storage-service-maintenance-events"
+ }
+ ],
+ "longDescription": "Azure NetApp Files might undergo occasional planned maintenance such as platform updates or service and software upgrades. It's important to be aware of the application's resiliency settings to cope with these storage service maintenance events.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Minimizes downtime during maintenance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetApp/netAppAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetApp/netAppAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/NetApp/netAppAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure application resilience for service maintenance events"
+ },
+ {
+ "aprlGuid": "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.\n",
+ "guid": "4348f34d-7e2d-4fff-8a68-e54efe2e0211",
+ "learnMoreLink": [
+ {
+ "name": "Application Gateway Autoscaling Zone-Redundant",
+ "url": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability"
+ }
+ ],
+ "longDescription": "Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances uptime and enables autoscaling",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": "c9c9750b-9ddb-436f-b19a-9c725539a0b5",
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "Medium",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure Autoscale feature has been enabled"
+ },
+ {
+ "aprlGuid": "233a7008-71e9-e745-923e-1a1c7a0b92f3",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers.\n",
+ "guid": "f891d2b9-939a-41f2-9b10-248bec6c5293",
+ "learnMoreLink": [
+ {
+ "name": "Application Gateway Security",
+ "url": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway#security"
+ },
+ {
+ "name": "Application Gateway SSL Overview",
+ "url": "https://learn.microsoft.com/azure/application-gateway/ssl-overview"
+ },
+ {
+ "name": "Application Gateway SSL Policy Overview",
+ "url": "https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview"
+ },
+ {
+ "name": "Application Gateway KeyVault Certs",
+ "url": "https://learn.microsoft.com/azure/application-gateway/key-vault-certs"
+ },
+ {
+ "name": "Application Gateway SSL Cert Management",
+ "url": "https://learn.microsoft.com/azure/application-gateway/ssl-certificate-management"
+ }
+ ],
+ "longDescription": "Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and privacy",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Secure all incoming connections with SSL"
+ },
+ {
+ "aprlGuid": "8d9223c4-730d-ca47-af88-a9a024c37270",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through OWASP core rule sets-based rules.\n",
+ "guid": "9981ffdf-2cd8-4feb-af3e-0912b6cb6a40",
+ "learnMoreLink": [
+ {
+ "name": "Well-Architected Framework Application Gateway Overview",
+ "url": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway"
+ },
+ {
+ "name": "Application Gateway - Web Application Firewall",
+ "url": "https://learn.microsoft.com/azure/application-gateway/features#web-application-firewall"
+ }
+ ],
+ "longDescription": "Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through OWASP core rule sets-based rules.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security for HTTP/S traffic",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": "efe75f01-6fff-5d9d-08e6-092b98d3fb3f",
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "Low",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Web Application Firewall policies"
+ },
+ {
+ "aprlGuid": "7893f0b3-8622-1d47-beed-4b50a19f7895",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Use Application Gateway v2 for built-in features like autoscaling, static VIPs, Azure KeyVault integration for better traffic management and performance, unless v1 is necessary.\n",
+ "guid": "927e547b-965b-4dba-9c96-79a50bb5e852",
+ "learnMoreLink": [
+ {
+ "name": "Application Gateway Overview V2",
+ "url": "https://learn.microsoft.com/azure/application-gateway/overview-v2"
+ },
+ {
+ "name": "Application Gateway Feature Comparison Between V1 and V2",
+ "url": "https://learn.microsoft.com/azure/application-gateway/overview-v2#feature-comparison-between-v1-sku-and-v2-sku"
+ },
+ {
+ "name": "Application Gateway V1 Retirement",
+ "url": "https://azure.microsoft.com/updates/application-gateway-v1-will-be-retired-on-28-april-2026-transition-to-application-gateway-v2/"
+ }
+ ],
+ "longDescription": "Use Application Gateway v2 for built-in features like autoscaling, static VIPs, Azure KeyVault integration for better traffic management and performance, unless v1 is necessary.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Better performance, autoscaling, more features",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": "0e19257e-dcef-4d00-8de1-5fe1ae0fd948",
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Migrate to Application Gateway v2"
+ },
+ {
+ "aprlGuid": "5d035919-898d-a047-8d5d-454e199692e5",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Enable logging in storage accounts, Log Analytics, and monitoring services for auditing and insights. If using NSGs, enable NSG flow logs to be stored, providing in-depth traffic analysis into Azure Cloud.\n",
+ "guid": "3cdf3561-e1c3-4d63-98a9-7c2d76b74350",
+ "learnMoreLink": [
+ {
+ "name": "Application Gateway Metrics",
+ "url": "https://learn.microsoft.com/azure/application-gateway/application-gateway-metrics"
+ },
+ {
+ "name": "Application Gateway Diagnostics",
+ "url": "https://learn.microsoft.com/azure/application-gateway/application-gateway-diagnostics"
+ }
+ ],
+ "longDescription": "Enable logging in storage accounts, Log Analytics, and monitoring services for auditing and insights. If using NSGs, enable NSG flow logs to be stored, providing in-depth traffic analysis into Azure Cloud.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced traffic insight and audit",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor and Log the configurations and traffic"
+ },
+ {
+ "aprlGuid": "847a8d88-21c4-bc48-a94e-562206edd767",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Using custom health probes enhances understanding of backend availability and facilitates monitoring of backend services for any impact.\n",
+ "guid": "ba7b82c1-c69f-4d33-83c1-e22d3028cf02",
+ "learnMoreLink": [
+ {
+ "name": "Application Gateway Probe Overview",
+ "url": "https://learn.microsoft.com/azure/application-gateway/application-gateway-probe-overview"
+ },
+ {
+ "name": "Well-Architected Framework Application Gateway Overview",
+ "url": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway"
+ }
+ ],
+ "longDescription": "Using custom health probes enhances understanding of backend availability and facilitates monitoring of backend services for any impact.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures backend uptime monitoring.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Use Health Probes to detect backend availability"
+ },
+ {
+ "aprlGuid": "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Deploying Application Gateway in a zone-aware configuration ensures continued customer access to services even if a specific zone goes down, as services in other zones remain available.\n",
+ "guid": "fc415308-acbe-4527-9110-e0de208bc0b6",
+ "learnMoreLink": [
+ {
+ "name": "Well-Architected Framework Application Gateway Reliability",
+ "url": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway#reliability"
+ },
+ {
+ "name": "Application Gateway V2 Overview",
+ "url": "https://learn.microsoft.com/azure/application-gateway/overview-v2"
+ }
+ ],
+ "longDescription": "Deploying Application Gateway in a zone-aware configuration ensures continued customer access to services even if a specific zone goes down, as services in other zones remain available.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced uptime and customer access",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": "5c488377-be3e-4365-92e8-09d1e8d9038c",
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy Application Gateway in a zone-redundant configuration"
+ },
+ {
+ "aprlGuid": "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Using connection draining for backend maintenance ensures graceful removal of backend pool members during updates or health issues. It's enabled via Backend Setting and applies to all members during rule creation.\n",
+ "guid": "58f0a951-d7c6-4413-969b-1eae378e6842",
+ "learnMoreLink": [
+ {
+ "name": "Application Gateway Connection Draining",
+ "url": "https://learn.microsoft.com/azure/application-gateway/features#connection-draining"
+ },
+ {
+ "name": "Application Gateway Connection Draining HTTP Settings",
+ "url": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings#connection-draining"
+ }
+ ],
+ "longDescription": "Using connection draining for backend maintenance ensures graceful removal of backend pool members during updates or health issues. It's enabled via Backend Setting and applies to all members during rule creation.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Smooth updates, no dropped users",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "Medium",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Plan for backend maintenance by using connection draining"
+ },
+ {
+ "aprlGuid": "8364fd0a-7c0e-e240-9d95-4bf965aec243",
+ "automationAvailable": "arg",
+ "category": "Other Best Practices",
+ "description": "Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. A /24 subnet isn't mandatory for deployment but is advised to provide enough space for autoscaling and maintenance upgrades.\n",
+ "guid": "9e54a4cd-9dfd-4200-aeec-39c290946878",
+ "learnMoreLink": [
+ {
+ "name": "Azure Application Gateway infrastructure configuration | Microsoft Learn",
+ "url": "https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#size-of-the-subnet"
+ }
+ ],
+ "longDescription": "Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. A /24 subnet isn't mandatory for deployment but is advised to provide enough space for autoscaling and maintenance upgrades.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Allows autoscaling and maintenance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/applicationGateways",
+ "recommendationTypeId": "ef4da732-f541-4109-bc0e-465c68b6c7eb",
+ "service": "Microsoft.Network/applicationGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/applicationGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure Application Gateway Subnet is using a /24 subnet mask"
+ },
+ {
+ "aprlGuid": "c72b7fee-1fa0-5b4b-98e5-54bcae95bb74",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.\n",
+ "guid": "d5134604-9b26-4649-8872-123b1e72d169",
+ "learnMoreLink": [
+ {
+ "name": "Azure Well Architected Framework - Azure Firewall",
+ "url": "https://learn.microsoft.com/azure/architecture/framework/services/networking/azure-firewall"
+ },
+ {
+ "name": "Deploy Azure Firewall across multiple availability zones",
+ "url": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell"
+ }
+ ],
+ "longDescription": "Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced SLA and reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/azureFirewalls",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/azureFirewalls",
+ "severity": "High",
+ "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy Azure Firewall across multiple availability zones"
+ },
+ {
+ "aprlGuid": "3c8fa7c6-6b78-a24a-a63f-348a7c71acb9",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks.\n",
+ "guid": "5598936b-9997-468f-8448-b00ecc762528",
+ "learnMoreLink": [
+ {
+ "name": "Azure Firewall metrics supported in Azure Monitor",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/essentials/metrics-supported#microsoftnetworkazurefirewalls"
+ },
+ {
+ "name": "Azure Firewall performance",
+ "url": "https://learn.microsoft.com/azure/firewall/firewall-performance"
+ }
+ ],
+ "longDescription": "Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improve health and performance monitoring",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/azureFirewalls",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/azureFirewalls",
+ "severity": "High",
+ "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Azure Firewall metrics"
+ },
+ {
+ "aprlGuid": "1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans.\n",
+ "guid": "44c6f9d3-0453-4a0d-b05c-ddb78b541053",
+ "learnMoreLink": [
+ {
+ "name": "Azure DDoS Protection overview",
+ "url": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
+ }
+ ],
+ "longDescription": "Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced DDoS attack defense",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/azureFirewalls",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/azureFirewalls",
+ "severity": "High",
+ "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "tags": null,
+ "text": "Configure DDoS Protection on the Azure Firewall VNet"
+ },
+ {
+ "aprlGuid": "3a63560a-1ed3-6140-acd1-d1d23f9a2e12",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Azure Firewall policy supports rule hierarchies for compliance enforcement, using a central base policy with higher priority over child policies, and employs Azure custom roles to safeguard base policy and manage access within subscriptions or groups.\n",
+ "guid": "29b4de32-0e78-488a-9be3-7d9f1e65b71a",
+ "learnMoreLink": [
+ {
+ "name": "Azure Firewall Policy hierarchy",
+ "url": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy"
+ }
+ ],
+ "longDescription": "Azure Firewall policy supports rule hierarchies for compliance enforcement, using a central base policy with higher priority over child policies, and employs Azure custom roles to safeguard base policy and manage access within subscriptions or groups.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced compliance and rule hierarchy",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/azureFirewalls",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/azureFirewalls",
+ "severity": "Medium",
+ "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "tags": null,
+ "text": "Leverage Azure Firewall policy inheritance model"
+ },
+ {
+ "aprlGuid": "d2e4a38e-2307-4299-a217-4c0cebc9a7f6",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall offers SNAT for all outbound traffic to public IPs, providing 2,496 SNAT ports for each additional PIP.\n",
+ "guid": "8a521d75-4dea-4b15-8af7-315550309978",
+ "learnMoreLink": [
+ {
+ "name": "Azure Well-Architected Framework review - Azure Firewall",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall#recommendations"
+ }
+ ],
+ "longDescription": "Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall offers SNAT for all outbound traffic to public IPs, providing 2,496 SNAT ports for each additional PIP.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Avoids SNAT exhaustion.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/azureFirewalls",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/azureFirewalls",
+ "severity": "Medium",
+ "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "tags": null,
+ "text": "Configure 2-4 PIPs for SNAT Port utilization"
+ },
+ {
+ "aprlGuid": "8faace2d-a36e-425c-aa58-2ad99e3e0b7a",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Creating a metric to monitor latency probes over 20ms for periods longer than 30ms helps identify when firewall instance CPUs are stressed, potentially indicating issues.\n",
+ "guid": "12446e14-026b-4f71-ad1f-f527329939e7",
+ "learnMoreLink": [
+ {
+ "name": "Azure Well-Architected Framework review - Azure Firewall",
+ "url": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall#recommendations"
+ },
+ {
+ "name": "Azure Firewall metrics overview",
+ "url": "https://learn.microsoft.com/azure/firewall/metrics"
+ }
+ ],
+ "longDescription": "Creating a metric to monitor latency probes over 20ms for periods longer than 30ms helps identify when firewall instance CPUs are stressed, potentially indicating issues.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Improved CPU stress detection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/azureFirewalls",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/azureFirewalls",
+ "severity": "High",
+ "source": "azure-resources/Network/azureFirewalls/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor \"AZFW Latency Probe\" metric"
+ },
+ {
+ "aprlGuid": "f6a14b32-a727-4ace-b5fa-7b1c6bdff402",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "ExpressRoute gateways facilitate network traffic and route exchanges. FastPath enhances on-premises to virtual network data path performance by directing traffic straight to virtual machines, bypassing the gateway for improved resiliency through reduced gateway utilization.\n",
+ "guid": "975def75-2b02-4748-acb3-cccc71247750",
+ "learnMoreLink": [
+ {
+ "name": "About ExpressRoute FastPath",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/about-fastpath"
+ }
+ ],
+ "longDescription": "ExpressRoute gateways facilitate network traffic and route exchanges. FastPath enhances on-premises to virtual network data path performance by directing traffic straight to virtual machines, bypassing the gateway for improved resiliency through reduced gateway utilization.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances speed and resiliency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/connections",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/connections",
+ "severity": "Medium",
+ "source": "azure-resources/Network/connections/recommendations.yaml",
+ "tags": null,
+ "text": "For better data path performance enable FastPath on ExpressRoute Direct and Gateway"
+ },
+ {
+ "aprlGuid": "a5f3a4bd-4cf1-4196-a3cb-f5a0876198b2",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Configure an Azure Resource lock for Gateway Connection resources to prevent accidental deletion and maintain connectivity between on-premises networks and Azure workloads.\n",
+ "guid": "160af4de-1f2c-490b-b855-db1168e9c2dc",
+ "learnMoreLink": [
+ {
+ "name": "Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json"
+ }
+ ],
+ "longDescription": "Configure an Azure Resource lock for Gateway Connection resources to prevent accidental deletion and maintain connectivity between on-premises networks and Azure workloads.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents accidental deletion of connections",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/connections",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/connections",
+ "severity": "High",
+ "source": "azure-resources/Network/connections/recommendations.yaml",
+ "tags": null,
+ "text": "Configure an Azure Resource Lock on connections to prevent accidental deletion"
+ },
+ {
+ "aprlGuid": "ae054bf2-aefa-cf4a-8282-741194cef8da",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Azure DDoS Plan metrics differentiate packets and bytes by tags: Dropped (packets scrubbed by DDoS), Forwarded (packets to VIP not filtered), and No tag (total packets, sum of dropped and forwarded).\n",
+ "guid": "29b12c87-ff85-477f-b1a3-43079cd769a4",
+ "learnMoreLink": [
+ {
+ "name": "Monitoring Azure DDoS Protection",
+ "url": "https://learn.microsoft.com/en-us/azure/ddos-protection/monitor-ddos-protection-reference"
+ }
+ ],
+ "longDescription": "Azure DDoS Plan metrics differentiate packets and bytes by tags: Dropped (packets scrubbed by DDoS), Forwarded (packets to VIP not filtered), and No tag (total packets, sum of dropped and forwarded).\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and traffic insight",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/ddosProtectionPlans",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/ddosProtectionPlans",
+ "severity": "Medium",
+ "source": "azure-resources/Network/ddosProtectionPlans/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Azure DDoS Protection Plan metrics"
+ },
+ {
+ "aprlGuid": "4d703025-dafc-f840-a183-5dc440456134",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Connecting each ExpressRoute Gateway to a minimum of two circuits in different peering locations enhances redundancy and reliability by ensuring alternate pathways for data in case one circuit fails.\n",
+ "guid": "3dfec663-7220-4a20-b446-db5ac5577a4d",
+ "learnMoreLink": [
+ {
+ "name": "Designing for disaster recovery with ExpressRoute private peering",
+ "url": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering"
+ }
+ ],
+ "longDescription": "Connecting each ExpressRoute Gateway to a minimum of two circuits in different peering locations enhances redundancy and reliability by ensuring alternate pathways for data in case one circuit fails.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability and redundancy",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Connect on-prem networks to Azure critical workloads via multiple ExpressRoutes"
+ },
+ {
+ "aprlGuid": "0e19cc41-8274-1342-b0db-0e4146eacef8",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Microsoft or the ExpressRoute provider always ensures physical redundancy in their services. It's essential to maintain this level of physical redundancy (two devices, two links) from the ExpressRoute peering location to your network for optimal performance and reliability.\n",
+ "guid": "26cf25d1-46f0-4d4f-aebf-0f5a3f61a922",
+ "learnMoreLink": [
+ {
+ "name": "Designing for high availability with ExpressRoute",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/designing-for-high-availability-with-expressroute"
+ },
+ {
+ "name": "Azure Well-Architected Framework review - Azure ExpressRoute - Design Checklist",
+ "url": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-expressroute#recommendations"
+ }
+ ],
+ "longDescription": "Microsoft or the ExpressRoute provider always ensures physical redundancy in their services. It's essential to maintain this level of physical redundancy (two devices, two links) from the ExpressRoute peering location to your network for optimal performance and reliability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability and fault tolerance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure ExpressRoute's physical links connect to distinct network edge devices"
+ },
+ {
+ "aprlGuid": "f06a2bbe-5839-d447-9f39-fc3d20562d88",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Operating both connections of an ExpressRoute circuit in active-active mode enhances high availability as the Microsoft network will load balance the traffic across the connections on a per-flow basis.\n",
+ "guid": "916215e5-8d2e-4c5d-8263-6731adc3ebc3",
+ "learnMoreLink": [
+ {
+ "name": "Designing for high availability with ExpressRoute - Active-active connections",
+ "url": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections"
+ }
+ ],
+ "longDescription": "Operating both connections of an ExpressRoute circuit in active-active mode enhances high availability as the Microsoft network will load balance the traffic across the connections on a per-flow basis.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improved high availability and load balancing",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure both connections of an ExpressRoute circuit are configured in active-active mode"
+ },
+ {
+ "aprlGuid": "2a5bf650-586d-db4c-a292-d922be7d3e0e",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Enabling BFD over ExpressRoute speeds up link failure detection between MSEE devices and routers configured for ExpressRoute (CE/PE), applicable over both customer and Partner Edge routing devices with managed Layer 3 service.\n",
+ "guid": "17768b77-5224-404e-8931-d1c7ce7561fe",
+ "learnMoreLink": [
+ {
+ "name": "Configure BFD over ExpressRoute",
+ "url": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd"
+ }
+ ],
+ "longDescription": "Enabling BFD over ExpressRoute speeds up link failure detection between MSEE devices and routers configured for ExpressRoute (CE/PE), applicable over both customer and Partner Edge routing devices with managed Layer 3 service.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Faster link failure detection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Activate Bidirectional Forwarding Detection on edge devices for faster failover"
+ },
+ {
+ "aprlGuid": "9771a435-d031-814e-9827-9b5fdafc0f87",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Use Network Insights for monitoring ExpressRoute circuit availability, QoS, and throughput. Set alerts based on Azure Monitor Baseline Alerts for availability, QoS metrics, and throughput metrics exceeding specific thresholds.\n",
+ "guid": "0a85b8ac-b568-4c7d-8ba2-f3db8aaee629",
+ "learnMoreLink": [
+ {
+ "name": "Azure Monitor Baseline Alerts - expressRouteCircuits",
+ "url": "https://azure.github.io/azure-monitor-baseline-alerts/services/Network/expressRouteCircuits/"
+ }
+ ],
+ "longDescription": "Use Network Insights for monitoring ExpressRoute circuit availability, QoS, and throughput. Set alerts based on Azure Monitor Baseline Alerts for availability, QoS metrics, and throughput metrics exceeding specific thresholds.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced network performance and health",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Configure monitoring and alerting for ExpressRoute circuits"
+ },
+ {
+ "aprlGuid": "26cb547f-aabc-dc40-be02-d0a9b6b04b1a",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "ExpressRoute leverages service health for notifications on both planned and unplanned maintenance, ensuring users are informed about any changes to their ExpressRoute circuits.\n",
+ "guid": "8902695a-6f04-41cc-8fa1-430fc1750f38",
+ "learnMoreLink": [
+ {
+ "name": "How to view and configure alerts for Azure ExpressRoute circuit maintenance",
+ "url": "https://learn.microsoft.com/azure/expressroute/maintenance-alerts"
+ }
+ ],
+ "longDescription": "ExpressRoute leverages service health for notifications on both planned and unplanned maintenance, ensuring users are informed about any changes to their ExpressRoute circuits.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Stay informed on circuit updates",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Configure service health to receive ExpressRoute circuit maintenance notification"
+ },
+ {
+ "aprlGuid": "f902cf86-2b53-2942-abc2-781f4fb62be6",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "If you haven't added a second ExpressRoute circuit, use a site-to-site VPN as a temporary solution until the second circuit is available. This ensures network reliability and continuity of service.\n",
+ "guid": "531bdbb3-91b8-493e-8008-08ab693b6816",
+ "learnMoreLink": [
+ {
+ "name": "Using S2S VPN as a backup for ExpressRoute private peering",
+ "url": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering"
+ }
+ ],
+ "longDescription": "If you haven't added a second ExpressRoute circuit, use a site-to-site VPN as a temporary solution until the second circuit is available. This ensures network reliability and continuity of service.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures continuity and reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "Medium",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Use a site-to-site VPN as an interim backup solution for a single ExpressRoute circuit"
+ },
+ {
+ "aprlGuid": "d40c769d-2f08-4980-8d8f-a386946276e6",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Rate limiting controls traffic volume between on-premises networks and Azure via ExpressRoute Direct, applying to private or Microsoft peering. It distributes port bandwidth, ensures stability, and prevents congestion, with steps outlined for enabling on circuits.\n",
+ "guid": "88562e4f-2b56-4891-bbe5-dc7592794500",
+ "learnMoreLink": [
+ {
+ "name": "Rate limiting for ExpressRoute Direct circuits (Preview)",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/rate-limit"
+ }
+ ],
+ "longDescription": "Rate limiting controls traffic volume between on-premises networks and Azure via ExpressRoute Direct, applying to private or Microsoft peering. It distributes port bandwidth, ensures stability, and prevents congestion, with steps outlined for enabling on circuits.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimizes network, prevents congestion",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRouteCircuits",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRouteCircuits",
+ "severity": "Medium",
+ "source": "azure-resources/Network/expressRouteCircuits/recommendations.yaml",
+ "tags": null,
+ "text": "Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow"
+ },
+ {
+ "aprlGuid": "60077378-7cb1-4b35-89bb-393884d9921d",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "In Azure ExpressRoute Direct, the \"Admin State\" indicates the administrative status of layer 1 links, showing if a link is enabled or disabled, effectively turning the physical port on or off.\n",
+ "guid": "33ec9c85-0a33-4ead-bb93-d3bb3bc4c88c",
+ "learnMoreLink": [
+ {
+ "name": "How to configure ExpressRoute Direct Change Admin State of links",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-erdirect#state"
+ }
+ ],
+ "longDescription": "In Azure ExpressRoute Direct, the \"Admin State\" indicates the administrative status of layer 1 links, showing if a link is enabled or disabled, effectively turning the physical port on or off.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures optimal connectivity.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/ExpressRoutePorts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/ExpressRoutePorts",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "tags": null,
+ "text": "The Admin State of both Links of an ExpressRoute Direct should be in Enabled state"
+ },
+ {
+ "aprlGuid": "0bee356b-7348-4799-8cab-0c71ffe13018",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Provisioning ExpressRoute circuits on a 10-Gbps or 100-Gbps ExpressRoute Direct resource up to 20-Gbps or 200-Gbps is possible but not recommended for resiliency. If an ExpressRoute Direct port fails, and circuits are using full capacity, the remaining port won't handle the extra load.\n",
+ "guid": "01937901-4131-4002-9137-a89bf2f0542e",
+ "learnMoreLink": [
+ {
+ "name": "About ExpressRoute Direct Circuit Sizes",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-erdirect-about?source=recommendations#circuit-sizes"
+ }
+ ],
+ "longDescription": "Provisioning ExpressRoute circuits on a 10-Gbps or 100-Gbps ExpressRoute Direct resource up to 20-Gbps or 200-Gbps is possible but not recommended for resiliency. If an ExpressRoute Direct port fails, and circuits are using full capacity, the remaining port won't handle the extra load.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves resilience during port failures",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/ExpressRoutePorts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/ExpressRoutePorts",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure you do not over-subscribe an ExpressRoute Direct"
+ },
+ {
+ "aprlGuid": "55815823-d588-4cb7-a5b8-ae581837356e",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Use Network Insights for monitoring ExpressRoute Port light levels, bits per second in/out, and line protocol. Set alerts based on Azure Monitor Baseline Alerts for light levels, bits per second in/out, and line protocol exceeding specific thresholds.\n",
+ "guid": "276a090d-e939-4990-b35e-a16597bcf914",
+ "learnMoreLink": [
+ {
+ "name": "Azure Monitor Baseline Alerts - expressRoutePorts",
+ "url": "https://azure.github.io/azure-monitor-baseline-alerts/services/Network/expressRoutePorts/"
+ }
+ ],
+ "longDescription": "Use Network Insights for monitoring ExpressRoute Port light levels, bits per second in/out, and line protocol. Set alerts based on Azure Monitor Baseline Alerts for light levels, bits per second in/out, and line protocol exceeding specific thresholds.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced network performance and health",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/expressRoutePorts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/expressRoutePorts",
+ "severity": "High",
+ "source": "azure-resources/Network/expressRoutePorts/recommendations.yaml",
+ "tags": null,
+ "text": "Configure monitoring and alerting for ExpressRoute Ports"
+ },
+ {
+ "aprlGuid": "d0cfe47f-686b-5043-bf83-5a3868acb80a",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "WAF may mistakenly block legitimate requests (false positives). These can be identified by examining the last 24 hours of blocked requests in Log Analytics.\n",
+ "guid": "2f7ae572-83c5-4891-acd3-71ec93163896",
+ "learnMoreLink": [
+ {
+ "name": "Azure Web Application Firewall monitoring and logging - Access Log",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium#access-logs"
+ },
+ {
+ "name": "Understanding WAF logs",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-tuning?pivots=front-door-standard-premium#understanding-waf-logs"
+ },
+ {
+ "name": "Web Application Firewall exclusion lists",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal"
+ },
+ {
+ "name": "Fixing a false positive",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#fixing-false-positives"
+ }
+ ],
+ "longDescription": "WAF may mistakenly block legitimate requests (false positives). These can be identified by examining the last 24 hours of blocked requests in Log Analytics.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Reduces false positives, improves access",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "severity": "High",
+ "source": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "tags": null,
+ "text": "Inspect Azure Front Door WAF logs for wrongfully blocked legitimate requests"
+ },
+ {
+ "aprlGuid": "537b4d94-edd1-4041-b13d-8217dfa485f0",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "WAF may block legitimate requests as false positives. Identifying blocked requests within the last 24 hours through Log Analytics can help manage and mitigate these incorrect blockages efficiently.\n",
+ "guid": "1282878b-6ded-49c1-a251-da275d71cef9",
+ "learnMoreLink": [
+ {
+ "name": "Azure Web Application Firewall Monitoring and Logging",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-metrics#logs-and-diagnostics"
+ },
+ {
+ "name": "Diagnostic logs",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/ag/web-application-firewall-logs#diagnostic-logs"
+ }
+ ],
+ "longDescription": "WAF may block legitimate requests as false positives. Identifying blocked requests within the last 24 hours through Log Analytics can help manage and mitigate these incorrect blockages efficiently.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improve false positive identification",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "severity": "High",
+ "source": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "tags": null,
+ "text": "Check Azure Application Gateway WAF logs for mistakenly blocked valid requests"
+ },
+ {
+ "aprlGuid": "5357ae22-0f52-1a49-9fd4-1f00ace6add0",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Monitoring the health of your Web Application Firewall and the applications it protects is crucial. This can be achieved through integration with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs, ensuring optimal performance and security.\n",
+ "guid": "364bfaba-1446-4029-9aad-e5dbe0e062a0",
+ "learnMoreLink": [
+ {
+ "name": "WAF monitoring",
+ "url": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview#waf-monitoring"
+ },
+ {
+ "name": "Azure Monitor Workbook for WAF",
+ "url": "https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Workbook%20-%20WAF%20Monitor%20Workbook"
+ }
+ ],
+ "longDescription": "Monitoring the health of your Web Application Firewall and the applications it protects is crucial. This can be achieved through integration with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs, ensuring optimal performance and security.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced security and health insight",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "severity": "High",
+ "source": "azure-resources/Network/frontDoorWebApplicationFirewallPolicies/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Web Application Firewall"
+ },
+ {
+ "aprlGuid": "38c3bca1-97a1-eb42-8cd3-838b243f35ba",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.\n",
+ "guid": "b4944f4e-da96-4ae7-8403-fa189adcb143",
+ "learnMoreLink": [
+ {
+ "name": "Reliability and Azure Load Balancer",
+ "url": "https://learn.microsoft.com/azure/architecture/framework/services/networking/azure-load-balancer/reliability"
+ },
+ {
+ "name": "Resiliency checklist for specific Azure services- Azure Load Balancer",
+ "url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer"
+ }
+ ],
+ "longDescription": "Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability and SLA support",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/loadBalancers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/loadBalancers",
+ "severity": "High",
+ "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "tags": null,
+ "text": "Use Standard Load Balancer SKU"
+ },
+ {
+ "aprlGuid": "6d82d042-6d61-ad49-86f0-6a5455398081",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building.\n",
+ "guid": "28d1fd2c-f251-4b2e-be4c-3e68e556b80f",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for specific Azure services- Azure Load Balancer",
+ "url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer"
+ }
+ ],
+ "longDescription": "Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances reliability and scalability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/loadBalancers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/loadBalancers",
+ "severity": "High",
+ "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure the Backend Pool contains at least two instances"
+ },
+ {
+ "aprlGuid": "8d319a05-677b-944f-b9b4-ca0fb42e883c",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Outbound rules for Standard Public Load Balancer involve manual port allocation for backend pools, limiting scalability and risk of SNAT port exhaustion. NAT Gateway is recommended for its dynamic scaling and secure internet connectivity.\n",
+ "guid": "61cbb0b2-c6a9-4a52-8bd2-555cc2c877a0",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for specific Azure services- Azure Load Balancer",
+ "url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer"
+ }
+ ],
+ "longDescription": "Outbound rules for Standard Public Load Balancer involve manual port allocation for backend pools, limiting scalability and risk of SNAT port exhaustion. NAT Gateway is recommended for its dynamic scaling and secure internet connectivity.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced scalability and reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/loadBalancers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/loadBalancers",
+ "severity": "Medium",
+ "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "tags": null,
+ "text": "Use NAT Gateway instead of Outbound Rules for Production Workloads"
+ },
+ {
+ "aprlGuid": "621dbc78-3745-4d32-8eac-9e65b27b7512",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "In regions with Availability Zones, assigning a zone-redundant frontend IP to a Standard Load Balancer ensures continuous traffic distribution even if one availability zone fails, provided other healthy zones and backend instances are available to receive the traffic.\n",
+ "guid": "fd4399da-56ea-4c75-ae3d-3fdb5902b3c3",
+ "learnMoreLink": [
+ {
+ "name": "Load Balancer and Availability Zones",
+ "url": "https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-availability-zones#zone-redundant"
+ }
+ ],
+ "longDescription": "In regions with Availability Zones, assigning a zone-redundant frontend IP to a Standard Load Balancer ensures continuous traffic distribution even if one availability zone fails, provided other healthy zones and backend instances are available to receive the traffic.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances uptime and resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/loadBalancers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/loadBalancers",
+ "severity": "High",
+ "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure Standard Load Balancer is zone-redundant"
+ },
+ {
+ "aprlGuid": "e5f5fcea-f925-4578-8599-9a391e888a60",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Health probes are used by Azure Load Balancers to determine the status of backend endpoints. Using custom health probes that are aligned with vendor recommendations enhances understanding of backend availability and facilitates monitoring of backend services for any impact.\n",
+ "guid": "9c103f18-65c5-43b1-ac2f-8ac000c03f0d",
+ "learnMoreLink": [
+ {
+ "name": "Load Balancer Health Probe Overview",
+ "url": "https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview"
+ }
+ ],
+ "longDescription": "Health probes are used by Azure Load Balancers to determine the status of backend endpoints. Using custom health probes that are aligned with vendor recommendations enhances understanding of backend availability and facilitates monitoring of backend services for any impact.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures backend uptime monitoring.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/loadBalancers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/loadBalancers",
+ "severity": "High",
+ "source": "azure-resources/Network/loadBalancers/recommendations.yaml",
+ "tags": null,
+ "text": "Use Health Probes to detect backend instances availability"
+ },
+ {
+ "aprlGuid": "4281631c-3d19-4994-8d96-084c2a51a534",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "NAT Gateway provides 64,512 SNAT ports per public IP address and supports up to 16 public IP addresses. Monitor \"Total SNAT connection count\" metric to determine if you're nearing the connection limit of NAT gateway. You can scale the NAT gateway by adding more public IP addresses.\n",
+ "guid": "05eb3584-fa7b-4b50-8698-40bcd45d4daa",
+ "learnMoreLink": [
+ {
+ "name": "Scale a NAT gateway to meet the demand of a dynamic workload",
+ "url": "https://learn.microsoft.com/en-us/azure/nat-gateway/nat-gateway-design#scale-a-nat-gateway-to-meet-the-demand-of-a-dynamic-workload"
+ },
+ {
+ "name": "Total SNAT Connection Count",
+ "url": "https://learn.microsoft.com/en-us/azure/nat-gateway/nat-metrics#total-snat-connection-count"
+ }
+ ],
+ "longDescription": "NAT Gateway provides 64,512 SNAT ports per public IP address and supports up to 16 public IP addresses. Monitor \"Total SNAT connection count\" metric to determine if you're nearing the connection limit of NAT gateway. You can scale the NAT gateway by adding more public IP addresses.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances reliability and scalability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/natGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/natGateways",
+ "severity": "Medium",
+ "source": "azure-resources/Network/natGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Scale a NAT gateway to meet the demand of a dynamic workload"
+ },
+ {
+ "aprlGuid": "babf75d6-6407-4d90-b01e-5a1768e621f5",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Use Network Insights for monitoring and alerting on your NAT gateway.Use Total SNAT connection count metric to determine if you're nearing the connection limit of NAT gateway. Set alerts based on Azure Monitor Baseline Alerts (AMBA) thresholds for NAT Gateway\n",
+ "guid": "961945ed-e79d-4f3f-9c64-751c9773ddea",
+ "learnMoreLink": [
+ {
+ "name": "What is Azure NAT Gateway metrics and alerts?",
+ "url": "https://learn.microsoft.com/en-us/azure/nat-gateway/nat-metrics"
+ },
+ {
+ "name": "AMBA - NAT Gateway",
+ "url": "https://azure.github.io/azure-monitor-baseline-alerts/services/Network/natGateways/"
+ }
+ ],
+ "longDescription": "Use Network Insights for monitoring and alerting on your NAT gateway.Use Total SNAT connection count metric to determine if you're nearing the connection limit of NAT gateway. Set alerts based on Azure Monitor Baseline Alerts (AMBA) thresholds for NAT Gateway\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced network performance and health",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/natGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/natGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/natGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Configure monitoring and alerting for NAT gateway"
+ },
+ {
+ "aprlGuid": "419df1ea-336b-460a-b6b2-fefe2588fcef",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "A zonal promise for zone isolation scenarios exists when a virtual machine instance using a NAT gateway resource is in the same zone as the NAT gateway resource and its public IP addresses. The pattern you want to use for zone isolation is creating a \"zonal stack\" per availability zone.\n",
+ "guid": "fd23ecb9-cb8a-4715-8afc-bc837840f377",
+ "learnMoreLink": [
+ {
+ "name": "Zonal NAT gateway resource for each zone in a region to create zone-resiliency",
+ "url": "https://learn.microsoft.com/en-us/azure/nat-gateway/nat-availability-zones#zonal-nat-gateway-resource-for-each-zone-in-a-region-to-create-zone-resiliency"
+ }
+ ],
+ "longDescription": "A zonal promise for zone isolation scenarios exists when a virtual machine instance using a NAT gateway resource is in the same zone as the NAT gateway resource and its public IP addresses. The pattern you want to use for zone isolation is creating a \"zonal stack\" per availability zone.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances reliability and scalability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/natGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/natGateways",
+ "severity": "Medium",
+ "source": "azure-resources/Network/natGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Consider zonal NAT gateway deployment for zone isolation scenarios"
+ },
+ {
+ "aprlGuid": "d2976d3e-294b-4b49-a1f0-c42566a3758f",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.\n",
+ "guid": "a7ef92ad-73e7-4a29-88c0-b77fb133abd7",
+ "learnMoreLink": [
+ {
+ "name": "Diagnostic settings in Azure Monitor",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings"
+ }
+ ],
+ "longDescription": "Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced monitoring and security insights",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/networkSecurityGroups",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/networkSecurityGroups",
+ "severity": "Medium",
+ "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "tags": null,
+ "text": "Configure Diagnostic Settings for all network security groups"
+ },
+ {
+ "aprlGuid": "8bb4a57b-55e4-d24e-9c19-2679d8bc779f",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Create Alerts with Azure Monitor for operations like creating or updating Network Security Group rules to catch unauthorized/undesired changes to resources and spot attempts to bypass firewalls or access resources from the outside.\n",
+ "guid": "47a876f2-b3d1-4e38-94f1-679a95f1a155",
+ "learnMoreLink": [
+ {
+ "name": "Azure Monitor activity log",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell"
+ }
+ ],
+ "longDescription": "Create Alerts with Azure Monitor for operations like creating or updating Network Security Group rules to catch unauthorized/undesired changes to resources and spot attempts to bypass firewalls or access resources from the outside.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and change monitoring",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/networkSecurityGroups",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/networkSecurityGroups",
+ "severity": "Low",
+ "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor changes in Network Security Groups with Azure Monitor"
+ },
+ {
+ "aprlGuid": "52ac35e8-9c3e-f84d-8ce8-2fab955333d3",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental deletions and modifications. The lock overrides user permissions. Locks can prevent either deletions or modifications and are known as Delete and Read-only in the portal.\n",
+ "guid": "f9908283-8950-4c13-8b9a-c5fb02803339",
+ "learnMoreLink": [
+ {
+ "name": "Lock your resources to protect your infrastructure",
+ "url": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json"
+ }
+ ],
+ "longDescription": "As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental deletions and modifications. The lock overrides user permissions. Locks can prevent either deletions or modifications and are known as Delete and Read-only in the portal.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents accidental edits/deletions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/networkSecurityGroups",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/networkSecurityGroups",
+ "severity": "Low",
+ "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "tags": null,
+ "text": "Configure locks for Network Security Groups to avoid accidental changes and/or deletion"
+ },
+ {
+ "aprlGuid": "da1a3c06-d1d5-a940-9a99-fcc05966fe7c",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Monitoring, managing, and understanding your network is crucial for protection and optimization. Knowing the current state, who and from where connections are made, open internet ports, expected and irregular behavior, and traffic spikes is essential.\n",
+ "guid": "00c00fa5-11e1-4e7e-b0a4-0a3a3bbffd4a",
+ "learnMoreLink": [
+ {
+ "name": "Flow logging for network security groups",
+ "url": "https://learn.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview"
+ }
+ ],
+ "longDescription": "Monitoring, managing, and understanding your network is crucial for protection and optimization. Knowing the current state, who and from where connections are made, open internet ports, expected and irregular behavior, and traffic spikes is essential.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances security and optimizes network",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/networkSecurityGroups",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/networkSecurityGroups",
+ "severity": "Medium",
+ "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "tags": null,
+ "text": "Configure NSG Flow Logs"
+ },
+ {
+ "aprlGuid": "8291c1fa-650c-b44b-b008-4deb7465919d",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Azure network security groups filter network traffic between resources in a virtual network, using security rules to allow or deny inbound or outbound traffic based on source, destination, port, and protocol.\n",
+ "guid": "eb9b8070-96cf-4f8b-a6d2-050c83931d4b",
+ "learnMoreLink": [
+ {
+ "name": "Security rules",
+ "url": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules"
+ }
+ ],
+ "longDescription": "Azure network security groups filter network traffic between resources in a virtual network, using security rules to allow or deny inbound or outbound traffic based on source, destination, port, and protocol.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced traffic control and security",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/networkSecurityGroups",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/networkSecurityGroups",
+ "severity": "Medium",
+ "source": "azure-resources/Network/networkSecurityGroups/recommendations.yaml",
+ "tags": null,
+ "text": "The NSG only has Default Security Rules, make sure to configure the necessary rules"
+ },
+ {
+ "aprlGuid": "4e133bd0-8762-bc40-a95b-b29142427d73",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Azure Network Watcher offers tools for monitoring, diagnosing, viewing metrics, and managing logs for IaaS resources. It helps maintain the health of VMs, VNets, application gateways, load balancers, but not for PaaS or Web analytics.\n",
+ "guid": "a6ebcc89-3177-4053-b407-c40dbf5f2d1b",
+ "learnMoreLink": [
+ {
+ "name": "What is Azure Network Watcher?",
+ "url": "https://learn.microsoft.com/azure/network-watcher/network-watcher-overview"
+ }
+ ],
+ "longDescription": "Azure Network Watcher offers tools for monitoring, diagnosing, viewing metrics, and managing logs for IaaS resources. It helps maintain the health of VMs, VNets, application gateways, load balancers, but not for PaaS or Web analytics.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced monitoring and diagnostics for Azure IaaS",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/networkWatchers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/networkWatchers",
+ "severity": "Low",
+ "source": "azure-resources/Network/networkWatchers/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy Network Watcher in all regions where you have networking services"
+ },
+ {
+ "aprlGuid": "22a769ed-0ecb-8b49-bafe-8f52e6373d9c",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Network security group flow logging is a feature of Azure Network Watcher that logs IP traffic info through a network security group. If in Failed state, monitoring data from the associated resource is not collected.\n",
+ "guid": "3d76f276-832d-4c4e-9d20-a4961c9d17b3",
+ "learnMoreLink": [
+ {
+ "name": "Manage NSG flow logs using the Azure portal",
+ "url": "https://learn.microsoft.com/azure/network-watcher/nsg-flow-logging"
+ }
+ ],
+ "longDescription": "Network security group flow logging is a feature of Azure Network Watcher that logs IP traffic info through a network security group. If in Failed state, monitoring data from the associated resource is not collected.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures IP traffic logging",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/networkWatchers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/networkWatchers",
+ "severity": "Low",
+ "source": "azure-resources/Network/networkWatchers/recommendations.yaml",
+ "tags": null,
+ "text": "Fix Flow Log configurations in Failed state or Disabled Status"
+ },
+ {
+ "aprlGuid": "2820f6d6-a23c-7a40-aec5-506f3bd1aeb6",
+ "automationAvailable": false,
+ "category": "Security",
+ "description": "Private DNS zones and records are critical and their deletion can cause service outages. To protect against unauthorized or accidental changes, the Private DNS Zone Contributor role, a built-in role for managing these resources, should be assigned to specific users or groups.\n",
+ "guid": "7fe78661-5b4a-4ef3-9728-005af6b25257",
+ "learnMoreLink": [
+ {
+ "name": "Protecting private DNS Zones and Records - Azure DNS",
+ "url": "https://learn.microsoft.com/en-us/azure/dns/dns-protect-private-zones-recordsets"
+ }
+ ],
+ "longDescription": "Private DNS zones and records are critical and their deletion can cause service outages. To protect against unauthorized or accidental changes, the Private DNS Zone Contributor role, a built-in role for managing these resources, should be assigned to specific users or groups.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents DNS outages",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/privateDnsZones",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/privateDnsZones",
+ "severity": "Medium",
+ "source": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "tags": null,
+ "text": "Protect private DNS zones and records"
+ },
+ {
+ "aprlGuid": "ab896e8c-49b9-2c44-adec-98339aff7821",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "The records in a private DNS zone are only resolvable from linked virtual networks. You can link a private DNS zone to multiple networks and enable autoregistration to manage DNS records for virtual machines automatically.\n",
+ "guid": "4ef09754-f91d-4a76-99c1-36a830ef04cd",
+ "learnMoreLink": [
+ {
+ "name": "Supported metrics for Microsoft.Network/privateDnsZones",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-network-privatednszones-metrics"
+ }
+ ],
+ "longDescription": "The records in a private DNS zone are only resolvable from linked virtual networks. You can link a private DNS zone to multiple networks and enable autoregistration to manage DNS records for virtual machines automatically.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced DNS reliability and alerting",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/privateDnsZones",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/privateDnsZones",
+ "severity": "High",
+ "source": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Private DNS Zones health and set up alerts"
+ },
+ {
+ "aprlGuid": "1e02335c-1f90-fd4e-a5a5-d359c7b22d70",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Azure Private DNS offers a reliable, secure way to handle domain names within virtual networks, using custom domains instead of default Azure names. Records in these zones aren't internet-accessible, only resolvable within linked virtual networks.\n",
+ "guid": "de85dfb9-1e81-4669-bddd-5f0e28648683",
+ "learnMoreLink": [
+ {
+ "name": "Scenarios for Azure Private DNS zones",
+ "url": "https://learn.microsoft.com/en-us/azure/dns/private-dns-scenarios"
+ }
+ ],
+ "longDescription": "Azure Private DNS offers a reliable, secure way to handle domain names within virtual networks, using custom domains instead of default Azure names. Records in these zones aren't internet-accessible, only resolvable within linked virtual networks.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures seamless failover for DNS",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/privateDnsZones",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/privateDnsZones",
+ "severity": "Medium",
+ "source": "azure-resources/Network/privateDnsZones/recommendations.yaml",
+ "tags": null,
+ "text": "Align Production and DR zones with identical workload and resource failover entries"
+ },
+ {
+ "aprlGuid": "b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "A private endpoint has two custom properties, static IP address and the network interface name, which must be set at creation. If not in Succeeded state, there may be issues with the endpoint or associated resource.\n",
+ "guid": "4a47f9a4-9e95-43df-abaa-13bb62b4afb8",
+ "learnMoreLink": [
+ {
+ "name": "Private endpoint connections",
+ "url": "https://learn.microsoft.com/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections"
+ }
+ ],
+ "longDescription": "A private endpoint has two custom properties, static IP address and the network interface name, which must be set at creation. If not in Succeeded state, there may be issues with the endpoint or associated resource.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensure connection availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/privateEndpoints",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/privateEndpoints",
+ "severity": "Medium",
+ "source": "azure-resources/Network/privateEndpoints/recommendations.yaml",
+ "tags": null,
+ "text": "Resolve issues with Private Endpoints in non Succeeded connection state"
+ },
+ {
+ "aprlGuid": "c63b81fb-7afc-894c-a840-91bb8a8dcfaf",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience.\n",
+ "guid": "ca23c9b6-4bc6-4034-ae8c-ebe9170996c9",
+ "learnMoreLink": [
+ {
+ "name": "Public IP addresses - Availability Zones",
+ "url": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone"
+ },
+ {
+ "name": "Upgrading a basic public IP address to Standard SKU",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance#steps-to-complete-the-upgrade"
+ }
+ ],
+ "longDescription": "Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced resilience with zone redundancy",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/publicIPAddresses",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/publicIPAddresses",
+ "severity": "High",
+ "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "tags": null,
+ "text": "Use Standard SKU and Zone-Redundant IPs when applicable"
+ },
+ {
+ "aprlGuid": "1adba190-5c4c-e646-8527-dd1b2a6d8b15",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Prevent connectivity failures due to SNAT port exhaustion by employing NAT gateway for outbound traffic from virtual networks, ensuring dynamic scaling and secure internet connections.\n",
+ "guid": "fe986aa6-a08a-4844-ac5e-4db40f130c19",
+ "learnMoreLink": [
+ {
+ "name": "Use NAT GW for outbound connectivity",
+ "url": "https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#use-nat-gateway-for-outbound-connectivity"
+ },
+ {
+ "name": "TCP and SNAT Ports",
+ "url": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability#tcp-and-snat-ports"
+ }
+ ],
+ "longDescription": "Prevent connectivity failures due to SNAT port exhaustion by employing NAT gateway for outbound traffic from virtual networks, ensuring dynamic scaling and secure internet connections.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids SNAT port exhaustion risks",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/publicIPAddresses",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/publicIPAddresses",
+ "severity": "Medium",
+ "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "tags": null,
+ "text": "Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion"
+ },
+ {
+ "aprlGuid": "5cea1501-6fe4-4ec4-ac8f-f72320eb18d3",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Basic SKU public IP addresses will be retired on September 30, 2025. Users are advised to upgrade to Standard SKU public IP addresses before this date to avoid service disruptions.\n",
+ "guid": "e3278717-2f1a-4017-8f4c-9c7e894336c6",
+ "learnMoreLink": [
+ {
+ "name": "Upgrading a basic public IP address to Standard SKU - Guidance",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance"
+ },
+ {
+ "name": "Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025 as Basic SKU will be retired",
+ "url": "https://azure.microsoft.com/en-us/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/"
+ }
+ ],
+ "longDescription": "Basic SKU public IP addresses will be retired on September 30, 2025. Users are advised to upgrade to Standard SKU public IP addresses before this date to avoid service disruptions.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids service disruption",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/publicIPAddresses",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/publicIPAddresses",
+ "severity": "Medium",
+ "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "tags": null,
+ "text": "Upgrade Basic SKU public IP addresses to Standard SKU"
+ },
+ {
+ "aprlGuid": "c4254c66-b8a5-47aa-82f6-e7d7fb418f47",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.\n",
+ "guid": "3bd389c1-92d5-4c1d-8628-aa9b1972ead0",
+ "learnMoreLink": [
+ {
+ "name": "Azure DDoS Protection",
+ "url": "https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview"
+ }
+ ],
+ "longDescription": "DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids service disruption",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/publicIPAddresses",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/publicIPAddresses",
+ "severity": "Medium",
+ "source": "azure-resources/Network/publicIPAddresses/recommendations.yaml",
+ "tags": null,
+ "text": "Public IP addresses should have DDoS protection enabled"
+ },
+ {
+ "aprlGuid": "23b2dfc7-7e5d-9443-9f62-980ca621b561",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Create Alerts with Azure Monitor for operations like Create or Update Route Table to spot unauthorized/undesired changes in production resources. This setup aids in identifying improper routing changes, including efforts to evade firewalls or access resources from outside.\n",
+ "guid": "90180c2d-7c2b-44cd-9d82-543720efec60",
+ "learnMoreLink": [
+ {
+ "name": "Azure activity log - Azure Monitor | Microsoft Learn",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell"
+ }
+ ],
+ "longDescription": "Create Alerts with Azure Monitor for operations like Create or Update Route Table to spot unauthorized/undesired changes in production resources. This setup aids in identifying improper routing changes, including efforts to evade firewalls or access resources from outside.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and change detection",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/routeTables",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/routeTables",
+ "severity": "High",
+ "source": "azure-resources/Network/routeTables/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor changes in Route Tables with Azure Monitor"
+ },
+ {
+ "aprlGuid": "89d1166a-1a20-0f46-acc8-3194387bf127",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "As an administrator, you can protect Azure subscriptions, resource groups, or resources from accidental deletions and modifications by setting locks.\n",
+ "guid": "8198033b-fb15-4699-a654-5cbd7da81e53",
+ "learnMoreLink": [
+ {
+ "name": "Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json"
+ }
+ ],
+ "longDescription": "As an administrator, you can protect Azure subscriptions, resource groups, or resources from accidental deletions and modifications by setting locks.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents accidental edits/deletions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/routeTables",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/routeTables",
+ "severity": "Low",
+ "source": "azure-resources/Network/routeTables/recommendations.yaml",
+ "tags": null,
+ "text": "Configure locks for Route Tables to avoid accidental changes or deletion"
+ },
+ {
+ "aprlGuid": "f05a3e6d-49db-2740-88e2-2b13706c1f67",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Monitor status should be online to ensure failover for application workload. If Traffic Manager's health shows Degraded, one or more endpoints may also be Degraded.\n",
+ "guid": "80f02f9b-c0e0-4b28-af6b-22dced884dc6",
+ "learnMoreLink": [
+ {
+ "name": "Azure Traffic Manager endpoint monitoring",
+ "url": "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-monitoring"
+ },
+ {
+ "name": "Enable or disable health checks",
+ "url": "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-monitoring#enable-or-disable-health-checks-preview"
+ },
+ {
+ "name": "Troubleshooting degraded state on Azure Traffic Manager",
+ "url": "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-troubleshooting-degraded"
+ }
+ ],
+ "longDescription": "Monitor status should be online to ensure failover for application workload. If Traffic Manager's health shows Degraded, one or more endpoints may also be Degraded.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures failover functionality",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/trafficManagerProfiles",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/trafficManagerProfiles",
+ "severity": "High",
+ "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "tags": null,
+ "text": "Traffic Manager Monitor Status Should be Online"
+ },
+ {
+ "aprlGuid": "5b422a7f-8caa-3d48-becb-511599e5bba9",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "When configuring the Azure traffic manager, provision at least two endpoints to ensure workloads can fail-over to another instance, enhancing reliability and availability.\n",
+ "guid": "64312601-7be4-4f80-b909-0b4fc0781ff5",
+ "learnMoreLink": [
+ {
+ "name": "Traffic Manager Endpoint Types",
+ "url": "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-endpoint-types"
+ }
+ ],
+ "longDescription": "When configuring the Azure traffic manager, provision at least two endpoints to ensure workloads can fail-over to another instance, enhancing reliability and availability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances failover capabilities",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/trafficManagerProfiles",
+ "recommendationTypeId": "6cd70072-c45c-4716-bf7b-b35c18e46e72",
+ "service": "Microsoft.Network/trafficManagerProfiles",
+ "severity": "Medium",
+ "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "tags": null,
+ "text": "Traffic manager profiles should have more than one endpoint"
+ },
+ {
+ "aprlGuid": "1ad9d7b7-9692-1441-a8f4-93792efbe97a",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Profiles should have multiple endpoints to ensure availability in case an endpoint fails. It's also advised to distribute these endpoints across different regions for enhanced reliability.\n",
+ "guid": "57bb0a27-2026-4d1d-aa8e-6640f74c99f0",
+ "learnMoreLink": [
+ {
+ "name": "Reliability recommendations",
+ "url": "https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#add-at-least-one-more-endpoint-to-the-profile-preferably-in-another-azure-region"
+ }
+ ],
+ "longDescription": "Profiles should have multiple endpoints to ensure availability in case an endpoint fails. It's also advised to distribute these endpoints across different regions for enhanced reliability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances availability across regions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/trafficManagerProfiles",
+ "recommendationTypeId": "0db76759-6d22-4262-93f0-2f989ba2b58e",
+ "service": "Microsoft.Network/trafficManagerProfiles",
+ "severity": "Medium",
+ "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "tags": null,
+ "text": "Configure at least one endpoint within a another region"
+ },
+ {
+ "aprlGuid": "c31f76a0-48cd-9f44-aa43-99ee904db9bc",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "For geographic routing, traffic is directed to endpoints based on specific regions. If a region fails, without a predefined failover, configuring an endpoint to \"All (World)\" for geographic profiles can prevent traffic black holes, ensuring service remains available.\n",
+ "guid": "8ef976b2-d5ea-42d9-ad65-d5b76e4c2f15",
+ "learnMoreLink": [
+ {
+ "name": "Add an endpoint configured to \"All (World)\"",
+ "url": "https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#add-an-endpoint-configured-to-all-world"
+ },
+ {
+ "name": "Traffic Manager profile - GeographicProfile (Add an endpoint configured to \"\"All (World)\"\").",
+ "url": "https://aka.ms/Rf7vc5"
+ }
+ ],
+ "longDescription": "For geographic routing, traffic is directed to endpoints based on specific regions. If a region fails, without a predefined failover, configuring an endpoint to \"All (World)\" for geographic profiles can prevent traffic black holes, ensuring service remains available.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids traffic black holing, ensures availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/trafficManagerProfiles",
+ "recommendationTypeId": "0bbe0a49-3c63-49d3-ab4a-aa24198f03f7",
+ "service": "Microsoft.Network/trafficManagerProfiles",
+ "severity": "High",
+ "source": "azure-resources/Network/trafficManagerProfiles/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure endpoint configured to (All World) for geographic profiles"
+ },
+ {
+ "aprlGuid": "d37db635-157f-584d-9bce-4f6fc8c65ce5",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "To increase reliability, it's advised that each ExpressRoute gateway connects to at least two circuits, with each circuit originating from a different peering location than the other, ensuring diverse connectivity paths for enhanced resilience.\n",
+ "guid": "f493b10f-ca39-4091-a2f3-72696439a03c",
+ "learnMoreLink": [
+ {
+ "name": "Designing for disaster recovery with ExpressRoute private peering",
+ "url": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering"
+ }
+ ],
+ "longDescription": "To increase reliability, it's advised that each ExpressRoute gateway connects to at least two circuits, with each circuit originating from a different peering location than the other, ensuring diverse connectivity paths for enhanced resilience.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced resiliency for Azure service",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": "8d61a7d4-5405-4f43-81e3-8c6239b844a6",
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Connect ExpressRoute gateway with circuits from diverse peering locations for resilience"
+ },
+ {
+ "aprlGuid": "bbe668b7-eb5c-c746-8b82-70afdedf0cae",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure ExpressRoute gateway offers variable SLAs based on deployment in single or multiple availability zones. To deploy virtual network gateways across zones automatically, use zone-redundant gateways for accessing critical, scalable services with increased resilience.\n",
+ "guid": "d6ac40c6-e65e-4ba6-8653-65e160f74cb0",
+ "learnMoreLink": [
+ {
+ "name": "About ExpressRoute virtual network gateways - Zone-redundant gateway SKUs",
+ "url": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways#zrgw"
+ },
+ {
+ "name": "About zone-redundant virtual network gateway in Azure availability zones",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways"
+ },
+ {
+ "name": "Create a zone-redundant virtual network gateway in Azure Availability Zones",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway"
+ }
+ ],
+ "longDescription": "Azure ExpressRoute gateway offers variable SLAs based on deployment in single or multiple availability zones. To deploy virtual network gateways across zones automatically, use zone-redundant gateways for accessing critical, scalable services with increased resilience.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced SLA and resilience",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": "c9af1ef6-55bc-48af-bfe4-2c80490159f8",
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Use Zone-redundant ExpressRoute gateway SKUs"
+ },
+ {
+ "aprlGuid": "c0f23a92-d322-4d4d-97e9-a238b5e3bbb8",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Configuring an Azure Resource lock for ExpressRoute gateway prevents accidental deletion by enabling administrators to lock an Azure subscription, resource group, or resource, thereby protecting them from unintended user deletions and modifications, with the lock overriding all user permissions.\n",
+ "guid": "347fe146-4626-48ce-9222-45920b4b85fc",
+ "learnMoreLink": [
+ {
+ "name": "Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json"
+ }
+ ],
+ "longDescription": "Configuring an Azure Resource lock for ExpressRoute gateway prevents accidental deletion by enabling administrators to lock an Azure subscription, resource group, or resource, thereby protecting them from unintended user deletions and modifications, with the lock overriding all user permissions.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents accidental deletions",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "Medium",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Configure an Azure Resource lock for ExpressRoute gateway to prevent accidental deletion"
+ },
+ {
+ "aprlGuid": "1c34faa8-8b99-974c-adbf-71922eae943c",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Use Network Insights for monitoring ExpressRoute Gateway's health, including availability, performance, and scalability.\n",
+ "guid": "3ac83197-de31-4344-9095-b44d41211a2d",
+ "learnMoreLink": [
+ {
+ "name": "ExpressRoute monitoring, metrics, and alerts | ExpressRoute gateways",
+ "url": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts#expressroute-gateways"
+ },
+ {
+ "name": "Azure ExpressRoute Insights using Network Insights",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-network-insights"
+ }
+ ],
+ "longDescription": "Use Network Insights for monitoring ExpressRoute Gateway's health, including availability, performance, and scalability.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced monitoring and alerting",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor gateway health for ExpressRoute gateways"
+ },
+ {
+ "aprlGuid": "194c14ac-0d7a-5a48-ae32-75fa450ee564",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "While multiple VNets can connect via the same ExpressRoute gateway, Microsoft recommends using alternatives like VNet peering, Azure Firewall, NVA, Azure Route Server, site-to-site VPN, virtual WAN, or SD-WAN for VNet-to-VNet communication to optimize network performance and management.\n",
+ "guid": "4bfa4dc5-5c3f-4ec6-8fef-447a945395fb",
+ "learnMoreLink": [
+ {
+ "name": "About ExpressRoute virtual network gateways - VNet-to-VNet connectivity",
+ "url": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways#vnet-to-vnet-connectivity"
+ }
+ ],
+ "longDescription": "While multiple VNets can connect via the same ExpressRoute gateway, Microsoft recommends using alternatives like VNet peering, Azure Firewall, NVA, Azure Route Server, site-to-site VPN, virtual WAN, or SD-WAN for VNet-to-VNet communication to optimize network performance and management.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced VNet integration efficiency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "Medium",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Avoid using ExpressRoute circuits for VNet to VNet communication"
+ },
+ {
+ "aprlGuid": "3e115044-a3aa-433e-be01-ce17d67e50da",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "ExpressRoute gateways are updated for improved functionality, reliability, performance, and security. Customer-controlled maintenance configuration and scheduling minimize update impact and align with your maintenance windows.\n",
+ "guid": "94d79cc7-6803-4155-a31a-84bd52cb949d",
+ "learnMoreLink": [
+ {
+ "name": "Configure customer-controlled maintenance for your virtual network gateway - ExpressRoute | Microsoft Learn",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/customer-controlled-gateway-maintenance#azure-portal-steps"
+ }
+ ],
+ "longDescription": "ExpressRoute gateways are updated for improved functionality, reliability, performance, and security. Customer-controlled maintenance configuration and scheduling minimize update impact and align with your maintenance windows.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Minimizes update impact",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Configure customer-controlled ExpressRoute gateway maintenance"
+ },
+ {
+ "aprlGuid": "5b1933a6-90e4-f642-a01f-e58594e5aab2",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure VPN gateway offers variable SLAs based on deployment in one or two availability zones. Deploying zone-redundant virtual network gateways across availability zones ensures zone-resiliency, improving access to mission-critical, scalable services on Azure.\n",
+ "guid": "9be47b2e-0d2c-4b60-b476-b300c0da23e1",
+ "learnMoreLink": [
+ {
+ "name": "Zone redundant Virtual network gateway in availability zone",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways"
+ },
+ {
+ "name": "Gateway SKU",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways#gwskus"
+ },
+ {
+ "name": "SLA summary for Azure services",
+ "url": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1"
+ }
+ ],
+ "longDescription": "Azure VPN gateway offers variable SLAs based on deployment in one or two availability zones. Deploying zone-redundant virtual network gateways across availability zones ensures zone-resiliency, improving access to mission-critical, scalable services on Azure.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability and scalability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Choose a Zone-redundant VPN gateway"
+ },
+ {
+ "aprlGuid": "281a2713-c0e0-3c48-b596-19f590c46671",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling.\n",
+ "guid": "c03c76d6-6aa4-45b7-8a2c-3ac3d4236e32",
+ "learnMoreLink": [
+ {
+ "name": "Active-active VPN gateway",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway"
+ },
+ {
+ "name": "Gateway SKU",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku"
+ }
+ ],
+ "longDescription": "The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability and network capacity",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": "c249dc0e-9a17-423e-838a-d72719e8c5dd",
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "Medium",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Active-Active VPN Gateways for redundancy"
+ },
+ {
+ "aprlGuid": "af11fc4c-c06c-4f4c-b98d-6eee6d5c4c70",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels.\n",
+ "guid": "ac922f7b-0994-45b4-b8ad-99b6edd83d26",
+ "learnMoreLink": [
+ {
+ "name": "Dual-redundancy active-active VPN gateways for both Azure and on-premises networks",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks"
+ }
+ ],
+ "longDescription": "Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Maximizes resilience and availability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy active-active VPN concentrators on your premises for maximum resiliency with VPN gateways"
+ },
+ {
+ "aprlGuid": "9eab120e-f6d3-ee49-ba0d-766562ce7df1",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Set up monitoring and alerts for Virtual Network Gateway health to utilize a variety of metrics for ensuring operational efficiency and prompt response to any disruptions.\n",
+ "guid": "7ff388a1-1020-4503-9ffb-c8ace06382f6",
+ "learnMoreLink": [
+ {
+ "name": "VPN gateway data reference",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference"
+ }
+ ],
+ "longDescription": "Set up monitoring and alerts for Virtual Network Gateway health to utilize a variety of metrics for ensuring operational efficiency and prompt response to any disruptions.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improved uptime and issue awareness",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor VPN gateway connections and health"
+ },
+ {
+ "aprlGuid": "9186dae0-7ddc-8f4b-bea5-55538cea4893",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "VPN gateway leverages service health to inform users about both planned and unplanned maintenance, ensuring they are notified about modifications to their VPN connectivity.\n",
+ "guid": "d43eab69-862e-4dc7-8a12-3e1668499ebb",
+ "learnMoreLink": [
+ {
+ "name": "Getting started with Azure Metrics Explorer",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started"
+ },
+ {
+ "name": "Monitor VPN gateway",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics"
+ }
+ ],
+ "longDescription": "VPN gateway leverages service health to inform users about both planned and unplanned maintenance, ensuring they are notified about modifications to their VPN connectivity.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves VPN maintenance alerts",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Enable VPN gateway service health"
+ },
+ {
+ "aprlGuid": "4bae5a28-5cf4-40d9-bcf1-623d28f6d917",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "For zone-redundant VPN gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability, applying to both active-passive (single IP) and active-active (dual IP) setups.\n",
+ "guid": "bb186ac3-b7f7-49bc-8dc8-815d09482b9e",
+ "learnMoreLink": [
+ {
+ "name": "About zone-redundant virtual network gateway in Azure availability zones",
+ "url": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways"
+ }
+ ],
+ "longDescription": "For zone-redundant VPN gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability, applying to both active-passive (single IP) and active-active (dual IP) setups.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability and disaster recovery",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworkGateways",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworkGateways",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworkGateways/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy zone-redundant VPN gateways with zone-redundant Public IP(s)"
+ },
+ {
+ "aprlGuid": "f0bf9ae6-25a5-974d-87d5-025abec73539",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Network security groups and application security groups allow filtering of inbound and outbound traffic by IP, port, and protocol, adding a security layer at the Subnet level.\n",
+ "guid": "c5d187f9-39ca-4cca-a690-4dae51ffda5f",
+ "learnMoreLink": [
+ {
+ "name": "Azure Virtual Network - Concepts and best practices | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices"
+ },
+ {
+ "name": "GatewaySUbnet",
+ "url": "https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub"
+ },
+ {
+ "name": "Can I associate a network security group (NSG) to the RouteServerSubnet?",
+ "url": "https://learn.microsoft.com/en-us/azure/route-server/route-server-faq#can-i-associate-a-network-security-group-nsg-to-the-routeserversubnet"
+ },
+ {
+ "name": "Are Network Security Groups (NSGs) supported on the AzureFirewallSubnet?",
+ "url": "https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-network-security-groups--nsgs--supported-on-the-azurefirewallsubnet"
+ }
+ ],
+ "longDescription": "Network security groups and application security groups allow filtering of inbound and outbound traffic by IP, port, and protocol, adding a security layer at the Subnet level.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced subnet security and traffic control",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworks",
+ "recommendationTypeId": "eade5b56-eefd-444f-95c8-23f29e5d93cb",
+ "service": "Microsoft.Network/virtualNetworks",
+ "severity": "Low",
+ "source": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "tags": null,
+ "text": "All Subnets should have a Network Security Group associated"
+ },
+ {
+ "aprlGuid": "69ea1185-19b7-de40-9da1-9e8493547a5c",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Azure DDoS Protection offers enhanced mitigation features against DDoS attacks and is auto-tuned to protect specific resources in a virtual network, combined with application design best practices.\n",
+ "guid": "b5412dc7-2ecc-4db8-99d4-e9e5718ad84b",
+ "learnMoreLink": [
+ {
+ "name": "Reliability and Azure Virtual Network - Microsoft Azure Well-Architected Framework | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/architecture/framework/services/networking/azure-virtual-network/reliability"
+ }
+ ],
+ "longDescription": "Azure DDoS Protection offers enhanced mitigation features against DDoS attacks and is auto-tuned to protect specific resources in a virtual network, combined with application design best practices.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced DDoS attack mitigation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworks",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworks",
+ "severity": "High",
+ "source": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "tags": null,
+ "text": "Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans"
+ },
+ {
+ "aprlGuid": "24ae3773-cc2c-3649-88de-c9788e25b463",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Use VNet service endpoints only if Private Link isn't available and no data movement concerns. This feature restricts Azure service access to specified VNet and subnet, enhancing network security and isolating service traffic.\n",
+ "guid": "21119fc0-91c7-48ca-b87b-ab287ca80551",
+ "learnMoreLink": [
+ {
+ "name": "Azure Virtual Network FAQ | Microsoft Learn",
+ "url": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq"
+ },
+ {
+ "name": "Reliability and Network connectivity - Microsoft Azure Well-Architected Framework | Microsoft LearnNetworking Reliability",
+ "url": "https://learn.microsoft.com/azure/architecture/framework/services/networking/network-connectivity/reliability"
+ },
+ {
+ "name": "Azure Private Link availability",
+ "url": "https://learn.microsoft.com/en-us/azure/private-link/availability"
+ }
+ ],
+ "longDescription": "Use VNet service endpoints only if Private Link isn't available and no data movement concerns. This feature restricts Azure service access to specified VNet and subnet, enhancing network security and isolating service traffic.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and data isolation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Network/virtualNetworks",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Network/virtualNetworks",
+ "severity": "Medium",
+ "source": "azure-resources/Network/virtualNetworks/recommendations.yaml",
+ "tags": null,
+ "text": "When available, use Private Endpoints instead of Service Endpoints for PaaS Services"
+ },
+ {
+ "aprlGuid": "1ceea4b5-1d8b-4be0-9bbe-9594557be51a",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.\n",
+ "guid": "c038be53-2857-4490-a0f5-fca987165a29",
+ "learnMoreLink": [
+ {
+ "name": "Azure ExpressRoute Traffic Collector",
+ "url": "https://learn.microsoft.com/en-us/azure/expressroute/traffic-collector"
+ }
+ ],
+ "longDescription": "ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced network flow analysis and DR readiness",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.NetworkFunction/azureTrafficCollectors",
+ "recommendationTypeId": null,
+ "service": "Microsoft.NetworkFunction/azureTrafficCollectors",
+ "severity": "Medium",
+ "source": "azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure ExpressRoute Traffic Collector is enabled and configured for ExpressRoute Direct circuits"
+ },
+ {
+ "aprlGuid": "b36fd2ac-dd83-664a-ab48-ff7b8d3b189d",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "Data export in a Log Analytics workspace to an Azure Storage account enhances data protection against regional failures by using geo-redundant (GRS) or geo-zone-redundant storage (GZRS), mainly for compliance and integration with other Azure services and tools.\n",
+ "guid": "7c2db6e9-7511-4b81-aa6a-b2e017fd9676",
+ "learnMoreLink": [
+ {
+ "name": "Log Analytics workspace data export in Azure Monitor",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export"
+ },
+ {
+ "name": "Azure Monitor configuration recommendations",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/best-practices-logs#configuration-recommendations"
+ }
+ ],
+ "longDescription": "Data export in a Log Analytics workspace to an Azure Storage account enhances data protection against regional failures by using geo-redundant (GRS) or geo-zone-redundant storage (GZRS), mainly for compliance and integration with other Azure services and tools.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances compliance and regional fault tolerance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.OperationalInsights/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.OperationalInsights/workspaces",
+ "severity": "Medium",
+ "source": "azure-resources/OperationalInsights/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Log Analytics data export to GRS or GZRS"
+ },
+ {
+ "aprlGuid": "4b77191c-cc3c-8c4e-844b-0f56d0927890",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "A health status alert will proactively notify you if a workspace becomes unavailable because of a datacenter or regional failure.\n",
+ "guid": "71fa168b-169a-4269-b163-a131c000d9c1",
+ "learnMoreLink": [
+ {
+ "name": "Monitor Log Analytics workspace health",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-health"
+ },
+ {
+ "name": "Azure Monitor configuration recommendations",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/best-practices-logs#configuration-recommendations"
+ }
+ ],
+ "longDescription": "A health status alert will proactively notify you if a workspace becomes unavailable because of a datacenter or regional failure.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Early alert for workspace failure",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.OperationalInsights/workspaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.OperationalInsights/workspaces",
+ "severity": "Low",
+ "source": "azure-resources/OperationalInsights/workspaces/recommendations.yaml",
+ "tags": null,
+ "text": "Create a health status alert rule for your Log Analytics workspace"
+ },
+ {
+ "aprlGuid": "e93bb813-b356-48f3-9bdf-a06a0a6ba039",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Ensure VM failover settings' static IP addresses are available in the failover subnet to maintain consistent IP assignment during failover, with the target VM receiving the same static IP if it's available or the next available IP otherwise. IP adjustments can be made in VM Network settings.\n",
+ "guid": "0d46b616-ed04-40f1-b1f2-36818f12f5ba",
+ "learnMoreLink": [
+ {
+ "name": "Setup network mapping for site recovery",
+ "url": "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#set-up-ip-addressing-for-target-vms"
+ }
+ ],
+ "longDescription": "Ensure VM failover settings' static IP addresses are available in the failover subnet to maintain consistent IP assignment during failover, with the target VM receiving the same static IP if it's available or the next available IP otherwise. IP adjustments can be made in VM Network settings.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Smooth failover IP management",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.RecoveryServices/vaults",
+ "recommendationTypeId": null,
+ "service": "Microsoft.RecoveryServices/vaults",
+ "severity": "High",
+ "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure static IP addresses in Site Recovery VM failover settings are available in failover subnet"
+ },
+ {
+ "aprlGuid": "17e877f7-3a89-4205-8a24-0670de54ddcd",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Perform a test failover to validate your BCDR strategy and ensure that your applications are functioning correctly in the target region without impacting your production environment. Test your Disaster Recovery plan periodically without any data loss or downtime, using test failovers.\n",
+ "guid": "7124c8e3-2f88-43c4-82c0-e14efe48f836",
+ "learnMoreLink": [
+ {
+ "name": "Run a test failover",
+ "url": "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-dr-drill#run-a-test-failover"
+ }
+ ],
+ "longDescription": "Perform a test failover to validate your BCDR strategy and ensure that your applications are functioning correctly in the target region without impacting your production environment. Test your Disaster Recovery plan periodically without any data loss or downtime, using test failovers.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Ensures BCDR plan accuracy and VM performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.RecoveryServices/vaults",
+ "recommendationTypeId": null,
+ "service": "Microsoft.RecoveryServices/vaults",
+ "severity": "High",
+ "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Validate VM functionality with a Site Recovery test failover to check performance at target"
+ },
+ {
+ "aprlGuid": "2912472d-0198-4bdc-aa90-37f145790edc",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Classic alerts for Recovery Services vaults in Azure Backup will be retired on 31 March 2026.\n",
+ "guid": "44220f15-026b-4c20-ac37-d6bc8aaf93f3",
+ "learnMoreLink": [
+ {
+ "name": "Move to Azure monitor Alerts",
+ "url": "https://learn.microsoft.com/azure/backup/move-to-azure-monitor-alerts"
+ },
+ {
+ "name": "Classic alerts retirement announcement",
+ "url": "https://azure.microsoft.com/updates/transition-to-builtin-azure-monitor-alerts-for-recovery-services-vaults-in-azure-backup-by-31-march-2026/"
+ }
+ ],
+ "longDescription": "Classic alerts for Recovery Services vaults in Azure Backup will be retired on 31 March 2026.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced, scalable, and consistent alerting.",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.RecoveryServices/vaults",
+ "recommendationTypeId": "06578866-1877-41e6-9d22-3ea5122e8048",
+ "service": "Microsoft.RecoveryServices/vaults",
+ "severity": "Medium",
+ "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults"
+ },
+ {
+ "aprlGuid": "1549b91f-2ea0-4d4f-ba2a-4596becbe3de",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Cross Region Restore enables the restoration of Azure VMs in a secondary, Azure paired region, facilitating drills for audit or compliance and allowing recovery of VMs or disks in the event of a primary region disaster. It is an opt-in feature available exclusively for GRS vaults.\n",
+ "guid": "953e01ba-ba61-43eb-b082-69475bc61ddf",
+ "learnMoreLink": [
+ {
+ "name": "Set Cross Region Restore",
+ "url": "https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-cross-region-restore"
+ },
+ {
+ "name": "Azure Backup Best Practices",
+ "url": "https://learn.microsoft.com/azure/backup/guidance-best-practices"
+ },
+ {
+ "name": "Minimum Role Requirements for Cross Region Restore",
+ "url": "https://learn.microsoft.com/azure/backup/backup-rbac-rs-vault#minimum-role-requirements-for-azure-vm-backup"
+ },
+ {
+ "name": "Recovery Services Vault",
+ "url": "https://learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare"
+ }
+ ],
+ "longDescription": "Cross Region Restore enables the restoration of Azure VMs in a secondary, Azure paired region, facilitating drills for audit or compliance and allowing recovery of VMs or disks in the event of a primary region disaster. It is an opt-in feature available exclusively for GRS vaults.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances disaster recovery capabilities",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.RecoveryServices/vaults",
+ "recommendationTypeId": "9b1308f1-4c25-4347-a061-7cc5cd6a44ab",
+ "service": "Microsoft.RecoveryServices/vaults",
+ "severity": "Medium",
+ "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Cross Region Restore for your GRS Recovery Services Vault"
+ },
+ {
+ "aprlGuid": "9e39919b-78af-4a0b-b70f-c548dae97c25",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "With soft delete, if backup data is deleted, the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss with no cost to you. Soft delete is enabled by default. Disabling this feature isn't recommended.\n",
+ "guid": "ed4deb1e-e615-4e4b-8ab3-f914656ee6da",
+ "learnMoreLink": [
+ {
+ "name": "Soft Delete for Azure Backup",
+ "url": "https://learn.microsoft.com/azure/backup/backup-azure-security-feature-cloud?tabs=azure-portal"
+ }
+ ],
+ "longDescription": "With soft delete, if backup data is deleted, the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss with no cost to you. Soft delete is enabled by default. Disabling this feature isn't recommended.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances disaster recovery capabilities",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.RecoveryServices/vaults",
+ "recommendationTypeId": null,
+ "service": "Microsoft.RecoveryServices/vaults",
+ "severity": "Medium",
+ "source": "azure-resources/RecoveryServices/vaults/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Soft Delete for Recovery Services Vaults in Azure Backup"
+ },
+ {
+ "aprlGuid": "98bd7098-49d6-491b-86f1-b143d6b1a0ff",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Ensure resource locations align with their resource group to manage resources during regional outages. ARM stores resource data, which if in an unavailable region, could halt updates, rendering resources read-only.\n",
+ "guid": "1f6a175c-4954-4e15-818c-fe04d2d4d9ed",
+ "learnMoreLink": [
+ {
+ "name": "Azure Resource Manager Overview",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-group-location-alignment"
+ }
+ ],
+ "longDescription": "Ensure resource locations align with their resource group to manage resources during regional outages. ARM stores resource data, which if in an unavailable region, could halt updates, rendering resources read-only.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves outage management",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Resources/resourceGroups",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Resources/resourceGroups",
+ "severity": "High",
+ "source": "azure-resources/Resources/resourceGroups/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure Resource Group and its Resources are located in the same Region"
+ },
+ {
+ "aprlGuid": "20057905-262c-49fe-a9be-49f423afb359",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Use Service Bus with zone redundancy for high availability. The Premium SKU supports availability zones, ensuring isolation within the same region. It manages 3 copies of the messaging store, kept in sync.\n",
+ "guid": "43cc2f49-0d0c-4938-900a-bd27e317c2e1",
+ "learnMoreLink": [
+ {
+ "name": "Service Bus and reliability",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/services/messaging/service-bus/reliability"
+ },
+ {
+ "name": "Azure Service Bus Geo-disaster recovery",
+ "url": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-geo-dr#availability-zones"
+ },
+ {
+ "name": "Insulate Azure Service Bus applications against outages and disasters",
+ "url": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-outages-disasters"
+ }
+ ],
+ "longDescription": "Use Service Bus with zone redundancy for high availability. The Premium SKU supports availability zones, ensuring isolation within the same region. It manages 3 copies of the messaging store, kept in sync.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances fault tolerance and uptime",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ServiceBus/namespaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ServiceBus/namespaces",
+ "severity": "High",
+ "source": "azure-resources/ServiceBus/namespaces/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Availability Zones for Service Bus namespaces"
+ },
+ {
+ "aprlGuid": "d810e3a8-600f-4be1-895b-1a93e61d37fd",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "Use Service Bus with auto-scale for high availability. The Premium SKU supports auto-scale, ensuring that the resources are automatically scaled based on the load.\n",
+ "guid": "56e355dd-c728-4494-b8d4-a23df08857d8",
+ "learnMoreLink": [
+ {
+ "name": "Service Bus auto-scaling",
+ "url": "https://learn.microsoft.com/azure/service-bus-messaging/automate-update-messaging-units"
+ }
+ ],
+ "longDescription": "Use Service Bus with auto-scale for high availability. The Premium SKU supports auto-scale, ensuring that the resources are automatically scaled based on the load.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Ensures high availability and performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.ServiceBus/namespaces",
+ "recommendationTypeId": null,
+ "service": "Microsoft.ServiceBus/namespaces",
+ "severity": "High",
+ "source": "azure-resources/ServiceBus/namespaces/recommendations.yaml",
+ "tags": null,
+ "text": "Enable auto-scale for production workloads on Service Bus namespaces"
+ },
+ {
+ "aprlGuid": "6a8b3db9-5773-413a-a127-4f7032f34bbd",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Use SignalR with zone redundancy for production to improve uptime. This feature, available in the Premium tier, is activated upon creating or upgrading to Premium. Standard can upgrade to Premium without downtime.\n",
+ "guid": "4c66551c-bc2e-4aa7-93c7-234740d04e3c",
+ "learnMoreLink": [
+ {
+ "name": "Availability zones support in Azure SignalR Service",
+ "url": "https://learn.microsoft.com/azure/azure-signalr/availability-zones"
+ }
+ ],
+ "longDescription": "Use SignalR with zone redundancy for production to improve uptime. This feature, available in the Premium tier, is activated upon creating or upgrading to Premium. Standard can upgrade to Premium without downtime.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances reliability and uptime",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.SignalRService/SignalR",
+ "recommendationTypeId": null,
+ "service": "Microsoft.SignalRService/SignalR",
+ "severity": "High",
+ "source": "azure-resources/SignalRService/signalR/recommendations.yaml",
+ "tags": null,
+ "text": "Enable zone redundancy for SignalR"
+ },
+ {
+ "aprlGuid": "74c2491d-048b-0041-a140-935960220e20",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Active Geo Replication ensures business continuity by utilizing readable secondary database replicas. In case of primary database failure, manually failover to secondary database. Secondaries, up to four, can be in same/different regions, used for read-only access.\n",
+ "guid": "bac12d33-af1d-4319-8883-1b9ca90ff89f",
+ "learnMoreLink": [
+ {
+ "name": "Active Geo Replication",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview"
+ }
+ ],
+ "longDescription": "Active Geo Replication ensures business continuity by utilizing readable secondary database replicas. In case of primary database failure, manually failover to secondary database. Secondaries, up to four, can be in same/different regions, used for read-only access.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced disaster recovery and read scalability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Sql/servers",
+ "recommendationTypeId": "2ea11bcb-dfd0-48dc-96f0-beba578b989a",
+ "service": "Microsoft.Sql/servers",
+ "severity": "High",
+ "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "tags": null,
+ "text": "Use Active Geo Replication to Create a Readable Secondary in Another Region"
+ },
+ {
+ "aprlGuid": "943c168a-2ec2-a94c-8015-85732a1b4859",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "Failover Groups facilitate disaster recovery by configuring databases on one logical server to replicate to another region's logical server. This streamlines geo-replicated database management, offering a single endpoint for connection routing to replicated databases if the primary server fails.\n",
+ "guid": "d3467425-00c1-4cd7-b554-1017f6915ca7",
+ "learnMoreLink": [
+ {
+ "name": "AutoFailover Groups",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-overview?tabs=azure-powershell"
+ },
+ {
+ "name": "DR Design",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/designing-cloud-solutions-for-disaster-recovery"
+ }
+ ],
+ "longDescription": "Failover Groups facilitate disaster recovery by configuring databases on one logical server to replicate to another region's logical server. This streamlines geo-replicated database management, offering a single endpoint for connection routing to replicated databases if the primary server fails.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Improves load balancing and disaster recovery",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Sql/servers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Sql/servers",
+ "severity": "High",
+ "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "tags": null,
+ "text": "Auto Failover Groups can encompass one or multiple databases, usually used by the same app."
+ },
+ {
+ "aprlGuid": "c0085c32-84c0-c247-bfa9-e70977cbf108",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "By default, Azure SQL Database premium tier provisions multiple copies within the same region. For geo redundancy, databases can be set as Zone Redundant, distributing copies across Azure Availability Zones to maintain availability during regional outages.\n",
+ "guid": "07f06afc-5969-419f-8838-4ee6be35c953",
+ "learnMoreLink": [
+ {
+ "name": "Zone Redundant Databases",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/high-availability-sla"
+ }
+ ],
+ "longDescription": "By default, Azure SQL Database premium tier provisions multiple copies within the same region. For geo redundancy, databases can be set as Zone Redundant, distributing copies across Azure Availability Zones to maintain availability during regional outages.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced reliability, no extra cost",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Sql/servers",
+ "recommendationTypeId": "807e58d0-e385-41ad-987b-4a4b3e3fb563",
+ "service": "Microsoft.Sql/servers",
+ "severity": "Medium",
+ "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "tags": null,
+ "text": "Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency"
+ },
+ {
+ "aprlGuid": "cbb17a29-64fb-c943-95d0-8df814a37c40",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "During transient failures, the application should handle connection retries effectively with Azure SQL Database. No Database layer configuration is needed; instead, the application must be set up for graceful retrying.\n",
+ "guid": "f2849493-136b-482f-94d9-4a657c10276b",
+ "learnMoreLink": [
+ {
+ "name": "How to Implement Retry Logic",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/troubleshoot-common-connectivity-issues"
+ }
+ ],
+ "longDescription": "During transient failures, the application should handle connection retries effectively with Azure SQL Database. No Database layer configuration is needed; instead, the application must be set up for graceful retrying.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced connectivity stability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Sql/servers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Sql/servers",
+ "severity": "High",
+ "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "tags": null,
+ "text": "Implement Retry Logic"
+ },
+ {
+ "aprlGuid": "7e7daec9-6a81-3546-a4cc-9aef72fec1f7",
+ "automationAvailable": "arg",
+ "category": "Monitoring and Alerting",
+ "description": "Monitoring and alerting are an important part of database operations. When working with Azure SQL Database, make use of Azure Monitor and SQL Insights to ensure that you capture relevant database metrics.\n",
+ "guid": "bbe70111-adfc-4058-91d5-2969ef525c37",
+ "learnMoreLink": [
+ {
+ "name": "Azure Monitor",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-monitor/insights/azure-sql#analyze-data-and-create-alerts"
+ },
+ {
+ "name": "Azure SQL Database Monitoring",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/monitoring-sql-database-azure-monitor"
+ },
+ {
+ "name": "Monitoring SQL Database Reference",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/monitoring-sql-database-azure-monitor-reference"
+ }
+ ],
+ "longDescription": "Monitoring and alerting are an important part of database operations. When working with Azure SQL Database, make use of Azure Monitor and SQL Insights to ensure that you capture relevant database metrics.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Quick incident detection and response",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Sql/servers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Sql/servers",
+ "severity": "High",
+ "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents"
+ },
+ {
+ "aprlGuid": "d6ef87aa-574e-584e-a955-3e6bb8b5425b",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "It is highly recommended to use Azure Key Vault (AKV) to store encryption keys related to Always Encrypted configurations, however it is not required. If you are not using AKV, then ensure that your keys are properly backed up and stored in a secure manner.\n",
+ "guid": "095a923a-a4fd-489e-a372-8e6cc1f8f352",
+ "learnMoreLink": [
+ {
+ "name": "Azure Key Vault",
+ "url": "https://learn.microsoft.com/en-us/azure/key-vault/general/overview"
+ },
+ {
+ "name": "Getting Started with Always Encrypted",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-landing?view=azuresql"
+ }
+ ],
+ "longDescription": "It is highly recommended to use Azure Key Vault (AKV) to store encryption keys related to Always Encrypted configurations, however it is not required. If you are not using AKV, then ensure that your keys are properly backed up and stored in a secure manner.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security and data recovery",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Sql/servers",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Sql/servers",
+ "severity": "Medium",
+ "source": "azure-resources/Sql/servers/recommendations.yaml",
+ "tags": null,
+ "text": "Back Up Your Keys"
+ },
+ {
+ "aprlGuid": "e6c7e1cc-2f47-264d-aa50-1da421314472",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost.\n",
+ "guid": "f4fc32c2-fab7-450b-91b8-c534c3e0258a",
+ "learnMoreLink": [
+ {
+ "name": "Azure Storage redundancy",
+ "url": "https://learn.microsoft.com/azure/storage/common/storage-redundancy"
+ },
+ {
+ "name": "Change the redundancy configuration for a storage account",
+ "url": "https://learn.microsoft.com/azure/storage/common/redundancy-migration"
+ }
+ ],
+ "longDescription": "Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost.\n",
+ "pgVerified": true,
+ "potentialBenefits": "High availability and durability for storage",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "High",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Ensure that storage accounts are zone or region redundant"
+ },
+ {
+ "aprlGuid": "63ad027e-611c-294b-acc5-8e3234db9a40",
+ "automationAvailable": "arg",
+ "category": "Service Upgrade and Retirement",
+ "description": "Classic storage accounts will be fully retired on August 31, 2024. If you have classic storage accounts, start planning your migration now.\n",
+ "guid": "41eb0f1f-b998-49f2-8d47-5143251f0d66",
+ "learnMoreLink": [
+ {
+ "name": "Azure classic storage accounts retirement announcement",
+ "url": "https://azure.microsoft.com/updates/classic-azure-storage-accounts-will-be-retired-on-31-august-2024/"
+ },
+ {
+ "name": "Migrate your classic storage accounts to Azure Resource Manager",
+ "url": "https://learn.microsoft.com/azure/storage/common/classic-account-migration-overview"
+ }
+ ],
+ "longDescription": "Classic storage accounts will be fully retired on August 31, 2024. If you have classic storage accounts, start planning your migration now.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids service retirement issues",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Service Upgrade and Retirement",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": "47bb383c-8e25-95f0-c2aa-437add1d87d3",
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "High",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Classic Storage Accounts must be migrated to new Azure Resource Manager resources"
+ },
+ {
+ "aprlGuid": "5587ef77-7a05-a74d-9c6e-449547a12f27",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Use premium performance block blob storage instead of standard performance storage for workloads that require fast storage response times and/or high transaction rates.\n",
+ "guid": "3d51a650-a80b-4a8b-9343-9f4e93a16897",
+ "learnMoreLink": [
+ {
+ "name": "Types of storage accounts",
+ "url": "https://learn.microsoft.com/azure/storage/common/storage-account-overview#types-of-storage-accounts"
+ },
+ {
+ "name": "Scalability and performance targets for standard storage accounts",
+ "url": "https://learn.microsoft.com/azure/storage/common/scalability-targets-standard-account"
+ },
+ {
+ "name": "Performance and scalability checklist for Blob storage",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/storage-performance-checklist"
+ },
+ {
+ "name": "Scalability and performance targets for Blob storage",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/scalability-targets"
+ },
+ {
+ "name": "Premium block blob storage accounts",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/storage-blob-block-blob-premium"
+ }
+ ],
+ "longDescription": "Use premium performance block blob storage instead of standard performance storage for workloads that require fast storage response times and/or high transaction rates.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Optimized cost and performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": "c6b94711-f1f5-4e7e-9c89-c17ed4190969",
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Use premium performance block blob storage for high performance workloads"
+ },
+ {
+ "aprlGuid": "03263c57-c869-3841-9e0a-3dbb9ef3e28d",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "The soft delete option enables data recovery if mistakenly deleted, while the Lock feature prevents the accidental deletion of the storage account itself, ensuring additional security and data integrity measures.\n",
+ "guid": "da1c415b-0ae6-4bff-8c4a-91bcb034b4d9",
+ "learnMoreLink": [
+ {
+ "name": "Soft delete detail docs",
+ "url": "https://learn.microsoft.com//azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal "
+ }
+ ],
+ "longDescription": "The soft delete option enables data recovery if mistakenly deleted, while the Lock feature prevents the accidental deletion of the storage account itself, ensuring additional security and data integrity measures.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Prevents accidental data/account loss",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": "42dbf883-9e4b-4f84-9da4-232b87c4b5e9",
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Soft Delete to protect your data"
+ },
+ {
+ "aprlGuid": "8ebda7c0-e0e1-ed45-af59-2d7ea9a1c05d",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Consider enabling versioning for Azure Storage Accounts to recover from accidental modifications or deletions and manage blob operation latency. Microsoft advises maintaining fewer than 1000 versions per blob to optimize performance. Lifecycle management can help delete old versions automatically.\n",
+ "guid": "a9e4ebd1-25ad-4e2b-9668-5b01d278cd5b",
+ "learnMoreLink": [
+ {
+ "name": "Blob versioning",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/versioning-overview "
+ }
+ ],
+ "longDescription": "Consider enabling versioning for Azure Storage Accounts to recover from accidental modifications or deletions and manage blob operation latency. Microsoft advises maintaining fewer than 1000 versions per blob to optimize performance. Lifecycle management can help delete old versions automatically.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Recover data, manage latency",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "Low",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable versioning for accidental modification and keep the number of versions below 1000"
+ },
+ {
+ "aprlGuid": "1b965cb9-7629-214e-b682-6bf6e450a100",
+ "automationAvailable": false,
+ "category": "Disaster Recovery",
+ "description": "Consider enabling point-in-time restore for standard general purpose v2 accounts with flat namespace to protect against accidental deletion or corruption by restoring block blob data to an earlier state.\n",
+ "guid": "38d3f9c5-e576-40fa-aee5-1a9fd3a188ed",
+ "learnMoreLink": [
+ {
+ "name": "Point-in-time restore for block blobs",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/point-in-time-restore-overview"
+ },
+ {
+ "name": "Perform a point-in-time restore on block blob data",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/point-in-time-restore-manage?tabs=portal"
+ }
+ ],
+ "longDescription": "Consider enabling point-in-time restore for standard general purpose v2 accounts with flat namespace to protect against accidental deletion or corruption by restoring block blob data to an earlier state.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Protects data from loss/corruption",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "Low",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable point-in-time restore for GPv2 accounts to safeguard against data loss"
+ },
+ {
+ "aprlGuid": "96cb8331-6b06-8242-8ce8-4e2f665dc679",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "For critical applications and business processes relying on Azure, monitoring and alerts are crucial. Resource logs are only stored after creating a diagnostic setting to route logs to specified locations, requiring selection of log categories to collect.\n",
+ "guid": "21868902-37d8-4306-87e5-7bf83c34db12",
+ "learnMoreLink": [
+ {
+ "name": "Monitor Azure Blob Storage",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/monitor-blob-storage"
+ },
+ {
+ "name": "Best practices for monitoring Azure Blob Storage",
+ "url": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios"
+ }
+ ],
+ "longDescription": "For critical applications and business processes relying on Azure, monitoring and alerts are crucial. Resource logs are only stored after creating a diagnostic setting to route logs to specified locations, requiring selection of log categories to collect.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced alerting and log analysis",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "Low",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor all blob storage accounts"
+ },
+ {
+ "aprlGuid": "2ad78dec-5a4d-4a30-8fd1-8584335ad781",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "General-purpose v2 accounts are recommended for most storage scenarios offering the latest features or the lowest per-gigabyte pricing. Legacy accounts like Standard general-purpose v1 and Blob Storage aren't advised by Microsoft but may fit specific scenarios.\n",
+ "guid": "9c049733-718b-4431-be66-87c5fb60a940",
+ "learnMoreLink": [
+ {
+ "name": "Legacy storage account types",
+ "url": "https://learn.microsoft.com/azure/storage/common/storage-account-overview#legacy-storage-account-types"
+ },
+ {
+ "name": "Upgrade to a general-purpose v2 storage account",
+ "url": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade"
+ }
+ ],
+ "longDescription": "General-purpose v2 accounts are recommended for most storage scenarios offering the latest features or the lowest per-gigabyte pricing. Legacy accounts like Standard general-purpose v1 and Blob Storage aren't advised by Microsoft but may fit specific scenarios.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Latest features, lowest cost",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "Low",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Consider upgrading legacy storage accounts to v2 storage accounts"
+ },
+ {
+ "aprlGuid": "dc55be60-6f8c-461e-a9d5-a3c7686ed94e",
+ "automationAvailable": "arg",
+ "category": "Security",
+ "description": "Leverage Azure Private Link Service for secure access to Azure Storage and services via Private Endpoint in your VNet. Eliminate the need for public IPs, ensuring data privacy. Enjoy granular access control for enhanced security.\n",
+ "guid": "91a6caec-e427-4d46-91e8-0dcf5153ade1",
+ "learnMoreLink": [
+ {
+ "name": "Learn More",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop#azure-virtual-desktop-limitations"
+ },
+ {
+ "name": "Private Link",
+ "url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/networking#private-endpoints-private-link"
+ }
+ ],
+ "longDescription": "Leverage Azure Private Link Service for secure access to Azure Storage and services via Private Endpoint in your VNet. Eliminate the need for public IPs, ensuring data privacy. Enjoy granular access control for enhanced security.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Secure, private access to storage with no public IPs",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Security",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Storage/storageAccounts",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Storage/storageAccounts",
+ "severity": "Medium",
+ "source": "azure-resources/Storage/storageAccounts/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Azure Private Link service for storage accounts"
+ },
+ {
+ "aprlGuid": "c041d596-6c97-4c5f-b4b3-9cd37628f2e2",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "A Citrix Managed Azure subscription supports VMs with VDA for app/desktop delivery, excluding other machines like Cloud Connectors. When close to the limit, signaled by a dashboard notification, and with sufficient licenses, request another subscription. Can't exceed the given limits for catalogs.\n",
+ "guid": "2d824995-de40-457f-b2f6-23c2cb940e7f",
+ "learnMoreLink": [
+ {
+ "name": "Citrix Limits",
+ "url": "https://docs.citrix.com/en-us/citrix-daas-azure/limits"
+ }
+ ],
+ "longDescription": "A Citrix Managed Azure subscription supports VMs with VDA for app/desktop delivery, excluding other machines like Cloud Connectors. When close to the limit, signaled by a dashboard notification, and with sufficient licenses, request another subscription. Can't exceed the given limits for catalogs.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Avoids hitting limit, ensures reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Subscription/Subscriptions",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Subscription/Subscriptions",
+ "severity": "High",
+ "source": "azure-resources/Subscription/subscriptions/recommendations.yaml",
+ "tags": null,
+ "text": "Do not create more than 2000 Citrix VDA servers per subscription"
+ },
+ {
+ "aprlGuid": "5ada5ffa-7149-4e49-9fbf-e67be7c2594c",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "The root management group in Azure is designed for organizational hierarchy, allowing for all management groups and subscriptions to fold into it.\n",
+ "guid": "6142e48a-012b-4082-b0ff-d36dfa8c6aef",
+ "learnMoreLink": [
+ {
+ "name": "Management group recommendations",
+ "url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations"
+ },
+ {
+ "name": "Root management group for each directory",
+ "url": "https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#root-management-group-for-each-directory"
+ }
+ ],
+ "longDescription": "The root management group in Azure is designed for organizational hierarchy, allowing for all management groups and subscriptions to fold into it.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhanced security, compliance, and management",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Subscription/Subscriptions",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Subscription/Subscriptions",
+ "severity": "Medium",
+ "source": "azure-resources/Subscription/subscriptions/recommendations.yaml",
+ "tags": null,
+ "text": "Subscriptions should not be placed under the Tenant Root Management Group"
+ },
+ {
+ "aprlGuid": "19b6df57-f6b5-3e4f-843a-273daa087cb0",
+ "automationAvailable": false,
+ "category": "High Availability",
+ "description": "When building Image Templates, use sources for gen 2 VMs. Gen 2 offers more memory, supports >2TB disks, uses UEFI for faster boot/installation, has Intel SGX, and virtualized persistent memory (vPMEM), unlike gen 1's BIOS-based architecture.\n",
+ "guid": "a7f0d8bb-578f-407e-a312-80da6dc5bac2",
+ "learnMoreLink": [
+ {
+ "name": "Generation 1 vs generation 2 virtual machines",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2#features-and-capabilities"
+ }
+ ],
+ "longDescription": "When building Image Templates, use sources for gen 2 VMs. Gen 2 offers more memory, supports >2TB disks, uses UEFI for faster boot/installation, has Intel SGX, and virtualized persistent memory (vPMEM), unlike gen 1's BIOS-based architecture.\n",
+ "pgVerified": true,
+ "potentialBenefits": "More memory, supports >2TB disks, faster boot",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.VirtualMachineImages/imageTemplates",
+ "recommendationTypeId": null,
+ "service": "Microsoft.VirtualMachineImages/imageTemplates",
+ "severity": "Low",
+ "source": "azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml",
+ "tags": null,
+ "text": "Use Generation 2 virtual machine source image"
+ },
+ {
+ "aprlGuid": "21fb841b-ba70-1f4e-a460-1f72fb41aa51",
+ "automationAvailable": "arg",
+ "category": "Disaster Recovery",
+ "description": "The Azure Image Builder service, used for deploying Image Templates, lacks availability zones support. By replicating Image Templates to a secondary, preferably paired, region, quick recovery from a region failure is enabled, ensuring continuous virtual machine deployment from these templates.\n",
+ "guid": "7dd16bbd-4760-466a-9fac-871e85f954a1",
+ "learnMoreLink": [
+ {
+ "name": "Image Template resiliency",
+ "url": "https://learn.microsoft.com/en-us/azure/reliability/reliability-image-builder?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json#capacity-and-proactive-disaster-recovery-resiliency"
+ },
+ {
+ "name": "Azure Image Builder Supported Regions",
+ "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell#regions"
+ }
+ ],
+ "longDescription": "The Azure Image Builder service, used for deploying Image Templates, lacks availability zones support. By replicating Image Templates to a secondary, preferably paired, region, quick recovery from a region failure is enabled, ensuring continuous virtual machine deployment from these templates.\n",
+ "pgVerified": true,
+ "potentialBenefits": "Enhances disaster recovery capability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Disaster Recovery",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.VirtualMachineImages/imageTemplates",
+ "recommendationTypeId": null,
+ "service": "Microsoft.VirtualMachineImages/imageTemplates",
+ "severity": "Low",
+ "source": "azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml",
+ "tags": null,
+ "text": "Replicate your Image Templates to a secondary region"
+ },
+ {
+ "aprlGuid": "88cb90c2-3b99-814b-9820-821a63f600dd",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Azure's feature of deploying App Service plans across availability zones enhances resiliency and reliability by ensuring operation during datacenter failures, providing redundancy without needing different regions, thus minimizing downtime and maintaining uninterrupted services.\n",
+ "guid": "4a9d4efa-df19-4e77-b417-d2d8312fc81d",
+ "learnMoreLink": [
+ {
+ "name": "Migrate App Service to availability zone support",
+ "url": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service"
+ },
+ {
+ "name": "High availability enterprise deployment using App Service Environment",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/enterprise-integration/ase-high-availability-deployment"
+ }
+ ],
+ "longDescription": "Azure's feature of deploying App Service plans across availability zones enhances resiliency and reliability by ensuring operation during datacenter failures, providing redundancy without needing different regions, thus minimizing downtime and maintaining uninterrupted services.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhances app resiliency and reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/serverFarms",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/serverFarms",
+ "severity": "High",
+ "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "tags": null,
+ "text": "Migrate App Service to availability Zone Support"
+ },
+ {
+ "aprlGuid": "b2113023-a553-2e41-9789-597e2fb54c31",
+ "automationAvailable": "arg",
+ "category": "High Availability",
+ "description": "Choose Standard/Premium Azure App Service Plan for robust apps with advanced scaling, high availability, better performance, and multiple slots, ensuring resilience and continuous operation.\n",
+ "guid": "1e250488-36b3-4062-9096-5363e03ec0df",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for specific Azure services",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#app-service"
+ }
+ ],
+ "longDescription": "Choose Standard/Premium Azure App Service Plan for robust apps with advanced scaling, high availability, better performance, and multiple slots, ensuring resilience and continuous operation.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced scaling and reliability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "High Availability",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/serverFarms",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/serverFarms",
+ "severity": "High",
+ "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "tags": null,
+ "text": "Use Standard or Premium tier"
+ },
+ {
+ "aprlGuid": "07243659-4643-d44c-a1c6-07ac21635072",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "Avoid frequent scaling up/down of Azure App Service instances to prevent service disruptions. Choose the right tier and size for the workload and scale out for traffic changes, as scaling adjustments can trigger application restarts.\n",
+ "guid": "5f7aaef1-c5f1-40fe-b4ac-3c8c3dc157f2",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for specific Azure services",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#app-service"
+ }
+ ],
+ "longDescription": "Avoid frequent scaling up/down of Azure App Service instances to prevent service disruptions. Choose the right tier and size for the workload and scale out for traffic changes, as scaling adjustments can trigger application restarts.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Minimizes restarts, enhances stability",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/serverFarms",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/serverFarms",
+ "severity": "Medium",
+ "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "tags": null,
+ "text": "Avoid scaling up or down"
+ },
+ {
+ "aprlGuid": "dbe3fd66-fb2a-9d46-b162-1791e21da236",
+ "automationAvailable": false,
+ "category": "Governance",
+ "description": "It is strongly recommended to create separate App Service plans for production and test environments to avoid using slots within your production deployment for testing purposes.\n",
+ "guid": "5ccdfc86-f71e-47c0-a06d-70cfecc74f8a",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for specific Azure services",
+ "url": "https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#app-service"
+ }
+ ],
+ "longDescription": "It is strongly recommended to create separate App Service plans for production and test environments to avoid using slots within your production deployment for testing purposes.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Protects prod performance; avoids test impact",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "High",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/serverFarms",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/serverFarms",
+ "severity": "High",
+ "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "tags": null,
+ "text": "Create separate App Service plans for production and test"
+ },
+ {
+ "aprlGuid": "6320abf6-f917-1843-b2ae-4779c35985ae",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Enabling Autoscale/Automatic Scaling for your Azure App Service ensures sufficient resources for incoming requests. Autoscaling is rule-based, whereas Automatic Scaling, a newer feature, automatically adjusts resources based on HTTP traffic.\n",
+ "guid": "85fecac9-b021-44cb-aa49-3e482bd9316f",
+ "learnMoreLink": [
+ {
+ "name": "Automatic scaling in Azure App Service",
+ "url": "https://learn.microsoft.com/en-us/azure/app-service/manage-automatic-scaling?tabs=azure-portal"
+ },
+ {
+ "name": "Auto Scale Web Apps",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started"
+ }
+ ],
+ "longDescription": "Enabling Autoscale/Automatic Scaling for your Azure App Service ensures sufficient resources for incoming requests. Autoscaling is rule-based, whereas Automatic Scaling, a newer feature, automatically adjusts resources based on HTTP traffic.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Optimizes resources for traffic",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/serverFarms",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/serverFarms",
+ "severity": "Medium",
+ "source": "azure-resources/Web/serverFarms/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Autoscale/Automatic scaling to ensure adequate resources are available to service requests"
+ },
+ {
+ "aprlGuid": "493f6079-3bb6-4a56-96ba-ab3248474cb1",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Enabling diagnostics logging for your Azure App Service is crucial for monitoring and diagnostics, including both application logging and web server logging.\n",
+ "guid": "ff40df6b-8cb3-463e-8223-486a78118830",
+ "learnMoreLink": [
+ {
+ "name": "Enable diagnostics logging for apps in Azure App Service",
+ "url": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs"
+ }
+ ],
+ "longDescription": "Enabling diagnostics logging for your Azure App Service is crucial for monitoring and diagnostics, including both application logging and web server logging.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Monitoring and Alerting",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Low",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Enable diagnostics logging"
+ },
+ {
+ "aprlGuid": "a7e8bb3d-8ceb-442d-b26f-007cd63f9ffc",
+ "automationAvailable": false,
+ "category": "Monitoring and Alerting",
+ "description": "Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.\n",
+ "guid": "4ea95bc5-b454-4fe5-b8a9-7f68c01a9c36",
+ "learnMoreLink": [
+ {
+ "name": "Application Insights",
+ "url": "https://learn.microsoft.com/azure/application-insights/app-insights-overview"
+ },
+ {
+ "name": "Application monitoring for Azure App Service",
+ "url": "https://learn.microsoft.com/azure/azure-monitor/app/azure-web-apps"
+ }
+ ],
+ "longDescription": "Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Real-time insights and issue diagnosis",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Monitoring and Alerting",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Medium",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Monitor Performance"
+ },
+ {
+ "aprlGuid": "78a5c033-ff51-4332-8a71-83464c34494b",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "If your solution includes both a web front end and a web API, decomposing them into separate App Service apps facilitates solution decomposition by workload, allowing for independent scaling. Initially, you can deploy both in the same plan and separate them for independent scaling when necessary.\n",
+ "guid": "e17cf9e9-c72d-4bb0-a389-7dadf80acadd",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist for specific Azure services",
+ "url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#app-service"
+ }
+ ],
+ "longDescription": "If your solution includes both a web front end and a web API, decomposing them into separate App Service apps facilitates solution decomposition by workload, allowing for independent scaling. Initially, you can deploy both in the same plan and separate them for independent scaling when necessary.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Independent scaling, easier management",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Low",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Separate web apps from web APIs"
+ },
+ {
+ "aprlGuid": "3f9ddb59-0bb3-4acb-9c9b-99aa1776f0ab",
+ "automationAvailable": false,
+ "category": "Scalability",
+ "description": "Creating a separate storage account for logs and not using the same one for application data prevents logging activities from reducing application performance by ensuring that the resources dedicated to handling application data are not burdened by logging processes.\n",
+ "guid": "65604aab-d232-447f-91c3-2454f0f1a9dc",
+ "learnMoreLink": [
+ {
+ "name": "Resiliency checklist",
+ "url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#app-service"
+ }
+ ],
+ "longDescription": "Creating a separate storage account for logs and not using the same one for application data prevents logging activities from reducing application performance by ensuring that the resources dedicated to handling application data are not burdened by logging processes.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Improves app performance",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Medium",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Create a separate storage account for logs"
+ },
+ {
+ "aprlGuid": "a1d91661-32d4-430b-b3b6-5adeb0975df7",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "Create a deployment slot for staging to deploy updates, verify them, and ensure all instances are warmed up before production swap, reducing bad update chances. An LKG slot allows easy rollback to a previous good deployment if issues arise later, enhancing reliability.\n",
+ "guid": "a742df1b-28df-4ac6-8f4a-8877a4d43f22",
+ "learnMoreLink": [
+ {
+ "name": "Set up staging environments in Azure App Service",
+ "url": "https://learn.microsoft.com/azure/app-service-web/web-sites-staged-publishing"
+ }
+ ],
+ "longDescription": "Create a deployment slot for staging to deploy updates, verify them, and ensure all instances are warmed up before production swap, reducing bad update chances. An LKG slot allows easy rollback to a previous good deployment if issues arise later, enhancing reliability.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Safer updates and easy rollback",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Low",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": "1d3b5a51-62d4-4b77-96f6-40ed0a3aa21f",
+ "service": "Microsoft.Web/sites",
+ "severity": "Low",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Deploy to a staging slot"
+ },
+ {
+ "aprlGuid": "0b80b67c-afbe-4988-ad58-a85a146b681e",
+ "automationAvailable": "arg",
+ "category": "Other Best Practices",
+ "description": "Use app settings for configuration and define them in Resource Manager templates or via PowerShell to facilitate part of an automated deployment/update process for improved reliability.\n",
+ "guid": "51b2f4c1-179a-4605-89b9-7e5d7e43fc9b",
+ "learnMoreLink": [
+ {
+ "name": "Configure web apps in Azure App Service",
+ "url": "https://learn.microsoft.com/azure/app-service-web/web-sites-configure"
+ }
+ ],
+ "longDescription": "Use app settings for configuration and define them in Resource Manager templates or via PowerShell to facilitate part of an automated deployment/update process for improved reliability.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced reliability via automation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Medium",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Store configuration as app settings"
+ },
+ {
+ "aprlGuid": "fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d",
+ "automationAvailable": "arg",
+ "category": "Other Best Practices",
+ "description": "Use Health Check for production workloads. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. The Health check path should check critical components of your application.\n",
+ "guid": "3111002a-8c70-45d2-9daf-787d91ef717d",
+ "learnMoreLink": [
+ {
+ "name": "Monitor the health of App Service instances",
+ "url": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check?tabs=dotnet#enable-health-check"
+ }
+ ],
+ "longDescription": "Use Health Check for production workloads. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. The Health check path should check critical components of your application.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced reliability via automation",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Other Best Practices",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Medium",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Enable Health check for App Services"
+ },
+ {
+ "aprlGuid": "aab6b4a4-9981-43a4-8728-35c7ecbb746d",
+ "automationAvailable": "arg",
+ "category": "Governance",
+ "description": "Use network access restrictions to define a priority-ordered allow/deny list that controls network access to your app. Web application firewalls, such as the one available in Application Gateway, are recommended for protection of public-facing web applications.\n",
+ "guid": "d412f7ed-ecd0-47bd-8b5a-402c1006e877",
+ "learnMoreLink": [
+ {
+ "name": "Set up Azure App Service access restrictions",
+ "url": "https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli"
+ }
+ ],
+ "longDescription": "Use network access restrictions to define a priority-ordered allow/deny list that controls network access to your app. Web application firewalls, such as the one available in Application Gateway, are recommended for protection of public-facing web applications.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Enhanced security",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Governance",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Medium",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Configure network access restrictions"
+ },
+ {
+ "aprlGuid": "9e6682ac-31bc-4635-9959-ab74b52454e6",
+ "automationAvailable": "arg",
+ "category": "Scalability",
+ "description": "App Service should be configured with a minimum of two instances for production workloads. If apps have a longer warmup time a minimum of three instances should be used.\n",
+ "guid": "69a0f7b1-6acc-4670-8a19-7e6f5ef1e70d",
+ "learnMoreLink": [
+ {
+ "name": "Ultimate guide to running healthy apps in the cloud",
+ "url": "https://azure.github.io/AppService/2020/05/15/Robust-Apps-for-the-cloud.html"
+ }
+ ],
+ "longDescription": "App Service should be configured with a minimum of two instances for production workloads. If apps have a longer warmup time a minimum of three instances should be used.\n",
+ "pgVerified": false,
+ "potentialBenefits": "Improves app performace",
+ "publishedToAdvisor": false,
+ "publishedToLearn": false,
+ "recommendationControl": "Scalability",
+ "recommendationImpact": "Medium",
+ "recommendationMetadataState": "Active",
+ "recommendationResourceType": "Microsoft.Web/sites",
+ "recommendationTypeId": null,
+ "service": "Microsoft.Web/sites",
+ "severity": "Medium",
+ "source": "azure-resources/Web/sites/recommendations.yaml",
+ "tags": null,
+ "text": "Set minimum instance count to 2 for app service"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Prioritize user flows: Not all flows are equally critical. Assign priorities to each flow to guide your design decisions. User flow design can influence which service tiers and number of instances that you choose for an App Service plan and configuration.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Anticipate potential failures: Plan mitigation strategies for potential failures. The following table shows examples of failure mode analysis.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Build redundancy: Build redundancy in the application and supporting infrastructure. Spread instances across availability zones to improve fault tolerance. Traffic is routed to other zones if one zone fails. Deploy your application across multiple regions to ensure that your app remains available, even if an entire region experiences an outage.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Have a reliable scaling strategy: Unexpected load on an application can make it unreliable. Consider the right scaling approach based on your workload characteristics. You can sometimes scale up to handle the load. However, if the load continues to increase, scale out to new instances. Prefer automatic scaling over manual approaches. Always maintain a buffer of extra capacity during scaling operations to prevent performance degradation.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Plan your recoverability: Redundancy is crucial for business continuity. Fail over to another instance if one instance is unreachable. Explore automatic healing capabilities in App Service, such as automatic repair of instances.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Conduct reliability testing: Conduct load testing to evaluate your application's reliability and performance under load. Test plans should include scenarios that validate your automated recovery operations.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Use health probes to identify unresponsive workers: App Service has built-in capabilities that periodically ping a specific path of your web application. Unresponsive instances are removed from the load balancer and replaced with a new instance.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "A premium App Service plan offers advanced scaling features and ensures redundancy if failures occur.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Choose the Premium tier of an App Service plan for production workloads. Set the maximum and minimum number of workers according to your capacity planning. For more information, see App Service plan overview.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Your application can withstand failures in a single zone when multiple instances are spread across zones. Traffic automatically shifts to healthy instances in other zones and maintains application reliability if one zone is unavailable.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Enable zone redundancy. Consider provisioning more than three instances to enhance fault tolerance. Check regional support for zone redundancy because not all regions offer this feature.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Incoming requests are evenly distributed across all available nodes when you disable ARR affinity. Evenly distributed requests prevent traffic from overwhelming any single node. Requests can be seamlessly redirected to other healthy nodes if a node is unavailable. Avoid session affinity to ensure that your App Service instance remains stateless. A stateless App Service reduces complexity and ensures consistent behavior across nodes. Remove sticky sessions so that App Service can add or remove instances to scale horizontally.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Consider disabling the application request routing (ARR) affinity feature. ARR affinity creates sticky sessions that redirect users to the node that handled their previous requests.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Automatic healing rules help your application recover automatically from unexpected problems. The configured rules trigger healing actions when thresholds are breached. Automatic healing enables automatic proactive maintenance.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Define automatic healing rules based on request count, slow requests, memory limits, and other indicators that are part of your performance baseline. Consider this configuration as part of your scaling strategy.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Health checks can detect problems early. Then the system can automatically take corrective actions when a health check request fails. The load balancer routes traffic away from unhealthy instances, which directs users to healthy nodes.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Enable the health check feature and provide a path that responds to the health check requests.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Review security baselines: To enhance the security posture of your application that's hosted on an App Service plan, review the security baseline for App Service.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Use the latest runtime and libraries: Thoroughly test your application builds before you do updates to catch problems early and ensure a smooth transition to the new version. App Service supports the language runtime support policy for updating existing stacks and retiring end-of-support stacks.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Create segmentation through isolation boundaries to contain breach: Apply identity segmentation. For example, implement role-based access control (RBAC) to assign specific permissions based on roles. Follow the principle of least privilege to limit access rights to only what's necessary. Also create segmentation at the network level. Inject App Service apps in an Azure virtual network for isolation and define network security groups (NSGs) to filter traffic.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Apply access controls on identities: Restrict both inward access to the web app and outward access from the web app to other resources. This configuration applies access controls on identities and helps maintain the workload's overall security posture.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Control network traffic to and from the application: Don't expose application endpoints to the public internet. Instead, add a private endpoint on the web app that's placed in a dedicated subnet. Front your application with a reverse proxy that communicates with that private endpoint. Consider using Application Gateway or Azure Front Door for that purpose.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Encrypt data: Protect data in transit with end-to-end Transport Layer Security (TLS). Use your customer-managed keys for full encryption of data at rest. For more information, see Encryption at rest using customer-managed keys.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Reduce the attack surface: Remove default configurations that you don't need. For example, disable remote debugging, local authentication for Source Control Manager (SCM) sites, and basic authentication. Disable unsecure protocols like HTTP and File Transfer Protocol (FTP). Enforce configurations through Azure policies. For more information, see Azure policies.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Protect application secrets: You need to handle sensitive information, like API keys or authentication tokens. Instead of hardcoding these secrets directly into your application code or configuration files, you can use Azure Key Vault references in app settings. When the application starts, App Service automatically retrieves the secret values from Key Vault by using the app's managed identity.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Enable resource logs for your application: Enable resource logs for your application to create comprehensive activity trails that provide valuable data during investigations that follow security incidents.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The application retrieves secrets from Key Vault to authenticate outward communication from the application. Azure manages the identity and doesn't require you to provision or rotate any secrets. You have distinct identities for granularity of control. Distinct identities make revocation easy if an identity is compromised.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Assign managed identities to the web app. To maintain isolation boundaries, don't share or reuse identities across applications. Make sure that you securely connect to your container registry if you use containers for your deployment.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Custom domains enable secure communication through HTTPS using Transport Layer Security (TLS) protocol, which ensures the protection of sensitive data and builds user trust.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Configure custom domains for applications. Disable HTTP and only accept HTTPS requests.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "When you use this feature, you don't have to use authentication libraries in application code, which reduces complexity. The user is already authenticated when a request reaches the application.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) valuate whether App Service built-in authentication is the right mechanism to authenticate users that access your application. App Service built-in authentication integrates with Microsoft Entra ID. This feature handles token validation and user identity management across multiple sign-in providers and supports OpenID Connect. With this feature, you don't have authorization at a granular level, and you don't have a mechanism to test authentication.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Get the security benefits of using an Azure virtual network. For example, the application can securely access resources within the network. Add a private endpoint to help protect your application. Private endpoints limit direct exposure to the public network and allow controlled access through the reverse proxy.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Configure the application for virtual network integration. Use private endpoints for App Service apps. Block all public traffic. Route the container image pull through the virtual network integration. All outgoing traffic from the application passes through the virtual network.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "We don't recommend basic authentication as a secure deployment method. Microsoft Entra ID employs OAuth 2.0 token-based authentication, which offers numerous advantages and enhancements that address the limitations that are associated with basic authentication. Policies restrict access to application resources, only allow requests from specific domains, and secure cross-region requests.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) To implement hardening: - Disable basic authentication that uses a username and password in favor of Microsoft Entra ID-based authentication. - Turn off remote debugging so that inbound ports aren't opened. - Enable CORS policies to tighten incoming requests. - Disable protocols, such as FTP.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Secrets are kept separate from your app's configuration. App settings are encrypted at rest. App Service also manages secret rotations.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Always use Key Vault references as app settings.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Get real-time protection for resources that run in an App Service plan. Guard against threats and enhance your overall security posture.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Enable Microsoft Defender for Cloud for App Service.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Logging captures access patterns. It records relevant events that provide valuable insights into how users interact with an application or platform. This information is crucial for accountability, compliance, and security purposes.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Enable diagnostic logging and add instrumentation to your app. The logs are sent to Azure Storage accounts, Azure Event Hubs, and Log Analytics. For more information about audit log types, see Supported log types.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Estimate the initial cost: As part of your cost modeling exercise, use the Azure pricing calculator to evaluate the approximate costs associated with various tiers based on the number of instances that you plan to run. Each App Service tier offers different compute options.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Evaluate the discounted options: Higher tiers include dedicated compute instances. You can apply a reservation discount if your workload has a predictable and consistent usage pattern. Make sure that you analyze usage data to determine the type of reservation that suits your workload. For more information, see Save costs with App Service reserved instances.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Understand usage meters: Azure charges an hourly rate, prorated to the second, based on your App Service plan's pricing tier. Charges apply to each scaled-out instance in your plan, based on the time that you allocate the VM instance. Pay attention to underused compute resources that might increase your costs as a result of overallocation due to suboptimal SKU selection, or poorly configured scale-in configuration.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Consider the tradeoffs between density and isolation: You can use App Service plans to host multiple applications on the same compute, which saves costs with shared environments. For more information, see Tradeoffs.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Evaluate the effect of your scaling strategy on cost: You must properly design, test, and configure for scaling out and for scaling in when you implement autoscaling. Establish precise maximum and minimum limits on autoscaling.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Optimize environment costs: Consider the Basic or Free tier to run pre-production environments. These tiers are low performance and low cost. If you use the Basic or Free tier, use governance to enforce the tier, constrain the number of instances and CPUs, restrict scaling, and limit log retention.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Implement design patterns: This strategy reduces the volume of requests that your workload generates. Consider using patterns like the Backends for Frontends pattern and the Gateway Aggregation pattern, which can minimize the number of requests and reduce costs.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Regularly check data-related costs: Extended data retention periods or expensive storage tiers can lead to high storage costs. More expenses can accumulate due to both bandwidth usage and prolonged retention of logging data.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Optimize deployment costs: Take advantage of deployment slots to optimize costs. The slot runs in the same compute environment as the production instance. Use them strategically for scenarios like blue-green deployments that switch between slots. This approach minimizes downtime and ensures smooth transitions.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "The Free and Basic tiers are budget-friendly compared to higher tiers. They provide a cost-effective solution for nonproduction environments that don't need the full features and performance of premium plans.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Choose Free or Basic tiers for lower environments. We recommend these tiers for experimental use. Remove the tiers when you no longer need them.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Dev/test plans provide reduced rates for Azure services, which makes them cost-effective for nonproduction environments. Use reserved instances to prepay for compute resources and get significant discounts.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Take advantage of discounts and explore preferred pricing for: - Lower environments with dev/test plans. - Azure reservations and Azure savings plans for dedicated compute that you provision in the Premium V3 tier and App Service Environment. Use reserved instances for stable workloads that have predictable usage patterns.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "You can identify cost spikes, inefficiencies, or unexpected expenses early on. This proactive approach helps you to provide budgetary controls to prevent overspending.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Monitor costs that App Service resources incur. Run the cost analysis tool in the Azure portal. Create budgets and alerts to notify stakeholders.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Prevent wastage and reduce unnecessary expenses.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Scale in when demand decreases. To scale in, define scale rules to reduce the number of instances in Azure Monitor.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Manage releases: Use deployment slots to manage releases effectively. You can deploy your application to a slot, perform testing, and validate its functionality. After verification, you can seamlessly move the app to production. This process doesn't incur extra costs because the slot runs in the same virtual machine (VM) environment as the production instance.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Run automated tests: Before you promote a release of your web app, thoroughly test its performance, functionality, and integration with other components. Use Azure Load Testing, which integrates with Apache JMeter, a popular tool for performance testing. Explore automated tools for other types of testing, such as Phantom for functional testing.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Deploy immutable units: Implement the Deployment Stamps pattern to compartmentalize App Service into an immutable stamp. App Service supports the use of containers, which are inherently immutable. Consider custom containers for your App Service web app.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Keep production environments safe: Create separate App Service plans to run production and pre-production environments. Don't make changes directly in the production environment to ensure stability and reliability. Separate instances allow flexibility in development and testing before you promote changes to production.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Manage certificates: For custom domains, you need to manage TLS certificates.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "You can detect problems promptly and take necessary actions to maintain availability and performance.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Monitor the health of your instances and activate instance health probes. Set up a specific path for handling health probe requests.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Diagnostic logs provide valuable insights into your app's behavior. Monitor traffic patterns and identify anomalies.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Enable diagnostics logs for the application and the instance. Frequent logging can slow down the performance of the system, add to storage costs, and introduce risk if you have unsecure access to logs. Follow these best practices: - Log the right level of information. - Set retention policies. - Keep an audit trail of authorized access and unauthorized attempts. - Treat logs as data and apply data-protection controls.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "App Service automatically handles processes like certificate procurement, certificate verification, certificate renewal, and importing certificates from Key Vault. Alternatively, upload your certificate to Key Vault and authorize the App Service resource provider to access it.",
+ "service": "App Service Web Apps",
+ "text": "(App Service) Take advantage of App Service managed certificates to offload certification management to Azure.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Avoid downtime and errors. Quickly revert to the last-known good state if you detect a problem after a swap.",
+ "service": "App Service Web Apps",
+ "text": "(App Service plan) Validate app changes in the staging slot before you swap it with the production slot.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Identify and monitor performance indicators: Set targets for the key indicators for the application, such as the volume of incoming requests, time that the application takes to respond to requests, pending requests, and errors in HTTP responses. Consider key indicators as part of the performance baseline for the workload.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Assess capacity: Simulate various user scenarios to determine the optimal capacity that you need to handle expected traffic. Use Load Testing to understand how your application behaves under different levels of load.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Select the right tier: Use dedicated compute for production workloads. Premium tiers offer larger SKUs with increased memory and CPU capacity, more instances, and more features, such as zone redundancy. For more information, see Premium V3 pricing tier.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Optimize your scaling strategy: When possible, use autoscaling instead of manually adjusting the number of instances as application load changes. With autoscaling, App Service adjusts server capacity based on predefined rules or triggers. Make sure you do adequate performance testing and set the right rules for the right triggers.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Use caching: Retrieving information from a resource that doesn't change frequently and is expensive to access affects performance. Complex queries, including joins and multiple lookups, contribute to runtime. Perform caching to minimize the processing time and latency. Cache query results to avoid repeated round trips to the database or back end and reduce processing time for subsequent requests.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "App Service Web Apps",
+ "text": "Review the performance antipatterns: To make sure the web application performs and scales in accordance with your business requirements, avoid the typical antipatterns. Here are some antipatterns that App Service corrects.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "The application is never unloaded with Always On enabled.",
+ "service": "App Service Web Apps",
+ "text": "Enable the Always On setting when applications share a single App Service plan. App Service apps automatically unload when idle to save resources. The next request triggers a cold start, which can cause request timeouts.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Choose HTTP/2 over HTTP/1.1 because HTTP/2 fully multiplexes connections, reuses connections to reduce overhead, and compresses headers to minimize data transfer.",
+ "service": "App Service Web Apps",
+ "text": "Consider using HTTP/2 for applications to improve protocol efficiency.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Deploy the instances in a zone-aware configuration, where available.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Use Application Gateway with Web Application Firewall (WAF) within a virtual network to protect inbound `HTTP/S` traffic from the Internet.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "In new deployments, use Azure Application Gateway v2 unless there is a compelling reason to use Azure Application Gateway v1.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Plan for rule updates",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Use health probes to detect backend unavailability",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Review the impact of the interval and threshold settings on health probes",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Verify downstream dependencies through health endpoints",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Plan enough time for updates before accessing Application Gateway or making further changes. For example, removing servers from backend pool might take some time because they have to drain existing connections.",
+ "service": "Azure Application Gateway",
+ "text": "Plan for rule updates",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "If Application Gateway is used to load balance incoming traffic over multiple backend instances, we recommend the use of health probes. These will ensure that traffic is not routed to backends that are unable to handle the traffic.",
+ "service": "Azure Application Gateway",
+ "text": "Use health probes to detect backend unavailability",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The health probe sends requests to the configured endpoint at a set interval. Also, there's a threshold of failed requests that will be tolerated before the backend is marked unhealthy. These numbers present a trade-off.- Setting a higher interval puts a higher load on your service. Each Application Gateway instance sends its own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.- Setting a lower interval leaves more time before an outage is detected.- Setting a low unhealthy threshold might mean that short, transient failures might take down a backend. - Setting a high threshold it can take longer to take a backend out of rotation.",
+ "service": "Azure Application Gateway",
+ "text": "Review the impact of the interval and threshold settings on health probes",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Suppose each backend has its own dependencies to ensure failures are isolated. For example, an application hosted behind Application Gateway might have multiple backends, each connected to a different database (replica). When such a dependency fails, the application might be working but won't return valid results. For that reason, the health endpoint should ideally validate all dependencies. Keep in mind that if each call to the health endpoint has a direct dependency call, that database would receive 100 queries every 30 seconds instead of 1. To avoid this, the health endpoint should cache the state of the dependencies for a short period of time.",
+ "service": "Azure Application Gateway",
+ "text": "Verify downstream dependencies through health endpoints",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Certain scenarios can force you to implement rules specifically on Application Gateway. For example, if ModSec CRS 2.2.9, CRS 3.0 or CRS 3.1 rules are required, these rules can be only implemented on Application Gateway. Conversely, rate-limiting and geo-filtering are available only on Azure Front Door, not on AppGateway.",
+ "service": "Azure Application Gateway",
+ "text": "When using Azure Front Door and Application Gateway to protect `HTTP/S` applications, use WAF policies in Front Door and lock down Application Gateway to receive traffic only from Azure Front Door.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Set up a TLS policy for enhanced security",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Use AppGateway for TLS termination",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Use Azure Key Vault to store TLS certificates",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Use an appropriate DNS server for backend pool resources",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Comply with all NSG restrictions for Application Gateway",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Refrain from using UDRs on the Application Gateway subnet",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Be aware of Application Gateway capacity changes when enabling WAF",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Set up a TLS policy for extra security. Ensure you're always using the latest TLS policy version available. This enforces TLS 1.2 and stronger ciphers.",
+ "service": "Azure Application Gateway",
+ "text": "Set up a TLS policy for enhanced security",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "There are advantages of using Application Gateway for TLS termination:- Performance improves because requests going to different backends to have to re-authenticate to each backend.- Better utilization of backend servers because they don't have to perform TLS processing- Intelligent routing by accessing the request content.- Easier certificate management because the certificate only needs to be installed on Application Gateway.",
+ "service": "Azure Application Gateway",
+ "text": "Use AppGateway for TLS termination",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Application Gateway can be integrated with Key Vault. This provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.",
+ "service": "Azure Application Gateway",
+ "text": "Use Azure Key Vault to store TLS certificates",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "A TLS certificate of the backend server must be issued by a well-known CA. If the certificate was not issued by a trusted CA, the Application Gateway checks if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate is found. Only then a secure connection is established. Otherwise, Application Gateway marks the backend as unhealthy.",
+ "service": "Azure Application Gateway",
+ "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "When the backend pool contains a resolvable FQDN, the DNS resolution is based on a private DNS zone or custom DNS server (if configured on the VNet), or it uses the default Azure-provided DNS.",
+ "service": "Azure Application Gateway",
+ "text": "Use an appropriate DNS server for backend pool resources",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "NSGs are supported on Application Gateway subnet, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions. For details, see Network security groups.",
+ "service": "Azure Application Gateway",
+ "text": "Comply with all NSG restrictions for Application Gateway",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Using User Defined Routes (UDR) on the Application Gateway subnet can cause some issues. Health status in the back-end might be unknown. Application Gateway logs and metrics might not get generated. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics. If your organizations require to use UDR in the Application Gateway subnet, please ensure you review the supported scenarios. For more information, see Supported user-defined routes.",
+ "service": "Azure Application Gateway",
+ "text": "Refrain from using UDRs on the Application gateway subnet",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "When WAF is enabled, every request must be buffered by the Application Gateway until it fully arrives, checks if the request matches with any rule violation in its core rule set, and then forwards the packet to the backend instances. When there are large file uploads (30MB+ in size), it can result in a significant latency. Because Application Gateway capacity requirements are different with WAF, we do not recommend enabling WAF on Application Gateway without proper testing and validation.",
+ "service": "Azure Application Gateway",
+ "text": "Be aware of Application Gateway capacity changes when enabling WAF",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Familiarize yourself with Application Gateway pricing",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Review underutilized resources",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Stop Application Gateway instances that are not in use",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Have a scale-in and scale-out policy",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Review consumption metrics across different parameters",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "For information about Application Gateway pricing, see Understanding Pricing for Azure Application Gateway and Web Application Firewall. You can also leverage the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
+ "service": "Azure Application Gateway",
+ "text": "Familiarize yourself with Application Gateway pricing",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Identify and delete Application Gateway instances with empty backend pools to avoid unnecessary costs.",
+ "service": "Azure Application Gateway",
+ "text": "Review underutilized resources",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "You aren't billed when Application Gateway is in the stopped state. Continuously running Application Gateway instances can incur extraneous costs. Evaluate usage patterns and stop instances when you don't need them. For example, usage after business hours in Dev/Test environments is expected to be low.See these articles for information about how to stop and start instances.- Stop-AzApplicationGateway- Start-AzApplicationGateway",
+ "service": "Azure Application Gateway",
+ "text": "Stop Application Gateway instances when not in use",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "A scale-out policy ensures that there will be enough instances to handle incoming traffic and spikes. Also, have a scale-in policy that makes sure the number of instances are reduced when demand drops. Consider the choice of instance size. The size can significantly impact the cost. Some considerations are described in the Estimate the Application Gateway instance count.For more information, see What is Azure Application Gateway v2?",
+ "service": "Azure Application Gateway",
+ "text": "Have a scale-in and scale-out policy",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "You're billed based on metered instances of Application Gateway based on the metrics tracked by Azure. Evaluate the various metrics and capacity units and determine the cost drivers. For more information, see Microsoft Cost Management and Billing. The following metrics are key for Application Gateway. This information can be used to validate that the provisioned instance count matches the amount of incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units- Current Capacity UnitsFor more information, see Application Gateway metrics.Make sure you account for bandwidth costs.",
+ "service": "Azure Application Gateway",
+ "text": "Review consumption metrics across different parameters",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Monitor capacity metrics",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Use Azure Monitor Network Insights",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Match timeout settings with the backend application",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Monitor Key Vault configuration issues using Azure Advisor",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Configure and monitor SNAT port limitations",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Consider SNAT port limitations in your design",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "Use these metrics as indicators of utilization of the provisioned Application Gateway capacity. We strongly recommend setting up alerts on capacity. For details, see Application Gateway high traffic support.",
+ "service": "Azure Application Gateway",
+ "text": "Monitor capacity metrics",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "There are other metrics that can indicate issues either at Application Gateway or the backend. We recommend evaluating the following alerts:- Unhealthy Host Count- Response Status (dimension 4xx and 5xx)- Backend Response Status (dimension 4xx and 5xx)- Backend Last Byte Response Time- Application Gateway Total TimeFor more information, see Metrics for Application Gateway.",
+ "service": "Azure Application Gateway",
+ "text": "Troubleshoot using metrics",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Diagnostic logs allow you to view firewall logs, performance logs, and access logs. Use these logs to manage and troubleshoot issues with Application Gateway instances. For more information, see Back-end health and diagnostic logs for Application Gateway.",
+ "service": "Azure Application Gateway",
+ "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Azure Monitor Network Insights provides a comprehensive view of health and metrics for network resources, including Application Gateway. For additional details and supported capabilities for Application Gateway, see Azure Monitor Network insights.",
+ "service": "Azure Application Gateway",
+ "text": "Use Azure Monitor Network Insights",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Ensure you have configured the IdleTimeout settings to match the listener and traffic characteristics of the backend application. The default value is set to four minutes and can be configured to a maximum of 30. For more information, see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring application health for reliability.",
+ "service": "Azure Application Gateway",
+ "text": "Match timeout settings with the backend application",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Application Gateway checks for the renewed certificate version in the linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation. You must configure the Advisor alerts to stay updated and fix such issues immediately to avoid any Control or Data plane related problems. For more information, see Investigating and resolving key vault errors. To set an alert for this specific case, use the Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.",
+ "service": "Azure Application Gateway",
+ "text": "Monitor Key Vault configuration issues using Azure Advisor",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "SNAT port limitations are important for backend connections on the Application Gateway. There are separate factors that affect how Application Gateway reaches the SNAT port limit. For example, if the backend is a public IP address, it will require its own SNAT port. In order to avoid SNAT port limitations, you can increase the number of instances per Application Gateway, scale out the backends to have more IP addresses, or move your backends into the same virtual network and use private IP addresses for the backends.Requests per second (RPS) on the Application Gateway will be affected if the SNAT port limit is reached. For example, if an Application Gateway reaches the SNAT port limit, then it won't be able to open a new connection to the backend, and the request will fail.",
+ "service": "Azure Application Gateway",
+ "text": "Consider SNAT port limitations in your design",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Estimate the Application Gateway instance count",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Define the maximum instance count",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Define the minimum instance count",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Define Application Gateway subnet size",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Application Gateway",
+ "text": "Take advantage of Application Gateway V2 features for autoscaling and performance benefits",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "For Application Gateway v2 SKU, autoscaling takes some time (approximately six to seven minutes) before the additional set of instances is ready to serve traffic. During that time, if there are short spikes in traffic, expect transient latency or loss of traffic.We recommend that you set your minimum instance count to an optimal level. After you estimate the average instance count and determine your Application Gateway autoscaling trends, define the minimum instance count based on your application patterns. For information, see Application Gateway high traffic support.Check the Current Compute Units for the past one month. This metric represents the gateway's CPU utilization. To define the minimum instance count, divide the peak usage by 10. For example, if your average Current Compute Units in the past month is 50, set the minimum instance count to five.",
+ "service": "Azure Application Gateway",
+ "text": "Define the minimum instance count",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "We recommend 125 as the maximum autoscale instance count. Make sure the subnet that has the Application Gateway has sufficient available IP addresses to support the scale-up set of instances.Setting the maximum instance count to 125 has no cost implications because you're billed only for the consumed capacity.",
+ "service": "Azure Application Gateway",
+ "text": "Define the maximum instance count",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Application Gateway needs a dedicated subnet within a virtual network. The subnet can have multiple instances of the deployed Application Gateway resource. You can also deploy other Application Gateway resources in that subnet, v1 or v2 SKU.Here are some considerations for defining the subnet size:- Application Gateway uses one private IP address per instance and another private IP address if a private front-end IP is configured.- Azure reserves five IP addresses in each subnet for internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances. Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum subnet size of /26 is recommended. Because the Standard_v2 or WAF_v2 SKU can support up to 125 instances, using the same calculation, a subnet size of /24 is recommended.- If you want to deploy additional Application Gateway resources in the same subnet, consider the additional IP addresses that will be required for their maximum instance count for both, Standard and Standard v2.",
+ "service": "Azure Application Gateway",
+ "text": "Define Application Gateway subnet size",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "The v2 SKU offers autoscaling to ensure that your Application Gateway can scale up as traffic increases. When compared to v1 SKU, v2 has capabilities that enhance the performance of the workload. For example, better TLS offload performance, quicker deployment and update times, zone redundancy, and more. For more information about autoscaling features, see Scaling Application Gateway v2 and WAF v2.If you are running v1 SKU Application gateway, consider migrating to the Application gateway v2 SKU. For more information, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.",
+ "service": "Azure Application Gateway",
+ "text": "Take advantage of features for autoscaling and performance benefits",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Use failure mode analysis: Minimize points of failure by considering internal dependencies such as the availability of virtual networks, Azure Key Vault, or Azure Content Delivery Network or Azure Front Door endpoints. Failures can occur if credentials required by workloads to access Blob Storage go missing from Key Vault, or if workloads use an endpoint based on a content delivery network that's removed. In these cases, workloads might need to use an alternative endpoint to connect. For general information about failure mode analysis, see Recommendations for performing failure mode analysis.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Define reliability and recovery targets: Review the Azure service-level agreements (SLAs). Derive the service-level objective (SLO) for the storage account. For example, the SLO might be affected by the redundancy configuration that you chose. Consider the effect of a regional outage, the potential for data loss, and the time required to restore access after an outage. Also consider the availability of any internal dependencies that you identified as part of your failure mode analysis.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Configure data redundancy: For maximum durability, choose a configuration that copies data across availability zones or global regions. For maximum availability, choose a configuration that allows clients to read data from the secondary region during an outage of the primary region.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Design applications: Design applications to seamlessly shift to reading data from the secondary region if the primary region becomes unavailable for any reason. This only applies to geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS) configurations. Designing applications to handle outages reduces downtime for end users.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Explore features to help you meet your recovery targets: Make blobs restorable so that they can be recovered if they're corrupted, edited, or deleted by mistake.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Create a recovery plan: Consider data protection features, backup and restore operations, or failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over. For more information, see Recommendations for designing a disaster recovery strategy.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Monitor potential availability problems: Subscribe to the Azure Service Health dashboard to monitor potential availability problems. Use storage metrics in Azure Monitor and diagnostic logs to investigate alerts.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Redundancy protects your data against unexpected failures. The ZRS and GZRS configuration options replicate across different availability zones and enable applications to continue reading data during an outage. For more information, see Durability and availability by outage scenario and Durability and availability parameters.",
+ "service": "Azure Blob Storage",
+ "text": "Configure your account for redundancy. For maximum availability and durability, configure your account by using zone-redundant storage (ZRS) or GZRS.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "This property helps you estimate how much data you might lose by initiating an account failover. All data and metadata written before the last synchronization time is available on the secondary region, but data and metadata written after the last synchronization time might be lost because it's not written to the secondary region.",
+ "service": "Azure Blob Storage",
+ "text": "Before initiating a failover or failback, evaluate the potential for data loss by checking the value of the last synchronization time property. This recommendation applies only to GRS and GZRS configurations.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The soft delete option enables a storage account to recover deleted containers and blobs. The versioning option automatically tracks changes made to blobs. This option lets you restore a blob to a previous state.The point-in-time restore option protects against accidental blob deletion or corruption and lets you restore block blob data to an earlier state. For more information, see Data protection overview.",
+ "service": "Azure Blob Storage",
+ "text": "As a part of your backup and recovery strategy, enable the container soft delete, blob soft delete, versioning, and point-in-time restore options.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Review the security baseline for Azure Storage: To get started, first review the security baseline for Storage.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Use network controls to restrict ingress and egress traffic: Disable all public traffic to the storage account. Use account network controls to grant the minimal level of access required by users and applications. For more information, see How to approach network security for your storage account.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Reduce the attack surface: Preventing anonymous access, account key access, or access over non-secure (HTTP) connections can reduce the attack surface. Require clients to send and receive data by using the latest version of the Transport Layer Security (TLS) protocol.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Authorize access without using passwords or keys: Microsoft Entra ID provides superior security and ease of use compared to shared keys and shared access signatures. Grant security principals only those permissions that are necessary for them to do their tasks.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Protect sensitive information: Protect sensitive information such as account keys and shared access signature tokens. While these forms of authorization are generally not recommended, you should make sure to rotate, expire, and store them securely.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Enable the secure transfer required option: Enabling this setting for all your storage accounts ensures that all requests made against the storage account must take place over secure connections. Any requests made over HTTP fail.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Protect critical objects: Apply immutability policies to protect critical objects. Policies protect blobs that are stored for legal, compliance, or other business purposes from being modified or deleted. Configure holds for set time periods or until restrictions are lifted by an administrator.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Detect threats: Enable Microsoft Defender for Storage to detect threats. Security alerts are triggered when anomalies in activity occur. The alerts notify subscription administrators via email with details of suspicious activity and recommendations on how to investigate and remediate threats.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "When anonymous access is allowed for a storage account, a user that has the appropriate permissions can modify a container's anonymous access setting to enable anonymous access to the data in that container.",
+ "service": "Azure Blob Storage",
+ "text": "Disable anonymous read access to containers and blob.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Locking an account prevents it from being deleted and causing data loss.",
+ "service": "Azure Blob Storage",
+ "text": "Apply an Azure Resource Manager lock on the storage account.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Start with zero access and then incrementally authorize the lowest levels of access required for clients and services to minimize the risk of creating unnecessary openings for attackers.",
+ "service": "Azure Blob Storage",
+ "text": "Disable traffic to the public endpoints of your storage account. Create private endpoints for clients that run in Azure. Enable the public endpoint only if clients and services external to Azure require direct access to your storage account. Enable firewall rules that limit access to specific virtual networks.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "With RBAC, there are no passwords or keys that can be compromised. The security principal (user, group, managed identity, or service principal) is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token is used to authorize a request against the Blob Storage service.",
+ "service": "Azure Blob Storage",
+ "text": "Authorize access by using Azure role-based access control (RBAC).",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Only secured requests that are authorized with Microsoft Entra ID are permitted.",
+ "service": "Azure Blob Storage",
+ "text": "Disallow shared key authorization. This disables not only account key access but also service and account shared access signature tokens because they're based on account keys.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Key Vault lets you retrieve keys at runtime, instead of saving them by using your application. Key Vault also makes it easy to rotate your keys without interruption to your applications. Rotating the account keys periodically reduces the risk of exposing your data to malicious attacks.",
+ "service": "Azure Blob Storage",
+ "text": "We recommend that you don't use an account key. If you must use account keys, then store them in Key Vault, and make sure that you regenerate them periodically.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Best practices can help you prevent a shared access signature token from being leaked and quickly recover if a leak does occur.",
+ "service": "Azure Blob Storage",
+ "text": "We recommend that you don't use shared access signature tokens. Evaluate whether you need shared access signature tokens to secure access to Blob Storage resources. If you must create one, then review this list of shared access signature best practices before you create and distribute it.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support modern cryptographic algorithms and cipher suites.",
+ "service": "Azure Blob Storage",
+ "text": "Configure your storage account so clients can send and receive data by using the minimum version of TLS 1.2.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Customer-managed keys provide greater flexibility and control. For example, you can store encryption keys in Key Vault and automatically rotate them.",
+ "service": "Azure Blob Storage",
+ "text": "Consider using your own encryption key to protect the data in your storage account. For more information, see Customer-managed keys for Azure Storage encryption.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Identify the meters that are used to calculate your bill: Meters are used to track the amount of data stored in the account (data capacity) and the number and type of operations that are performed to write and read data. There are also meters associated with the use of optional features such as blob index tags, blob inventory, change feed support, encryption scopes, and SSH File Transfer Protocol (SFTP) support. For more information, see How you're charged for Blob Storage.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Understand the price of each meter: Make sure to use the appropriate pricing page and apply the appropriate settings in that page. For more information, see Finding the unit price for each meter. Consider the number of operations associated with each price. For example, the price associated with write and read operations applies to 10,000 operations. To determine the price of an individual operation, divide the listed price by 10,000.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Estimate the cost of capacity and operations: You can model the costs associated with data storage, ingress, and egress by using the Azure pricing calculator. Use fields to compare the cost associated with various regions, account types, namespace types, and redundancy configurations. For certain scenarios, you can use sample calculations and worksheets available in Microsoft documentation. For example, you can estimate the cost of archiving data or estimate the cost of using the AzCopy command to transfer blobs.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Choose a billing model for capacity: Evaluate whether using a commitment-based model is more cost-efficient than using a consumption-based model. If you're unsure about how much capacity you need, you can start with a consumption-based model, monitor the capacity metrics, and then evaluate later.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Choose an account type, a redundancy level, and a default access tier: You must select a value for each of these settings when you create a storage account. All the values affect transaction charges and capacity charges. All these settings except for the account type can be changed after the account is created.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Choose the most cost-effective default access tier: Unless a tier is specified with each blob upload, blobs infer their access tier from the default access tier setting. A change to the default access tier setting of a storage account applies to all blobs in the account for which an access tier hasn't been explicitly set. This cost could be significant if you've collected a large number of blobs. For more information about how a tier change affects each existing blob, see Changing a blob's access tier.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Upload data directly to the most cost-efficient access tier: For example, if the default access tier setting of your account is hot, but you're uploading files for archiving purposes, specify a cooler tier as the archive or a cold tier as part of your upload operation. After uploading blobs, use lifecycle management policies to move blobs to the most cost-efficient tiers based on usage metrics such as the last accessed time. Choosing the most optimal tier up front can reduce costs. If you change the tier of a block blob that you already uploaded, then you pay the cost of writing to the initial tier when you first upload the blob, and then pay the cost of writing to the desired tier.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Have a plan for managing the data lifecycle: Optimize transaction and capacity costs by taking advantage of access tiers and lifecycle management. Data used less often should be placed in cooler access tiers while data that's accessed often should be placed in warmer access tiers.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Decide which features you need: Some features such as versioning and blob soft delete incur additional transaction and capacity costs as well as other charges. Make sure to review the pricing and billing sections in articles that describe those capabilities when you choose which capabilities to add to your account.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Create guardrails: Create budgets based on subscriptions and resource groups. Use governance policies to restrict resource types, configurations, and locations. Additionally, use RBAC to block actions that can lead to overspending.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Monitor costs: Ensure costs stay within budgets, compare costs against forecasts, and see where overspending occurs. You can use the cost analysis pane in the Azure portal to monitor costs. You also can export cost data to a storage account and analyze that data by using Excel or Power BI.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Monitor usage: Continuously monitor usage patterns and detect unused or underutilized accounts and containers. Use Storage insights to identity accounts with no or low use. Enable blob inventory reports, and use tools such as Azure Databricks or Azure Synapse Analytics and Power BI to analyze cost data. Watch out for unexpected increases in capacity, which might indicate that you're collecting numerous log files, blob versions, or soft-deleted blobs. Develop a strategy for expiring or transitioning objects to more cost-effective access tiers.Have a plan for expiring objects or moving objects to more affordable access tiers.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "Cooler tiers have higher data transfer costs. By having fewer large files, you can reduce the number of operations required to transfer data.",
+ "service": "Azure Blob Storage",
+ "text": "Pack small files into larger files before moving them to cooler tiers. You can use file formats such as TAR or ZIP.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "High-priority rehydration from the archive tier can lead to higher-than-normal bills.",
+ "service": "Azure Blob Storage",
+ "text": "Use standard-priority rehydration when rehydrating blobs from archive storage. Use high-priority rehydration only for emergency data restoration situations. For more information, see Rehydrate an archived blob to an online tier",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Storing resource logs in a storage account for later analysis can be a cheaper option. Using lifecycle management policies to manage log retention in a storage account prevents large numbers of logs files building up over time, which can lead to unnecessary capacity charges.",
+ "service": "Azure Blob Storage",
+ "text": "Reduce the cost of using resource logs by choosing the appropriate log storage location and by managing log-retention periods. If you only plan to query logs occasionally (for example, querying logs for compliance auditing), consider sending resource logs to a storage account instead of sending them to an Azure Monitor Logs workspace. You can use a serverless query solution such as Azure Synapse Analytics to analyze logs. For more information, see Optimize cost for infrequent queries. Use lifecycle management policies to delete or archive logs.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Every write operation to a blob creates a new version. This increases capacity costs. You can keep costs in check by removing versions that you no longer need.",
+ "service": "Azure Blob Storage",
+ "text": "If you enable versioning, use a lifecycle management policy to automatically delete old blob versions.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Every time a blob is overwritten, a new version is added which leads to increased storage capacity charges. To reduce capacity charges, store frequently overwritten data in a separate storage account with versioning disabled.",
+ "service": "Azure Blob Storage",
+ "text": "If you enable versioning, then place blobs that are frequently overwritten into an account that doesn't have versioning enabled.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Every time a blob is overwritten, a new snapshot is created. The cause of increased capacity charges might be difficult to access because the creation of these snapshots doesn't appear in logs. To reduce capacity charges, store frequently overwritten data in a separate storage account with soft delete disabled. A retention period keeps soft-deleted blobs from piling up and adding to the cost of capacity.",
+ "service": "Azure Blob Storage",
+ "text": "If you enable soft delete, then place blobs that are frequently overwritten into an account that doesn't have soft delete enabled. Set retention periods. Consider starting with a short retention period to better understand how the feature affects your bill. The minimum recommended retention period is seven days.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Enabling the SFTP endpoint incurs an hourly cost. By thoughtfully disabling SFTP support, and then enabling it as needed, you can avoid passive charges from accruing in your account.",
+ "service": "Azure Blob Storage",
+ "text": "Enable SFTP support only when it's used to transfer data.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Encryptions scopes incur a per month charge.",
+ "service": "Azure Blob Storage",
+ "text": "Disable any encryption scopes that aren't needed to avoid unnecessary charges.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Create maintenance and emergency recovery plans: Consider data protection features, backup and restore operations, and failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Monitor the health of your storage account: Create Storage insights dashboards to monitor availability, performance, and resilience metrics. Set up alerts to identify and address problems in your system before your customers notice them. Use diagnostic settings to route resource logs to an Azure Monitor Logs workspace. Then you can query logs to investigate alerts more deeply.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Enable blob inventory reports: Enable blob inventory reports to review the retention, legal hold, or encryption status of your storage account contents. You can also use blob inventory reports to understand the total data size, age, tier distribution, or other attributes of your data. Use tools such as Azure Databricks or Azure Synapse Analytics and Power BI to better visualize inventory data and to create reports for stakeholders.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Set up policies that delete blobs or move them to cost-efficient access tiers: Create a lifecycle management policy with an initial set of conditions. Policy runs automatically delete or set the access tier of blobs based on the conditions you define. Periodically analyze container use by using Monitor metrics and blob inventory reports so that you can refine conditions to optimize cost efficiency.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "You can use your existing DevOps processes to deploy new storage accounts, and use Azure Policy to enforce their configuration.",
+ "service": "Azure Blob Storage",
+ "text": "Use infrastructure as code (IaC) to define the details of your storage accounts in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "You can track the health and operation of each of your accounts. Easily create dashboards and reports that stakeholders can use to track the health of your storage accounts.",
+ "service": "Azure Blob Storage",
+ "text": "Use Storage insights to track the health and performance of your storage accounts. Storage insights provides a unified view of the failures, performance, availability, and capacity for all your storage accounts.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Plan for scale: Understand the scale targets for storage accounts.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Choose the optimal storage account type: If your workload requires high transaction rates, smaller objects, and a consistently low transaction latency, then consider using premium block blob storage accounts. A standard general-purpose v2 account is most appropriate in most cases.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Reduce travel distance between the client and server: Place data in regions nearest to connecting clients (ideally in the same region). Optimize for clients in regions far away by using object replication or a content delivery network. Default network configurations provide the best performance. Modify network settings only to improve security. In general, network settings don't decrease travel distance and don't improve performance.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Choose an efficient naming scheme: Decrease the latency of listing, list, query, and read operations by using hash tag prefixes nearest the beginning of the blob partition key (account, container, virtual directory, or blob name). This scheme benefits mostly accounts that have a flat namespace.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Optimize the performance of data clients: Choose a data transfer tool that's most appropriate for the data size, transfer frequency, and bandwidth of your workloads. Some tools such as AzCopy are optimized for performance and require little intervention. Consider the factors that influence latency, and fine-tune performance by reviewing the performance optimization guidance that's published with each tool.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Optimize the performance of custom code: Consider using Storage SDKs instead of creating your own wrappers for blob REST operations. Azure SDKs are optimized for performance and provide mechanisms to fine-tune performance. Before creating an application, review the performance and scalability checklist for Blob Storage. Consider using query acceleration to filter out unwanted data during the storage request and keep clients from needlessly transferring data across the network.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Blob Storage",
+ "text": "Collect performance data: Monitor your storage account to identify performance bottlenecks that occur from throttling. For more information, see Monitoring your storage service with Monitor Storage insights. Use both metrics and logs. Metrics provide numbers such as throttling errors. Logs describe activity. If you see throttling metrics, you can use logs to identity which clients are receiving throttling errors. For more information, see Auditing data plane operations.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "Reducing the physical distance between the storage account and VMs, services, and on-premises clients can improve performance and reduce network latency. Reducing the physical distance also reduces cost for applications hosted in Azure because bandwidth usage within a single region is free.",
+ "service": "Azure Blob Storage",
+ "text": "Provision storage accounts in the same region where dependent resources are placed. For applications that aren't hosted on Azure, such as mobile device apps or on-premises enterprise services, locate the storage account in a region nearer to those clients. For more information, see Azure geographies.If clients from a different region don't require the same data, then create a separate account in each region.If clients from a different region require only some data, consider using an object-replication policy to asynchronously copy relevant objects to a storage account in the other region.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Content is delivered to clients faster because it uses the Microsoft global edge network with hundreds of global and local points of presence around the world.",
+ "service": "Azure Blob Storage",
+ "text": "For broad consumption by web clients (streaming video, audio, or static website content), consider using a content delivery network through Azure Front Door.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Using a hash code or seconds value nearest the beginning of a partition key reduces the time required to list query and read blobs.",
+ "service": "Azure Blob Storage",
+ "text": "Add a hash character sequence (such as three digits) as early as possible in the partition key of a blob. The partition key is the account name, container name, virtual directory name, and blob name. If you plan to use timestamps in names, then consider adding a seconds value to the beginning of that stamp. For more information, see Partitioning.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Blob or block sizes above 256 KiB takes advantage of performance enhancements in the platform made specifically for larger blobs and block sizes.",
+ "service": "Azure Blob Storage",
+ "text": "When uploading blobs or blocks, use a blob or block size that's greater than 256 KiB.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Select between ExpressRoute circuit or ExpressRoute Direct for business requirements.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure Active-Active ExpressRoute connections between on-premises and Azure.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Set up availability zone aware ExpressRoute Virtual Network Gateways.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure ExpressRoute Virtual Network Gateways in different regions.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure site-to-site VPN as a backup to ExpressRoute private peering.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure service health to receive ExpressRoute circuit maintenance notification.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection. An ExpressRoute circuit allows a private dedicated connection into Azure with the help of a connectivity provider. ExpressRoute Direct allows you to extend on-premises network directly into the Microsoft network at a peering location. You also need to identify the bandwidth requirement and the SKU type requirement for your business needs.",
+ "service": "Azure Expressroute",
+ "text": "Plan for ExpressRoute circuit or ExpressRoute Direct",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "For better resiliency, plan to have multiple paths between the on-premises edge and the peering locations (provider/Microsoft edge locations). This configuration can be achieved by going through different service provider or through a different location from the on-premises network.",
+ "service": "Azure Expressroute",
+ "text": "Physical layer diversity",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "To plan for disaster recovery, set up ExpressRoute circuits in more than one peering locations. You can create circuits in peering locations in the same metro or different metro and choose to work with different service providers for diverse paths through each circuit. For more information, see Designing for disaster recovery and Designing for high availability.",
+ "service": "Azure Expressroute",
+ "text": "Plan for geo-redundant circuits",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "ExpressRoute dedicated circuits guarantee `99.95%` availability when an active-active connectivity is configured between on-premises and Azure. This mode provides higher availability of your Expressroute connection. It's also recommended to configure BFD for faster failover if there's a link failure on a connection.",
+ "service": "Azure Expressroute",
+ "text": "Plan for Active-Active connectivity",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Create availability zone aware Virtual Network Gateway for higher resiliency and plan for Virtual Network Gateways in different region for disaster recovery and high availability.",
+ "service": "Azure Expressroute",
+ "text": "Planning for Virtual Network Gateways",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Set up monitoring and alerts for ExpressRoute circuits and Virtual Network Gateway health based on various metrics available.",
+ "service": "Azure Expressroute",
+ "text": "Monitor circuits and gateway health",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "ExpressRoute uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your ExpressRoute circuits.",
+ "service": "Azure Expressroute",
+ "text": "Enable service health",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure Activity log to send logs to archive.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Maintain an inventory of administrative accounts with access to ExpressRoute resources.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure MD5 hash on ExpressRoute circuit.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure MACSec for ExpressRoute Direct resources.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Encrypt traffic over private peering and Microsoft peering for virtual network traffic.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Activity logs provide insights into operations that were performed at the subscription level for ExpressRoute resources. With Activity logs, you can determine who and when an operation was performed at the control plane. Data retention is only 90 days and required to be stored in Log Analytics, Event Hubs or a storage account for archive.",
+ "service": "Azure Expressroute",
+ "text": "Configure Activity log to send logs to archive",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Use Azure RBAC to configure roles to limit user accounts that can add, update, or delete peering configuration on an ExpressRoute circuit.",
+ "service": "Azure Expressroute",
+ "text": "Maintain inventory of administrative accounts",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "During configuration of private peering or Microsoft peering, apply an MD5 hash to secure messages between the on-premises route and the MSEE routers.",
+ "service": "Azure Expressroute",
+ "text": "Configure MD5 hash on ExpressRoute circuit",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Media Access Control security is a point-to-point security at the data link layer. ExpressRoute Direct supports configuring MACSec to prevent security threats to protocols such as ARP, DHCP, LACP not normally secured on the Ethernet link. For more information on how to configure MACSec, see MACSec for ExpressRoute Direct ports.",
+ "service": "Azure Expressroute",
+ "text": "Configure MACSec for ExpressRoute Direct resources",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Configure a Site-to-site VPN tunnel over your ExpressRoute circuit to encrypt data transferring between your on-premises network and Azure virtual network. You can configure a tunnel using private peering or using Microsoft peering.",
+ "service": "Azure Expressroute",
+ "text": "Encrypt traffic using IPsec",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Familiarize yourself with ExpressRoute pricing.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Determine the ExpressRoute circuit SKU and bandwidth required.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Determine the ExpressRoute virtual network gateway size required.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Monitor cost and create budget alerts.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Deprovision ExpressRoute circuits no longer in use.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "For information about ExpressRoute pricing, see Understand pricing for Azure ExpressRoute. You can also use the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
+ "service": "Azure Expressroute",
+ "text": "Familiarize yourself with ExpressRoute pricing",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "The way you're charged for your ExpressRoute usage varies between the three different SKU types. With Local SKU, you're automatically charged with an Unlimited data plan. With Standard and Premium SKU, you can select between a Metered or an Unlimited data plan. All ingress data are free of charge except when using the Global Reach add-on. It's important to understand which SKU types and data plan works best for your workload to best optimize cost and budget. For more information resizing ExpressRoute circuit, see upgrading ExpressRoute circuit bandwidth.",
+ "service": "Azure Expressroute",
+ "text": "Determine SKU and bandwidth required",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "ExpressRoute virtual network gateways are used to pass traffic into a virtual network over private peering. Review the performance and scale needs of your preferred Virtual Network Gateway SKU. Select the appropriate gateway SKU on your on-premises to Azure workload.",
+ "service": "Azure Expressroute",
+ "text": "Determine the ExpressRoute virtual network gateway size",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks. For more information, see Monitoring ExpressRoute costs.",
+ "service": "Azure Expressroute",
+ "text": "Monitor cost and create budget alerts",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "ExpressRoute circuits are charged from the moment they're created. To reduce unnecessary cost, deprovision the circuit with the service provider and delete the ExpressRoute circuit from your subscription. For steps on how to remove an ExpressRoute circuit, see Deprovisioning an ExpressRoute circuit.",
+ "service": "Azure Expressroute",
+ "text": "Deprovision and delete ExpressRoute circuits no longer in use.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure connection monitoring between your on-premises and Azure network.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Configure Service Health for receiving notification.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Review metrics and dashboards available through ExpressRoute Insights using Network Insights.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Review ExpressRoute resource metrics.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "Connection monitoring allows you to monitor connectivity between your on-premises resources and Azure over the ExpressRoute private peering and Microsoft peering connection. Connection monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures.",
+ "service": "Azure Expressroute",
+ "text": "Configure connection monitoring",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Set up Service Health notifications to alert when planned and upcoming maintenance is happening to all ExpressRoute circuits in your subscription. Service Health also displays past maintenance along with RCA if an unplanned maintenance were to occur.",
+ "service": "Azure Expressroute",
+ "text": "Configure Service Health",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "ExpressRoute Insights with Network Insights allow you to review and analyze ExpressRoute circuits, gateways, connections metrics and health dashboards. ExpressRoute Insights also provide a topology view of your ExpressRoute connections where you can view details of your peering components all in a single place.Metrics available:- Availability- Throughput- Gateway metrics",
+ "service": "Azure Expressroute",
+ "text": "Review metrics with Network Insights",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "ExpressRoute uses Azure Monitor to collect metrics and create alerts base on your configuration. Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.",
+ "service": "Azure Expressroute",
+ "text": "Review ExpressRoute resource metrics",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Test ExpressRoute gateway performance to meet work load requirements.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Increase the size of the ExpressRoute gateway.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Upgrade the ExpressRoute circuit bandwidth.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Enable ExpressRoute FastPath for higher throughput.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Expressroute",
+ "text": "Monitor the ExpressRoute circuit and gateway metrics.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "Use Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection.",
+ "service": "Azure Expressroute",
+ "text": "Test ExpressRoute gateway performance to meet work load requirements.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Upgrade to a higher gateway SKU for improved throughput performance between on-premises and Azure environment.",
+ "service": "Azure Expressroute",
+ "text": "Increase the size of the ExpressRoute gateway.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Upgrade your circuit bandwidth to meet your work load requirements. Circuit bandwidth is shared between all virtual networks connected to the ExpressRoute circuit. Depending on your work load, one or more virtual networks can use up all the bandwidth on the circuit.",
+ "service": "Azure Expressroute",
+ "text": "Upgrade ExpressRoute circuit bandwidth",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "If you're using an Ultra performance or an ErGW3AZ virtual network gateway, you can enable FastPath to improve the data path performance between your on-premises network and Azure virtual network.",
+ "service": "Azure Expressroute",
+ "text": "Enable ExpressRoute FastPath for higher throughput",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Set up alerts base on ExpressRoute metrics to proactively notify you when a certain threshold is met. These metrics are useful to understand anomalies that can happen with your ExpressRoute connection such as outages and maintenance happening to your ExpressRoute circuits.",
+ "service": "Azure Expressroute",
+ "text": "Monitor ExpressRoute circuit and gateway metrics",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Use failure mode analysis: Minimize points of failure by considering internal dependencies such as the availability of virtual networks, Azure Key Vault, or Azure Content Delivery Network or Azure Front Door endpoints. Failures can occur if you need credentials to access Azure Files, and the credentials go missing from Key Vault. Or you might have a failure if your workloads use an endpoint that's based on a missing content delivery network. In these cases, you might need to configure your workloads to connect to an alternative endpoint. For general information about failure mode analysis, see Recommendations for performing failure mode analysis.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Define reliability and recovery targets: Review the Azure service-level agreements (SLAs). Derive the service-level objective (SLO) for the storage account. For example, the redundancy configuration that you chose might affect the SLO. Consider the effect of a regional outage, the potential for data loss, and the time required to restore access after an outage. Also consider the availability of internal dependencies that you identified as part of your failure mode analysis.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Configure data redundancy: For maximum durability, choose a configuration that copies data across availability zones or global regions. For maximum availability, choose a configuration that allows clients to read data from the secondary region during an outage of the primary region.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Design applications: Design your applications to seamlessly shift so that they read data from a secondary region if the primary region is unavailable. This design consideration only applies to geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS) configurations. Design your applications to properly handle outages, which reduces downtime for customers.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Explore features to help you meet your recovery targets: Make files restorable so that you can recover corrupted, edited, or deleted files.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Create a recovery plan: Consider data protection features, backup and restore operations, or failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over. For more information, see Recommendations for designing a disaster recovery strategy.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Monitor potential availability problems: Subscribe to the Azure Service Health dashboard to monitor potential availability problems. Use storage metrics and diagnostic logs in Azure Monitor to investigate alerts.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Redundancy protects your data against unexpected failures. The ZRS and GZRS configuration options replicate across various availability zones and enable applications to continue reading data during an outage. For more information, see Durability and availability by outage scenario and Durability and availability parameters.",
+ "service": "Azure Files",
+ "text": "Configure your storage account for redundancy. For maximum availability and durability, configure your account with zone-redundant storage (ZRS), GRS, or GZRS. Limited Azure regions support ZRS for standard and premium file shares. Only standard SMB accounts support GRS and GZRS. Premium SMB shares and NFS shares don't support GRS and GZRS. Azure Files doesn't support read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS). If you configure a storage account to use RA-GRS or RA-GZRS, the file shares are configured and billed as GRS or GZRS.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "This property helps you estimate how much data you might lose if you initiate an account failover. All data and metadata that's written before the last synchronization time is available on the secondary region, but you might lose data and metadata that's written after the last synchronization time because it's not written to the secondary region.",
+ "service": "Azure Files",
+ "text": "Before you initiate a failover or failback, check the value of the last synchronization time property to evaluate the potential for data loss. This recommendation applies only to GRS and GZRS configurations.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Soft delete works on a file share level to protect Azure file shares against accidental deletion. Point-in-time restore protects against accidental deletion or corruption because you can restore file shares to an earlier state. For more information, see Data protection overview.",
+ "service": "Azure Files",
+ "text": "As a part of your backup and recovery strategy, enable soft delete and use snapshots for point-in-time restore. You can use Azure Backup to back up your SMB file shares. You can also use Azure File Sync to back up on-premises SMB file shares to an Azure file share. Azure Backup also allows you to do a vaulted backup (preview) of Azure Files to protect your data from ransomware attacks or source data loss due to a malicious actor or rogue admin. By using vaulted backup, Azure Backup copies and stores data in the Recovery Services vault. This creates an offsite copy of data that you can retain for up to 99 years. Azure Backup creates and manages the recovery points as per the schedule and retention defined in the backup policy. Learn more.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Review the security baseline for Azure Storage: To get started, review the security baseline for Storage.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Consider using network controls to restrict ingress and egress traffic: You might be comfortable exposing your storage account to the public internet under certain conditions, like if you use identity-based authentication to grant access to file shares. But we recommend that you use network controls to grant the minimum required level of access to users and applications. For more information, see How to approach network security for your storage account.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Reduce the attack surface: Use encryption in transit and prevent access over non-secure (HTTP) connections to reduce the attack surface. Require clients to send and receive data by using the latest version of the Transport Layer Security (TLS) protocol.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Minimize the use of storage account keys: Identity-based authentication provides superior security compared to using a storage account key. But you must use a storage account key to get full administrative control of a file share, including the ability to take ownership of a file. Grant security principals only the necessary permissions that they need to perform their tasks.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Protect sensitive information: Protect sensitive information, such as storage account keys and passwords. We don't recommend that you use these forms of authorization, but if you do, you should make sure to rotate, expire, and store them securely.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Detect threats: Enable Microsoft Defender for Storage to detect potentially harmful attempts to access or exploit your Azure file shares over SMB or FileREST protocols. Subscription administrators get email alerts with details of suspicious activity and recommendations about how to investigate and remediate threats. Defender for Storage doesn't support antivirus capabilities for Azure file shares. If you use Defender for Storage, transaction-heavy file shares incur significant costs, so consider opting out of Defender for Storage for specific storage accounts.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Lock the account to prevent accidental or malicious deletion of the storage account, which can cause data loss.",
+ "service": "Azure Files",
+ "text": "Apply an Azure Resource Manager lock on the storage account.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "SMB 3.x is an internet-safe protocol, but you might not have the ability to change organizational or ISP policies. You can use a VPN gateway or an ExpressRoute connection as an alternative option.",
+ "service": "Azure Files",
+ "text": "Open TCP port 445 outbound or set up a VPN gateway or Azure ExpressRoute connection for clients outside of Azure to access the file share.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "SMB 1 is an outdated, inefficient, and insecure protocol. Disable it on clients to improve your security posture.",
+ "service": "Azure Files",
+ "text": "If you open port 445, be sure to disable SMBv1 on Windows and Linux clients. Azure Files doesn't support SMB 1, but you should still disable it on your clients.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Network traffic travels over the Microsoft backbone network instead of the public internet, which eliminates risk exposure from the public internet.",
+ "service": "Azure Files",
+ "text": "Consider disabling public network access to your storage account. Enable public network access only if SMB clients and services that are external to Azure require access to your storage account. If you disable public network access,create a private endpoint for your storage account. Standard data processing rates for private endpoints apply. A private endpoint doesn't block connections to the public endpoint. You should still disable public network access as previously described. If you don't require a static IP address for your file share and want to avoid the cost of private endpoints, you can instead restrict public endpoint access to specific virtual networks and IP addresses.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Minimize the risk of creating openings for attackers.",
+ "service": "Azure Files",
+ "text": "Enable firewall rules that limit access to specific virtual networks. Start with zero access, and then methodically and incrementally provide the least amount of access required for clients and services.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Use identity-based authentication to decrease the possibility of an attacker using a storage account key to access file shares.",
+ "service": "Azure Files",
+ "text": "When possible, use identity-based authentication with AES-256 Kerberos ticket encryption to authorize access to SMB Azure file shares.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Use Key Vault to retrieve keys at runtime instead of saving them with your application. Key Vault also makes it easy to rotate your keys without interruption to your applications. Periodically rotate the account keys to reduce the risk of exposing your data to malicious attacks.",
+ "service": "Azure Files",
+ "text": "If you use storage account keys, store them in Key Vault, and make sure to regenerate them periodically. You can completely disallow storage account key access to the file share by removing NTLMv2 from the share's SMB security settings. But you generally shouldn't remove NTLMv2 from the share's SMB security settings because administrators still need to use the account key for some tasks.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "This setting ensures that all requests that are made against the storage account take place over secure connections (HTTPS). Any requests made over HTTP will fail.",
+ "service": "Azure Files",
+ "text": "In most cases, you should enable the Secure transfer required option on all your storage accounts to enable encryption in transit for SMB file shares. Don't enable this option if you need to allow very old clients to access the share. If you disable secure transfer, be sure to use network controls to restrict traffic.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support modern cryptographic algorithms and cipher suites.",
+ "service": "Azure Files",
+ "text": "Configure your storage account so that TLS 1.2 is the minimum version for clients to send and receive data.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "SMB 3.1.1, released with Windows 10, contains important security and performance updates. AES-256-GCM offers more secure channel encryption.",
+ "service": "Azure Files",
+ "text": "Use only the most recent supported SMB protocol version (currently 3.1.1.), and use only AES-256-GCM for SMB channel encryption. Azure Files exposes settings that you can use to toggle the SMB protocol and make it more compatible or more secure, depending on your organization's requirements. By default, all SMB versions are allowed. However, SMB 2.1 is disallowed if you enable Require secure transfer because SMB 2.1 doesn't support encryption of data in transit. If you restrict these settings to a high level of security, some clients might not be able to connect to the file share.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Review the security baseline for Storage: To get started, review the security baseline for Storage.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Understand your organization's security requirements: NFS Azure file shares only support Linux clients that use the NFSv4.1 protocol, with support for most features from the 4.1 protocol specification. Some security features, such as Kerberos authentication, access control lists (ACLs), and encryption in transit, aren't supported.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Use network-level security and controls to restrict ingress and egress traffic: Identity-based authentication isn't available for NFS Azure file shares, so you must use network-level security and controls to grant the minimum required level of access to users and applications. For more information, see How to approach network security for your storage account.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Lock the account to prevent accidental or malicious deletion of the storage account, which might cause data loss.",
+ "service": "Azure Files",
+ "text": "Apply a Resource Manager lock on the storage account.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Open port 2049 to let clients communicate with the NFS Azure file share.",
+ "service": "Azure Files",
+ "text": "You must open port 2049 on the clients that you want to mount your NFS share to.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Network traffic travels over the Microsoft backbone network instead of the public internet, which eliminates risk exposure from the public internet.",
+ "service": "Azure Files",
+ "text": "NFS Azure file shares are only accessible through restricted networks. So you must create a private endpoint for your storage account or restrict public endpoint access to selected virtual networks and IP addresses. We recommend that you create a private endpoint. You must configure network-level security for NFS shares because Azure Files doesn't support encryption in transit with the NFS protocol. You need to disable the Require secure transfer setting on the storage account to use NFS Azure file shares. Standard data processing rates apply for private endpoints. If you don't require a static IP address for your file share and want to avoid the cost of private endpoints, you can restrict public endpoint access instead.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Disallow the use of storage account keys to make your storage account more secure.",
+ "service": "Azure Files",
+ "text": "Consider disallowing storage account key access at the storage account level. You don't need this access to mount NFS file shares. But keep in mind that full administrative control of a file share, including the ability to take ownership of a file, requires use of a storage account key.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Decide whether your workload requires the performance of premium file shares (Azure Premium SSD) or if Azure Standard HDD storage is sufficient: Determine your storage account type and billing model based on the type of storage that you need. If you require large amounts of input/output operations per second (IOPS), extremely fast data transfer speeds, or very low latency, then you should choose premium Azure file shares. NFS Azure file shares are only available on the premium tier. NFS and SMB file shares are the same price on the premium tier.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Create a storage account for your file share, and choose a redundancy level: Choose either a standard (GPv2) or premium (FileStorage) account. The redundancy level that you choose affects cost. The more redundancy, the higher the cost. Locally redundant storage (LRS) is the most affordable. GRS is only available for standard SMB file shares. Standard file shares only show transaction information at the storage account level, so we recommend that you deploy only one file share in each storage account to ensure full billing visibility.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Understand how your bill is calculated: Standard Azure file shares provide a pay-as-you-go model. Premium shares use a provisioned model in which you specify and pay for a certain amount of capacity, IOPS, and throughput up front. In the pay-as-you-go model, meters track the amount of data that's stored in the account, or the capacity, and the number and type of transactions based on your usage of that data. The pay-as-you-go model can be cost efficient because you pay only for what you use. With the pay-as-you-go model, you don't need to overprovision or deprovision storage based on performance requirements or demand fluctuations.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Estimate the cost of capacity and operations: You can use the Azure pricing calculator to model the costs associated with data storage, ingress, and egress. Compare the cost associated with various regions, account types, and redundancy configurations. For more information, see Azure Files pricing.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Choose the most cost-effective access tier: Standard SMB Azure file shares offer three access tiers: transaction optimized, hot, and cool. All three tiers are stored on the same standard storage hardware. The main difference for these three tiers is their data at rest storage prices, which are lower in cooler tiers, and the transaction prices, which are higher in cooler tiers. For more information, see Differences in standard tiers.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Decide which value-added services you need: Azure Files supports integrations with value-added services such as Backup, Azure File Sync, and Defender for Storage. These solutions have their own licensing and product costs but are often considered part of the total cost of ownership for file storage. Consider other cost aspects if you use Azure File Sync.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Create guardrails: Create budgets based on subscriptions and resource groups. Use governance policies to restrict resource types, configurations, and locations. Additionally, use role-based access control (RBAC) to block actions that can lead to overspending.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Monitor costs: Ensure costs stay within budgets, compare costs against forecasts, and see where overspending occurs. You can use the cost analysis pane in the Azure portal to monitor costs. You can also export cost data to a storage account, and use Excel or Power BI to analyze that data.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Monitor usage: Continuously monitor usage patterns to detect unused or underused storage accounts and file shares. Check for unexpected increases in capacity, which might indicate that you're collecting numerous log files or soft-deleted files. Develop a strategy for deleting files or moving files to more cost-effective access tiers.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "Migrating to Azure Files is a temporary, transaction-heavy workload. Optimize the price for high-transaction workloads to help reduce migration costs.",
+ "service": "Azure Files",
+ "text": "When you migrate to standard Azure file shares, we recommend that you start in the transaction-optimized tier during the initial migration. Transaction usage during migration isn't typically indicative of normal transaction usage. This consideration doesn't apply for premium file shares because the provisioned billing model doesn't charge for transactions.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Select the appropriate access tier for standard file shares to considerably reduce your costs.",
+ "service": "Azure Files",
+ "text": "After you migrate your workload, if you use standard file shares, carefully choose the most cost effective access tier for your file share: hot, cool, or transaction optimized. After you operate for a few days or weeks with regular usage, you can insert your transaction counts in the pricing calculator to figure out which tier best suits your workload. Most customers should choose cool even if they actively use the share. But you should examine each share and compare the balance of storage capacity to transactions to determine your tier. If transaction costs make up a significant percentage of your bill, the savings from using the cool access tier often offsets this cost and minimizes the total overall cost. We recommend that you move standard file shares between access tiers only when necessary to optimize for changes in your workload pattern. Each move incurs transactions. For more information, see Switching between standard tiers.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Overprovision premium file shares by a reasonable amount to help maintain performance and account for future growth and performance requirements.",
+ "service": "Azure Files",
+ "text": "If you use premium shares, ensure that you provision more than enough capacity and performance for your workload but not so much that you incur unnecessary costs. We recommend overprovisioning by two to three times. You can dynamically scale premium file shares up or down depending on your storage and input/output (IO) performance characteristics.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Three-year reservations can provide a discount up to 36% on the total cost of file storage. Reservations don't affect performance.",
+ "service": "Azure Files",
+ "text": "Use Azure Files reservations, also referred to as reserved instances, to precommit to storage usage and get a discount. Use reservations for production workloads or dev/test workloads with consistent footprints. For more information, see Optimize costs with storage reservations. Reservations don't include transaction, bandwidth, data transfer, and metadata storage charges.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Differential snapshots ensure that you're not billed multiple times for storing the same data. However, you should still monitor snapshot usage to help reduce your Azure Files bill.",
+ "service": "Azure Files",
+ "text": "Monitor snapshot usage. Snapshots incur charges, but they're billed based on the differential storage usage of each snapshot. You pay only for the difference in each snapshot. For more information, see Snapshots. Azure File Sync takes share-level and file-level snapshots as part of regular usage, which can increase your total Azure Files bill.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Set a retention period so that soft-deleted files don't pile up and increase the cost of capacity. After the configured retention period, permanently deleted data doesn't incur cost.",
+ "service": "Azure Files",
+ "text": "Set retention periods for the soft-delete feature, especially when you first start using it. Consider starting with a short retention period to better understand how the feature affects your bill. The minimum recommended retention period is seven days. When you soft delete standard and premium file shares, they're billed as used capacity rather than provisioned capacity. And premium file shares are billed at the snapshot rate while in the soft-delete state. Standard file shares are billed at the regular rate while in the soft-delete state.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Create maintenance and emergency recovery plans: Consider data protection features, backup and restore operations, and failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Monitor the health of your storage account: Create Storage insights dashboards to monitor availability, performance, and resiliency metrics. Set up alerts to identify and address problems in your system before your customers notice them. Use diagnostic settings to route resource logs to an Azure Monitor Logs workspace. Then you can query logs to investigate alerts more deeply.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Periodically review file share activity: Share activity can change over time. Move standard file shares to cooler access tiers, or you can provision or deprovision capacity for premium shares. When you move standard file shares to a different access tier, you incur a transaction charge. Move standard file shares only when needed to reduce your monthly bill.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "You can use your existing DevOps processes to deploy new storage accounts, and use Azure Policy to enforce their configuration.",
+ "service": "Azure Files",
+ "text": "Use infrastructure as code (IaC) to define the details of your storage accounts in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "You can track the health and operation of each of your accounts. Easily create dashboards and reports that stakeholders can use to track the health of your storage accounts.",
+ "service": "Azure Files",
+ "text": "Use Storage insights to track the health and performance of your storage accounts. Storage insights provides a unified view of the failures, performance, availability, and capacity for all your storage accounts.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Monitor provides a view of availability, performance, and resiliency for your file shares.",
+ "service": "Azure Files",
+ "text": "Use Monitor to analyze metrics, such as availability, latency, and usage, and to create alerts.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Plan for scale: Understand the scalability and performance targets for storage accounts, Azure Files, and Azure File Sync.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Understand your application and usage patterns to achieve predictable performance: Determine latency sensitivity, IOPS and throughput requirements, workload duration and frequency, and workload parallelization. Use Azure Files for multi-threaded applications to help you achieve the upper performance limits of a service. If most of your requests are metadata-centric, such as createfile, openfile, closefile, queryinfo, or querydirectory, the requests create poor latency that's higher than the read and write operations. If you have this problem, consider separating the file share into multiple file shares within the same storage account.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Choose the optimal storage account type: If your workload requires large amounts of IOPS, extremely fast data transfer speeds, or very low latency, then you should choose premium (FileStorage) storage accounts. You can use a standard general-purpose v2 account for most SMB file share workloads. The primary tradeoff between the two storage account types is cost versus performance.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Create storage accounts in the same regions as connecting clients to reduce latency: The farther you are from the Azure Files service, the greater the latency and the more difficult to achieve performance scale limits. This consideration is especially true when you access Azure Files from on-premises environments. If possible, ensure that your storage account and your clients are co-located in the same Azure region. Optimize for on-premises clients by minimizing network latency or by using an ExpressRoute connection to extend on-premises networks into the Microsoft cloud over a private connection.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Collect performance data: Monitor workload performance, including latency, availability, and usage metrics. Analyze logs to diagnose problems such as timeouts and throttling. Create alerts to notify you if a file share is being throttled, about to be throttled, or experiencing high latency.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Files",
+ "text": "Optimize for hybrid deployments: If you use Azure File Sync, sync performance depends on many factors: your Windows Server and the underlying disk configuration, network bandwidth between the server and the Azure storage, file size, total dataset size, and the activity on the dataset. To measure the performance of a solution that's based on Azure File Sync, determine the number of objects, such as files and directories, that you process per second.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "Increase throughput and IOPS while reducing the total cost of ownership. Performance benefits increase with the number of files that distribute load.",
+ "service": "Azure Files",
+ "text": "Enable SMB Multichannel for premium SMB file shares. SMB Multichannel allows an SMB 3.1.1 client to establish multiple network connections to an SMB Azure file share. SMB Multichannel only works when the feature is enabled on both client-side (your client) and service-side (Azure). On Windows clients, SMB Multichannel is enabled by default, but you need to enable it on your storage account.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Increase performance at scale, and reduce the total cost of ownership for NFS file shares.",
+ "service": "Azure Files",
+ "text": "Use the nconnect client-side mount option with NFS Azure file shares on Linux clients. Nconnect enables you to use more TCP connections between the client and the Azure Files premium service for NFSv4.1.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Avoid throttling to provide the best possible client experience.",
+ "service": "Azure Files",
+ "text": "Make sure your file share or storage account isn't being throttled, which can result in high latency, low throughput, or low IOPS. Requests are throttled when the IOPS, ingress, or egress limits are reached. For standard storage accounts, throttling occurs at the account level. For premium file shares, throttling usually occurs at the share level.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Deploy Azure Firewall in hub virtual networks or as part of Azure Virtual WAN hubs.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Leverage Availability Zones resiliency.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Create Azure Firewall Policy structure.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Review the Known Issue list.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Monitor Azure Firewall health state.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection. For more information on network topologies, see the Azure Cloud Adoption Framework documentation.",
+ "service": "Azure Firewall",
+ "text": "Use Azure Firewall Manager with traditional Hub & Spokes or Azure Virtual WAN network topologies to deploy and manage instances of Azure Firewall.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Delegate incremental firewall policies to local security teams through role-based access control (RBAC). Some settings are specific per instance, for example DNAT Rules and DNS configuration, then multiple specialized policies might be required.",
+ "service": "Azure Firewall",
+ "text": "Create Azure Firewall Policies to govern the security posture across global network environments. Assign policies to all instances of Azure Firewall.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "For existing deployments, migrate Azure Firewall rules to Azure Firewall Manager policies. Use Azure Firewall Manager to centrally manage your firewalls and policies. For more information, see Migrate to Azure Firewall Premium.",
+ "service": "Azure Firewall",
+ "text": "Migrate Azure Firewall Classic Rules to Azure Firewall Manager Policies for existing deployments.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure Firewall Product Group maintains an updated list of known-issues at this location. This list contains important information related to by-design behavior, fixes under construction, platform limitations, along with possible workarounds or mitigation.",
+ "service": "Azure Firewall",
+ "text": "Review the list of Azure Firewall Known Issues.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "There are limits on the policy structure, including numbers of Rules and Rule Collection Groups, total policy size, source/target destinations. Be sure to compose your policy and stay behind the documented thresholds.",
+ "service": "Azure Firewall",
+ "text": "Ensure your Azure Firewall Policy adheres to Azure Firewall limits and recommendations.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure Firewall provides different SLAs when it's deployed in a single availability zone and when it's deployed in multiple zones. For more information, see SLA for Azure Firewall. For information about all Azure SLAs, see SLA summary for Azure services.",
+ "service": "Azure Firewall",
+ "text": "Deploy Azure Firewall across multiple availability zones for higher service-level agreement (SLA).",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "For traditional Hub & Spokes architectures, multi-region details are explained in this article. For secured virtual hubs (Azure Virtual WAN), Routing Intent and Policies must be configured to secure inter-hub and branch-to-branch communications. For workloads designed to be resistant to failures and fault tolerant, remember to consider that instances of Azure Firewall and Azure Virtual Network as regional resources.",
+ "service": "Azure Firewall",
+ "text": "In multi-region environments, deploy an Azure Firewall instance per region.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Closely monitor key metrics indicator of Azure Firewall health state such as Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics. Additionally, Azure Firewall now integrates with Azure Resource Health. With the Azure Firewall Resource Health check, you can now view the health status of your Azure Firewall and address service problems that might affect your Azure Firewall resource.",
+ "service": "Azure Firewall",
+ "text": "Monitor Azure Firewall Metrics and Resource Health state.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Determine if you need Forced Tunneling.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Create rules for Policies based on least privilege access criteria.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Leverage Threat Intelligence.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Enable Azure Firewall DNS proxy.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Direct network traffic through Azure Firewall.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Determine if you want to use third-party security as a service (SECaaS) providers.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Protect your Azure Firewall public IP addresses with DDoS.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in the forced tunneling mode. Using the forced tunneling feature, you'll need another /26 address space for the Azure Firewall Management subnet. You're required to name it AzureFirewallManagementSubnet.If this is an existing Azure Firewall instance that can't be reconfigured in the forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. Associate it with AzureFirewallSubnet to maintain internet connectivity.",
+ "service": "Azure Firewall",
+ "text": "If required to route all internet-bound traffic to a designated next hop instead of going directly to the internet, configure Azure Firewall in forced tunneling mode (does not apply to Azure Virtual WAN).",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "When you deploy a new Azure Firewall instance, if you enable the forced tunneling mode, you can set the public IP address to None to deploy a fully private data plane. However, the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks won't use that public IP. For more about forced tunneling, see Azure Firewall forced tunneling.",
+ "service": "Azure Firewall",
+ "text": "Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in the forced tunneling mode (does not apply to Azure Virtual WAN).",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Each policy can contains different sets of DNAT, Network and Application rules with specific priority, action and processing order. Create your rules based on least privilege access Zero Trust principle . How rules are processed is explained in this article.",
+ "service": "Azure Firewall",
+ "text": "Create rules for Firewall Policies based on least privilege access criteria.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "IDPS is one of the most powerful Azure Firewall (Premium) security features and should be enabled. Based on security and application requirements, and considering the performance impact (see the Cost section below), Alert or Alert and deny modes can be selected.",
+ "service": "Azure Firewall",
+ "text": "Enable IDPS in Alert or Alert and deny mode.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Enabling this feature points clients in the VNets to Azure Firewall as a DNS server. It will protect internal DNS infrastructure that will not be directly accessed and exposed. Azure Firewall must be also configured to use custom DNS that will be used to forward DNS queries.",
+ "service": "Azure Firewall",
+ "text": "Enable Azure Firewall (DNS) proxy configuration.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "In a traditional Hub & Spokes architecture, configure UDRs to force traffic through Azure Firewall for `SpoketoSpoke`, `SpoketoInternet`, and `SpoketoHybrid` connectivity. In Azure Virtual WAN, instead, configure Routing Intent and Policies to redirect private and/or Internet traffic through the Azure Firewall instance integrated into the hub.",
+ "service": "Azure Firewall",
+ "text": "Configure user-defined routes (UDR) to force traffic through Azure Firewall.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "With explicit proxy feature enabled on the outbound path, you can configure a proxy setting on the sending web application (such as a web browser) with Azure Firewall configured as the proxy. As a result, web traffic will reach the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the usage of multiple firewalls without modifying existing network routes.",
+ "service": "Azure Firewall",
+ "text": "If not possible to apply UDR, and only web traffic redirection is required, consider using Azure Firewall as an Explicit Proxy",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "You can use your familiar, best-in-breed, third-party SECaaS offerings to protect internet access for your users. This scenario does require Azure Virtual WAN with a S2S VPN Gateway in the Hub, as it uses an IPSec tunnel to connect to the provider's infrastructure. SECaaS providers might charge additional license fees and limit throughput on IPSec connections. Alternative solutions such as ZScaler Cloud Connector exist and might be more suitable.",
+ "service": "Azure Firewall",
+ "text": "Configure supported third-party software as a service (SaaS) security providers within Firewall Manager if you want to use these solutions to protect outbound connections.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "You can use FQDN based on DNS resolution in Azure Firewall and firewall policies. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable the Azure Firewall DNS Proxy configuration to use FQDNs in your network rules. To learn how it works, see Azure Firewall FQDN filtering in network rules.",
+ "service": "Azure Firewall",
+ "text": "Use Fully Qualified Domain Name (FQDN) filtering in network rules.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. Using Service Tags in Network Rules, it is possible to enable outbound access to specific services in Azure, Dynamics and Office 365 without opening wide ranges of IP addresses. Azure will maintain automatically the mapping between these tags and underlying IP addresses used by each service. The list of Service Tags available to Azure Firewall are listed here: Az Firewall Service Tags.",
+ "service": "Azure Firewall",
+ "text": "Use Service Tags in Network Rules to enable selective access to specific Microsoft services.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for some specific Azure services, Office 365, Windows 365 and Intune.",
+ "service": "Azure Firewall",
+ "text": "Use FQDN Tags in Application Rules to enable selective access to specific Microsoft services.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "A DDoS protection plan provides enhanced mitigation features to defend your firewall from DDoS attacks. Azure Firewall Manager is an integrated tool to create your firewall infrastructure and DDoS protection plans. For more information, see Configure an Azure DDoS Protection Plan using Azure Firewall Manager.",
+ "service": "Azure Firewall",
+ "text": "Use Azure Firewall Manager to create and associate a DDoS protection plan with your hub virtual network (does not apply to Azure Virtual WAN).",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "With Azure Firewall Premium, if TLS Inspection feature is used, it is recommended to leverage an internal Enterprise Certification Authority (CA) for production environment. Self-signed certificates should be used for testing/PoC purposes only.",
+ "service": "Azure Firewall",
+ "text": "Use an Enterprise PKI to generate certificates for TLS Inspection.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "If your security requirements necessitate implementing a Zero-Trust approach for web applications (inspection and encryption), it is recommended to follow this guide. In this document, how to integrate together Azure Firewall and Application Gateway will be explained, in both traditional Hub & Spoke and Virtual WAN scenarios.",
+ "service": "Azure Firewall",
+ "text": "Review Zero-Trust configuration guide for Azure Firewall and Application Gateway",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Select the Azure Firewall SKU to deploy.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Determine if some instances don't need permanent 24x7 allocation.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Determine where you can optimize firewall use across workloads.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Monitor and optimize firewall instances usage to determine cost-effectiveness.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Review and optimize the number of public IP addresses required and Policies used.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Review logging requirements, estimate cost and control over time.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "Azure Firewall can be deployed in three different SKUs: Basic, Standard and Premium. Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). Azure Firewall Standard is recommended for customers looking for Layer 3–Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. Azure Firewall Basic is recommended for SMB customers with throughput needs of 250 Mbps. If required, downgrade or upgrade is possible between Standard and Premium as documented here. For more information, see Choose the right Azure Firewall SKU to meet your needs.",
+ "service": "Azure Firewall",
+ "text": "Deploy the proper Azure Firewall SKU.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "You might have development or testing environments that are used only during business hours. For more information, see Deallocate and allocate Azure Firewall.",
+ "service": "Azure Firewall",
+ "text": "Stop Azure Firewall deployments that don't need to run for 24x7.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same firewall across many spoke virtual networks that are connected to the same hub from the same region. Ensure there's no unexpected cross-region traffic as part of the hub-spoke topology.",
+ "service": "Azure Firewall",
+ "text": "Share the same instance of Azure Firewall across multiple workloads and Azure Virtual Networks.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Top Flows log (known in the industry as Fat Flows), shows the top connections that are contributing to the highest throughput through the firewall. It is recommended to regularly review traffic processed by the Azure Firewall and search for possible optimizations to reduce the amount of traffic traversing the firewall.",
+ "service": "Azure Firewall",
+ "text": "Regularly review traffic processed by Azure Firewall and look for originating workload optimizations",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "To identify unused Azure Firewall deployments, start by analyzing the monitoring metrics and UDRs associated with subnets pointing to the firewall's private IP. Combine that information with other validations, such as if your instance of Azure Firewall has any rules (classic) for NAT, Network and Application, or even if the DNS Proxy setting is configured to Disabled, and with internal documentation about your environment and deployments. You can detect deployments that are cost-effective over time. For more information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
+ "service": "Azure Firewall",
+ "text": "Review under-utilized Azure Firewall instances. Identify and delete unused Azure Firewall deployments.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Review your Firewall Manager policies, associations, and inheritance carefully. Policies are billed based on firewall associations. A policy with zero or one firewall association is free of charge. A policy with multiple firewall associations is billed at a fixed rate.For more information, see Pricing - Azure Firewall Manager.",
+ "service": "Azure Firewall",
+ "text": "Use Azure Firewall Manager and its Policies to reduce operational costs, increase efficiency, and reduce management overhead.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Validate whether all the associated public IP addresses are in use. If they aren't in use, disassociate and delete them. Evaluate SNAT port utilization before removing any IP addresses.You'll only use the number of public IPs your firewall needs. For more information, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
+ "service": "Azure Firewall",
+ "text": "Delete unused public IP addresses.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Azure Firewall has the ability to comprehensively log metadata of all traffic it sees, to Log Analytics Workspaces, Storage or third party solutions through Event Hubs. However, all logging solutions incur costs for data processing and storage. At very large volumes these costs can be significant, a cost effective approach and alternative to Log Analytics should be considered and cost estimated. Consider whether it is required to log traffic metadata for all logging categories and modify in Diagnostic Settings if needed.",
+ "service": "Azure Firewall",
+ "text": "Review logging requirements.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Maintain inventory and backup of Azure Firewall configuration and Policies.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Leverage diagnostic logs for firewall monitoring and troubleshooting.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Leverage Azure Firewall Monitoring workbook.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Regularly review your Policy insights and analytics.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Integrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "Azure Firewall should be used to control traffic across VNets, between VNets and on-premises networks, outbound traffic to the Internet and incoming non-HTTP/s traffic. For intra-VNet traffic control, it is recommended to use Network Security Groups.",
+ "service": "Azure Firewall",
+ "text": "Do not use Azure Firewall for intra-VNet traffic control.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "If Infrastructure-as-Code (IaC) approach is used to maintain Azure Firewall and all dependencies then backup and versioning of Azure Firewall Policies should be already in place. If not, a companion mechanism based on external Logic App can be deployed to automate and provide an effective solution.",
+ "service": "Azure Firewall",
+ "text": "Maintain regular backups of Azure Policy artifacts.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Diagnostic Logs is a key component for many monitoring tools and strategies for Azure Firewall and should be enabled. You can monitor Azure Firewall by using firewall logs or workbooks. You can also use activity logs for auditing operations on Azure Firewall resources.",
+ "service": "Azure Firewall",
+ "text": "Enable Diagnostic Logs for Azure Firewall.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Structured Firewall Logs are a type of log data that are organized in a specific new format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze. The latest monitoring tools are based on this type of logs hence it is often a pre-requisite. Use the previous Diagnostic Logs format only if there is an existing tool with a pre-requisite on that. Do not enable both logging formats at the same time.",
+ "service": "Azure Firewall",
+ "text": "Use Structured Firewall Logs format.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Azure Firewall portal experience now includes a new workbook under the Monitoring section UI, a separate installation is no more required. With the Azure Firewall Workbook, you can extract valuable insights from Azure Firewall events, delve into your application and network rules, and examine statistics regarding firewall activities across URLs, ports, and addresses.",
+ "service": "Azure Firewall",
+ "text": "Use the built-in Azure Firewall Monitoring Workbook.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Alerts should be created to monitor at least Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics.For information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics.",
+ "service": "Azure Firewall",
+ "text": "Monitor key metrics and create alerts for indicators of the utilization of Azure Firewall capacity.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "If these tools are available in the environment, it is recommended to leverage integration with Microsoft Defender for Cloud and Microsoft Sentinel solutions. With Microsoft Defender for Cloud integration, you can visualize the all-up status of network infrastructure and network security in one place, including Azure Network Security across all VNets and Virtual Hubs spread across different regions in Azure. Integration with Microsoft Sentinel provides threat detection and prevention capabilities.",
+ "service": "Azure Firewall",
+ "text": "Configure Azure Firewall integration with Microsoft Defender for Cloud and Microsoft Sentinel.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
+ "service": "Azure Firewall",
+ "text": "Regularly review Policy Analytics dashboard to identify potential issues.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Sample queries are provided for Azure Firewall. Those will enable you to quickly identify what's happening inside your firewall and check to see which rule was triggered, or which rule is allowing/blocking a request.",
+ "service": "Azure Firewall",
+ "text": "Become familiar with KQL (Kusto Query Language) queries to allow quick analysis and troubleshooting using Azure Firewall logs.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Regularly review and optimize firewall rules.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Review policy requirements and opportunities to summarize IP ranges and URLs list.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Assess your SNAT port requirements.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Plan load tests to test auto-scale performance in your environment.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Firewall",
+ "text": "Do not enable diagnostic tools and logging if not required.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
+ "service": "Azure Firewall",
+ "text": "Use Policy Analytics dashboard to identify potential optimizations for Firewall Policies.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Instead of explicitly building and maintaining a long list of public Internet sites, consider the usage of Azure Firewall Web Categories. This feature will dynamically categorize web content and will permit the creation of compact Application Rules.",
+ "service": "Azure Firewall",
+ "text": "Consider Web Categories to allow or deny outbound access in bulk.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "If Azure Firewall is required to operate in IDPS mode Alert and deny, carefully consider the performance impact as documented in this page.",
+ "service": "Azure Firewall",
+ "text": "Evaluate the performance impact of IDPS in Alert and deny mode.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Azure Firewall currently supports 2496 ports per Public IP address per backend Virtual Machine Scale Set instance. By default, there are two Virtual Machine Scale Set instances. So, there are 4992 ports per flow destination IP, destination port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances. You can work around the limits by configuring Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion.",
+ "service": "Azure Firewall",
+ "text": "Assess potential SNAT port exhaustion problem.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Create initial traffic that isn't part of your load tests 20 minutes before the test. Use diagnostics settings to capture scale-up and scale-down events. You can use the Azure Load Testing service to generate the initial traffic. Allows the Azure Firewall instance to scale up its instances to the maximum.",
+ "service": "Azure Firewall",
+ "text": "Properly warm up Azure Firewall before any performance test.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Azure Firewall is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the instance of Azure Firewall. Azure Firewall provisions more capacity as it scales.A /26 address space for its subnets ensures that the firewall has enough IP addresses available to accommodate the scaling. Azure Firewall doesn't need a subnet bigger than /26. The Azure Firewall subnet name must be AzureFirewallSubnet.",
+ "service": "Azure Firewall",
+ "text": "Configure an Azure Firewall subnet (AzureFirewallSubnet) with a /26 address space.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Azure Firewall provides some advanced logging capabilities that can be expensive to maintain always active. Instead, they should be used for troubleshooting purposes only, and limited in duration, then disabled when no more necessary. For example, Top flows and Flow trace logs are expensive can cause excessive CPU and storage usage on the Azure Firewall infrastructure.",
+ "service": "Azure Firewall",
+ "text": "Do not enable advanced logging if not required",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Estimate the traffic pattern and volume. The number of requests from the client to the Azure Front Door edge might influence your tier choice. If you need to support a high volume of requests, consider the Azure Front Door Premium tier because performance ultimately impacts availability. However, there's a cost tradeoff. These tiers are described in Performance Efficiency.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Choose your deployment strategy. The fundamental deployment approaches are active-active and active-passive. Active-active deployment means that multiple environments or stamps that run the workload serve traffic. Active-passive deployment means that only the primary region handles all traffic, but it fails over to the secondary region when necessary. In a multiregion deployment, stamps run in different regions for higher availability with a global load balancer, like Azure Front Door, that distributes traffic. Therefore, it's important to configure the load balancer for the appropriate deployment approach.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Use the same host name on Azure Front Door and origin servers. To ensure that cookies or redirect URLs work properly, preserve the original HTTP host name when you use a reverse proxy, like a load balancer, in front of a web application.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Implement the health endpoint monitoring pattern. Your application should expose health endpoints, which aggregate the state of the critical services and dependencies that your application needs to serve requests. Azure Front Door health probes use the endpoint to detect origin servers' health. For more information, see Health Endpoint Monitoring pattern.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Take advantage of the built-in content delivery network functionality in Azure Front Door. The content delivery network feature of Azure Front Door has hundreds of edge locations and can help withstand distributed denial of service (DDoS) attacks. These capabilities help improve reliability.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Consider a redundant traffic management option. Azure Front Door is a globally distributed service that runs as a singleton in an environment. Azure Front Door is a potential single point of failure in the system. If the service fails, then clients can't access your application during the downtime.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "You can select the best origin resource by using a series of decision steps and your design. The selected origin serves traffic within the allowable latency range in the specified ratio of weights.",
+ "service": "Azure Front Door",
+ "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Multiple origins support redundancy by distributing traffic across multiple instances of the application. If one instance is unavailable, then other back-end origins can still receive traffic.",
+ "service": "Azure Front Door",
+ "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Enabled health probes are part of the health monitoring pattern implementation. Health probes make sure that Azure Front Door only routes traffic to instances that are healthy enough to handle requests. For more information, see Best practices on health probes.",
+ "service": "Azure Front Door",
+ "text": "Set up health probes on the origin. Configure Azure Front Door to conduct health checks to determine if the back-end instance is available and ready to continue receiving requests.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Timeouts help prevent performance issues and availability issues by terminating requests that take longer than expected to complete.",
+ "service": "Azure Front Door",
+ "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout. For more information, see Troubleshooting unresponsive requests.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Set the same host name to prevent malfunction with session affinity, authentication, and authorization. For more information, see Preserve the original HTTP host name between a reverse proxy and its back-end web application.",
+ "service": "Azure Front Door",
+ "text": "Use the same host name on Azure Front Door and your origin. Azure Front Door can rewrite the host header of incoming requests, which is useful when you have multiple custom domain names that route to one origin. However, rewriting the host header might cause issues with request cookies and URL redirection.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "With session affinity, user connections stay on the same origin during the user session. If that origin becomes unavailable, the user experience might be disrupted.",
+ "service": "Azure Front Door",
+ "text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Limit requests to prevent clients from sending too much traffic to your application. Rate limiting can help you avoid problems like a retry storm.",
+ "service": "Azure Front Door",
+ "text": "Take advantage of the rate-limiting rules that are included with a web application firewall (WAF).",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Review the security baseline for Azure Front Door.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Protect the back-end servers. The front end acts as the single point of ingress to the application.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Allow only authorized access to the control plane. Use Azure Front Door role-based access control (RBAC) to restrict access to only the identities that need it.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Block common threats at the edge. WAF is integrated with Azure Front Door. Enable WAF rules on the front ends to protect applications from common exploits and vulnerabilities at the network edge, closer to the attack source.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Protect Azure Front Door against unexpected traffic. Azure Front Door uses the basic plan of Azure DDoS protection to protect application endpoints from DDoS attacks. If you need to expose other public IP addresses from your application, consider adding the DDoS Protection standard plan for those addresses for advanced protection and detection capabilities.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Protect data in transit. Enable end-to-end Transport Layer Security (TLS), HTTP to HTTPS redirection, and managed TLS certificates when applicable. For more information, see TLS best practices for Azure Front Door.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Monitor anomalous activity. Regularly review the logs to check for attacks and false positives. Send WAF logs from Azure Front Door to your organization's centralized security information and event management (SIEM), such as Microsoft Sentinel, to detect threat patterns and incorporate preventative measures in the workload design.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Default rule sets are updated frequently based on OWASP top-10 attack types and information from Microsoft Threat Intelligence. The specialized rule sets detect certain use cases. For example, bot rules classify bots as good, bad, or unknown based on the client IP addresses. They also block bad bots and known IP addresses and restrict traffic based on geographical location of the callers. By using a combination of rule sets, you can detect and block attacks with various intents.",
+ "service": "Azure Front Door",
+ "text": "Enable WAF rule sets that detect and block potentially malicious traffic. This feature is available on the Premium tier. We recommend these rule sets: - Default- Bot protection- IP restriction- Geo-filtering- Rate limiting",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Reduce false positives and allow legitimate requests for your application.",
+ "service": "Azure Front Door",
+ "text": "Create exclusions for managed rule sets. Test a WAF policy in detection mode for a few weeks and adjust any false positives before you deploy it.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "TLS ensures that data exchanges between the browser, Azure Front Door, and the back-end origins are encrypted to prevent tampering. Key Vault offers managed certificate support and simple certificate renewal and rotation.",
+ "service": "Azure Front Door",
+ "text": "Enable end-to-end TLS, HTTP to HTTPS redirection, and managed TLS certificates when applicable. Review the TLS best practices for Azure Front Door. Use TLS version 1.2 as the minimum allowed version with ciphers that are relevant for your application. Azure Front Door managed certificates should be your default choice for ease of operations. However, if you want to manage the lifecycle of the certificates, use your own certificates in Azure Front Door custom domain endpoints and store them in Key Vault.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Review Azure Front Door tiers and pricing. Use the pricing calculator to estimate the realistic costs for each tier. Compare the features and suitability of each tier for your scenario. For instance, only the Premium tier supports connecting to your origin via Private Link.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Consider bandwidth costs. The bandwidth costs of Azure Front Door depend on the tier that you choose and the type of data transfer. Azure Front Door provides built-in reports for billable metrics. To assess your costs related to bandwidth and where you can focus your optimization efforts, see Azure Front Door reports.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Optimize incoming requests. Azure Front Door bills the incoming requests. You can set restrictions in your design configuration.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Use resources efficiently. Azure Front Door uses a routing method that helps with resource optimization. Unless the workload is extremely latency sensitive, distribute traffic evenly across all environments to effectively use deployed resources.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Consider using a shared instance that's provided by the organization. Costs incurred from centralized services are shared between the workloads. However, consider the tradeoff with reliability. For mission-critical applications that have high availability requirements, we recommend an autonomous instance.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Pay attention to the amount of data logged. Costs related to both bandwidth and storage can accrue if certain requests aren't necessary or if logging data is retained for a long period of time.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "Caching optimizes data transfer costs because it reduces the number of calls from your Azure Front Door instance to the origin.",
+ "service": "Azure Front Door",
+ "text": "Use caching for endpoints that support it.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Compression reduces bandwidth consumption and improves performance.",
+ "service": "Azure Front Door",
+ "text": "Consider enabling file compression. For this configuration, the application must support compression and caching must be enabled.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "You can save on bandwidth costs by disabling requests that aren't required to make routing decisions.",
+ "service": "Azure Front Door",
+ "text": "Disable health checks in single back-end pools.If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Use infrastructure as code (IaC) technologies. Use IaC technologies like Bicep and Azure Resource Manager templates to provision the Azure Front Door instance. These declarative approaches provide consistency and straightforward maintenance. For example, by using IaC technologies, you can easily adopt new ruleset versions.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Simplify configurations. Use Azure Front Door to easily manage configurations. For example, suppose your architecture supports microservices. Azure Front Door supports redirection capabilities, so you can use path-based redirection to target individual services.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Handle progressive exposure by using Azure Front Door routing methods. For a weighted load balancing approach you can use a canary deployment to send a specific percentage of traffic to a back end. This approach helps you test new features and releases in a controlled environment before you roll them out.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Collect and analyze Azure Front Door operational data as part of your workload monitoring. Capture relevant Azure Front Door logs and metrics with Azure Monitor Logs. This data helps you troubleshoot, understand user behaviors, and optimize operations.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Offload certificate management to Azure. Ease the operational burden associated with certification rotation and renewals.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "When redirection is enabled, Azure Front Door automatically redirects clients that are using older protocol to use HTTPS for a secure experience.",
+ "service": "Azure Front Door",
+ "text": "Use HTTP to HTTPS redirection to support forward compatibility.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Monitoring ingress flow is a crucial part of monitoring an application. You want to track requests and make performance and security improvements. You need data to debug your Azure Front Door configuration. With alerts in place, you can get instant notifications of any critical operational issues.",
+ "service": "Azure Front Door",
+ "text": "Capture logs and metrics. Include resource activity logs, access logs, health probe logs, and WAF logs. Set up alerts.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "A holistic view of your Azure Front Door profile helps drive improvements based on traffic and security reports through WAF metrics.",
+ "service": "Azure Front Door",
+ "text": "Review the built-in analytics reports.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Azure Front Door can issue and manage certificates for you. This feature eliminates the need for certificate renewals and minimizes the risk of an outage due to an invalid or expired TLS certificate.",
+ "service": "Azure Front Door",
+ "text": "Use managed TLS certificates when possible.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "You don't need to modify the configuration to add or specify each subdomain separately.",
+ "service": "Azure Front Door",
+ "text": "Use wildcard TLS certificates.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Plan capacity by analyzing your expected traffic patterns. Conduct thorough testing to understand how your application performs under different loads. Consider factors like simultaneous transactions, request rates, and data transfer.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Analyze performance data by regularly reviewing Azure Front Door reports. These reports provide insights into various metrics that serve as performance indicators at the technology level.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Optimize data transfers.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Optimize the use of health probes. Get health information from health probes only when the state of the origins change. Strike a balance between monitoring accuracy and minimizing unnecessary traffic.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Review the origin routing method. Azure Front Door provides various routing methods, including latency-based, priority-based, weighted, and session affinity-based routing, to the origin. These methods significantly affect your application's performance. To learn more about the best traffic routing option for your scenario, see Traffic routing methods to origin.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Front Door",
+ "text": "Review the location of origin servers. Your origin servers' location impacts the responsiveness of your application. Origin servers should be closer to the users. Azure Front Door ensures that users from a specific location access the nearest Azure Front Door entry point. The performance benefits include faster user experience, better use of latency-based routing by Azure Front Door, and minimized data transfer time by using caching, which stores content closer to users.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "Azure Front Door offers a robust content delivery network solution that caches content at the edge of the network. Caching reduces the load on the back-end servers and reduces data movement across the network, which helps offload bandwidth usage.",
+ "service": "Azure Front Door",
+ "text": "Enable caching. You can optimize query strings for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Compression in Azure Front Door helps deliver content in the optimal format, has a smaller payload, and delivers content to the users faster.",
+ "service": "Azure Front Door",
+ "text": "Use file compression when you're accessing downloadable content.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "`HEAD` requests let you query a state change without fetching its entire content.",
+ "service": "Azure Front Door",
+ "text": "When you configure health probes in Azure Front Door, consider using `HEAD` requests instead of `GET` requests. The health probe reads only the status code, not the content.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Optimize performance and maintain continuity for user sessions, especially when applications rely on maintaining state information locally.",
+ "service": "Azure Front Door",
+ "text": "Evaluate whether you should enable session affinity when requests from the same user should be directed to the same back-end server. From a reliability perspective, we don't recommend this approach. If you use this option, the application should gracefully recover without disrupting user sessions. There's also a tradeoff on load balancing because it restricts the flexibility of distributing traffic across multiple back ends evenly.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: For critical workloads, use availability zones for your AKS clusters.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Plan the IP address space to ensure your cluster can reliably scale, including handling of failover traffic in multi-cluster topologies.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Enable Container insights to monitor your cluster and configure alerts for reliability-impacting events.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Ensure workloads are built to support horizontal scaling and report application readiness and health.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Ensure your workload is running on user node pools and chose the right size SKU. At a minimum, include two nodes for user node pools and three nodes for the system node pool.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use the AKS Uptime SLA to meet availability targets for production workloads.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Allows the Kubernetes scheduler to logically isolate workloads by hardware in the node. Unlike tolerations, pods without a matching node selector can be scheduled on labeled nodes, which allows unused resources on the nodes to consume, but gives priority to pods that define the matching node selector. Use node affinity for more flexibility, which allows you to define what happens if the pod can't be matched with a node.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Control pod scheduling using node selectors and affinity.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure CNI is required for specific scenarios, for example, Windows-based node pools, specific networking requirements and Kubernetes Network Policies. Reference Kubenet versus Azure CNI for more information.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Ensure proper selection of network plugin based on network requirements and cluster sizing.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The AKS Uptime SLA guarantees: - `99.95%` availability of the Kubernetes API server endpoint for AKS Clusters that use Azure Availability Zones, or - `99.9%` availability for AKS Clusters that don't use Azure Availability Zones.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Use the AKS Uptime SLA for production grade clusters.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Container insights help monitor the health and performance of controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Integration with Prometheus enables collection of application and workload metrics.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down. If colocality requirements exist, either a regular VMSS-based AKS deployment into a single zone or proximity placement groups can be used to minimize internode latency.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use availability zones to maximize resilience within an Azure region by distributing AKS agent nodes across physically separate data centers.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Container CPU and memory resource limits are necessary to prevent resource exhaustion in your Kubernetes cluster.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Define Pod resource requests and limits in application deployment manifests, and enforce with Azure Policy.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "System node pools require a VM SKU of at least 2 vCPUs and 4 GB memory, but 4 vCPU or more is recommended. Reference System and user node pools for detailed requirements.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Keep the System node pool isolated from application workloads.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Applications may share the same configuration and need GPU-enabled VMs, CPU or memory optimized VMs, or the ability to scale-to-zero. Avoid large number of node pools to reduce extra management overhead.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Separate applications to dedicated node pools based on specific requirements.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "To avoid reliability issues with Azure Load Balancer limitations with high concurrent outbound traffic, us a NAT Gateway instead to support reliable egress traffic at scale.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use a NAT gateway for clusters that run workloads that make many concurrent outbound connections.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use Managed Identities to avoid managing and rotating service principles.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use Kubernetes role-based access control (RBAC) with Microsoft Entra ID for least privilege access and minimize granting administrator privileges to protect configuration, and secrets access.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use Microsoft Defender for containers with Azure Sentinel to detect and quickly respond to threats across your cluster and workloads running on them.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Deploy a private AKS cluster to ensure cluster management traffic to your API server remains on your private network. Or use the API server allow list for non-private clusters.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Ensure your CI/CID pipeline is hardened with container-aware scanning.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Using Microsoft Entra ID centralizes the identity management component. Any change in user account or group status is automatically updated in access to the AKS cluster. The developers and application owners of your Kubernetes cluster need access to different resources.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use Microsoft Entra integration.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "AKS and Microsoft Entra ID enables authentication with Azure Container Registry without the use of `imagePullSecrets` secrets. Review Authenticate with Azure Container Registry from Azure Kubernetes Service for more information.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Authenticate with Microsoft Entra ID to Azure Container Registry.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "By default, network traffic between your node pools and the API server travels the Microsoft backbone network; by using a private cluster, you can ensure network traffic to your API server remains on the private network only.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Secure network traffic to your API server with private AKS cluster.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "When using public clusters, you can still limit the traffic that can reach your clusters API server by using the authorized IP range feature. Include sources like the public IPs of your deployment build agents, operations management, and node pools' egress point (such as Azure Firewall).",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: For non-private AKS clusters, use API server authorized IP ranges.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Securing access to the Kubernetes API Server is one of the most important things you can do to secure your cluster. Integrate Kubernetes role-based access control (RBAC) with Microsoft Entra ID to control access to the API server. Disable local accounts to enforce all cluster access using Microsoft Entra ID-based identities.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Protect the API server with Microsoft Entra RBAC.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Secure and control network traffic between pods in a cluster.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use Azure network policies or Calico.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure Policy can help to apply at-scale enforcement and safeguards on your clusters in a centralized, consistent manner. It can also control what functions pods are granted and if anything is running against company policy.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Secure clusters and pods with Azure Policy.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Limit access to actions that containers can perform. Provide the least number of permissions, and avoid the use of root or privileged escalation.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Secure container access to resources.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "To scan incoming traffic for potential attacks, use a web application firewall such as Azure Web Application Firewall (WAF) on Azure Application Gateway or Azure Front Door.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Ensure your cluster's outbound traffic is passing through a network security point such as Azure Firewall or an HTTP proxy.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Control cluster egress traffic.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Protect and rotate secrets, certificates, and connection strings in Azure Key Vault with strong encryption. Provides an access audit log, and keeps core secrets out of the deployment pipeline.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use the open-source Microsoft Entra Workload ID and Secrets Store CSI Driver with Azure Key Vault.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Monitor and maintain the security of your clusters, containers, and their applications.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use Microsoft Defender for Containers.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use appropriate VM SKU per node pool and reserved instances where long-term capacity is expected.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Use appropriate managed disk tier and size.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Review performance metrics, starting with CPU, memory, storage, and network, to identify cost optimization opportunities by cluster, nodes, and namespace.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architecture: Use autoscalers to scale in when workloads are less active.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "Matching your selection to your workload demands ensures you don't pay for unneeded resources.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Align SKU selection and managed disk size with workload requirements.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Selecting the right virtual machine instance type is critical as it directly impacts the cost of running applications on AKS. Choosing a high-performance instance without proper utilization can lead to wasteful spending, while choosing a powerful instance can lead to performance issues and increased downtime. To determine the right virtual machine instance type, consider workload characteristics, resource requirements, and availability needs.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Select the right virtual machine instance type.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "AKS supports creating ARM64 Ubuntu agent nodes, as well as a of mix Intel and ARM architecture nodes within a cluster that can bring better performance at a lower cost.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Select virtual machines based on the Arm architecture.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Spot VMs allow you to take advantage of unutilized Azure capacity with significant discounts (up to 90% as compared to pay-as-you-go prices). If Azure needs capacity back, the Azure infrastructure evicts the Spot nodes.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Select Azure Spot Virtual Machines.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Due to many factors, cost of resources varies per region in Azure. Evaluate the cost, latency, and compliance requirements to ensure you are running your workload cost-effectively and it doesn't affect your end-users or create extra networking charges.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Select the appropriate region.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Streamlining your images helps reduce costs since new nodes need to download these images. Build images in a way that allows the container start as soon as possible to help avoid user request failures or timeouts while the application is starting up, potentially leading to overprovisioning.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Maintain small and optimized images.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Automatically scaling down the number of nodes in your AKS cluster lets you run an efficient cluster when demand is low and scale up when demand returns.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Enable Cluster Autoscaler to automatically reduce the number of agent nodes in response to excess resource capacity.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Node Autoprovision simplifies the SKU selection process and decides, based on pending pod resource requirements, the optimal VM configuration to run workloads in the most efficient and cost effective manner.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Enable Node Autoprovision to automate VM SKU selection.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Adjust the number of pods in a deployment depending on CPU utilization or other select metrics, which support cluster scale-in operations.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use the Horizontal Pod Autoscaler.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Rightsize your pods and dynamically set requests and limits based on historic usage.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use Vertical Pod Autoscaler (preview).",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Scale based on the number of events being processed. Choose from a rich catalogue of 50+ KEDA scalers.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use Kubernetes Event Driven Autoscaling (KEDA).",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "The foundation of enabling cost optimization is the spread of a cost saving cluster. A financial operations approach (FinOps) is often used to help organizations reduce cloud costs. It is a practice involving collaboration between finance, operations, and engineering teams to drive alignment on cost saving goals and bring transparency to cloud costs.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Adopt a cloud financial discipline and cultural practice to drive ownership of cloud usage.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "If you properly planned for capacity, your workload is predictable and exists for an extended period of time, sign up for an Azure Reservation or a savings plan to further reduce your resource costs.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Sign up for Azure Reservations or Azure Savings Plan.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Container insights help provides actionable insights into your clusters idle and unallocated resources. Container insights also supports collecting Prometheus metrics and integrates with Azure Managed Grafana to get a holistic view of your application and infrastructure.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Configure monitoring of cluster with Container insights.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "The cost analysis cluster extension enables you to obtain granular insight into costs associated with various Kubernetes resources in your clusters or namespaces.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Configure the AKS Cost Analysis add-on.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use a template-based deployment using Bicep, Terraform, or others. Make sure that all deployments are repeatable, traceable, and stored in a source code repo.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Build an automated process to ensure your clusters are bootstrapped with the necessary cluster-wide configurations and deployments. This is often performed using GitOps.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use a repeatable and automated deployment processes for your workload within your software development lifecycle.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Enable diagnostics settings to ensure control plane or core API server interactions are logged.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Enable Container insights to collect metrics, logs, and diagnostics to monitor the availability and performance of the cluster and workloads running on it.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: The workload should be designed to emit telemetry that can be collected, which should also include liveliness and readiness statuses.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Use chaos engineering practices that target Kubernetes to identify application or platform reliability issues.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Optimize your workload to operate and deploy efficiently in a container.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Enforce cluster and workload governance using Azure Policy.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "To build and run applications successfully in AKS, there are key considerations to understand and implement. These areas include multi-tenancy and scheduler features, cluster, and pod security, or business continuity and disaster recovery.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Review AKS best practices documentation.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Azure Chaos Studio can help simulate faults and trigger disaster recovery situations.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Review Azure Chaos Studio.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Container insights help monitor the performance of containers by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API and container logs.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Configure Application Insights for code-based monitoring of applications running in an AKS cluster.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Monitor application performance with Azure Monitor.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Container insights, which are part of Azure Monitor, provide a seamless onboarding experience to collect Prometheus metrics. Reference Configure scraping of Prometheus metrics for more information.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Configure scraping of Prometheus metrics with Container insights.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Azure Policy can help to apply at-scale enforcement and safeguards on your clusters in a centralized, consistent manner. It can also control what functions pods are granted and if anything is running against company policy.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Operationalize clusters and pods configuration standards with Azure Policy.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Kubernetes and ingress controllers support many advanced deployment patterns for inclusion in your release engineering process. Consider patterns like blue-green deployments or canary releases.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use platform capabilities in your release engineering process.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Automate your mission-critical design areas, including deployment and testing.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: For mission-critical workloads, use stamp-level blue/green deployments.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Perform and iterate on a detailed capacity plan exercise that includes SKU, autoscale settings, IP addressing, and failover considerations.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Enable cluster autoscaler to automatically adjust the number of agent nodes in response workload demands.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Use the Horizontal pod autoscaler to adjust the number of pods in a deployment depending on CPU utilization or other select metrics.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Perform ongoing load testing activities that exercise both the pod and cluster autoscaler.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Separate workloads into different node pools allowing independent scalling.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "After formalizing your capacity plan, it should be frequently updated by continuously observing the resource utilization of the cluster.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Develop a detailed capacity plan and continually review and revise.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "The ability to automatically scale up or down the number of nodes in your AKS cluster lets you run an efficient, cost-effective cluster.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster architecture: Enable cluster autoscaler to automatically adjust the number of agent nodes in response to resource constraints.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Unlike System node pools that always require running nodes, user node pools allow you to scale up or down.",
+ "service": "Azure Kubernetes Service",
+ "text": "Cluster and workload architectures: Separate workloads into different node pools and consider scaling user node pools.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Helps control balancing of resources for workloads that require them.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use AKS advanced scheduler features.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Not all scale decisions can be derived from CPU or memory metrics. Often scale considerations will come from more complex or even external data points. Use KEDA to build a meaningful auto scale ruleset based on signals that are specific to your workload.",
+ "service": "Azure Kubernetes Service",
+ "text": "Workload architecture: Use meaningful workload scaling metrics.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Resiliency: Deploy models to environments that support availability zones, such as AKS. By ensuring deployments are distributed across availability zones, you're ensuring a deployment is available even in the event of a datacenter failure. For enhanced reliability and availability, consider a multi-region deployment topology.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Resiliency: Ensure you have sufficient compute for both training and inferencing. Through resource planning, make sure your compute SKU and scale settings meet the requirements of your workload.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Resiliency: Segregate Machine Learning workspaces used for exploratory work from those used for production.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Resiliency: When using managed online endpoints for inferencing, use a release strategy such as blue-green deployments to minimize downtime and reduce the risk associated with deploying new versions.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Business requirements: Select your use of compute clusters, compute instances, and externalized inference hosts based on reliability needs, considering service-level agreements (SLAs) as a factor.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Recovery: Ensure you have self-healing capabilities, such as checkpointing features supported by Machine Learning, when training large models.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Recovery: Ensure you have a recovery strategy defined. Machine Learning doesn't have automatic failover. Therefore, you must design a strategy that encompasses the workspace and all its dependencies, such as Key Vault, Azure Storage, and Azure Container Registry.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "A multi-region deployment ensures that your Machine Learning workloads continue to run even if one region experiences an outage. Multi-region deployment improves load distribution across regions, potentially enhancing performance for users located in different geographical areas. For more information, see Failover for business continuity and disaster recovery.",
+ "service": "Azure Machine Learning",
+ "text": "Multi-region model deployment: For enhanced reliability and availability, consider a multi-region deployment environment when possible.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Model checkpointing periodically saves the state of your machine learning model during training, so that it can be restored in case of interruption, failure, or termination. For more information, see Boost checkpoint speed and reduce cost with Nebula.",
+ "service": "Azure Machine Learning",
+ "text": "Model training resiliency: Use checkpointing features supported by Machine Learning including Azure Container for PyTorch, the TensorFlow Estimator class, or the Run object and the FileDataset class that support model checkpointing.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Low-priority virtual machines come at a reduced price but are preemptible. Clusters that use the Dedicated virtual machine tier aren't preempted.",
+ "service": "Azure Machine Learning",
+ "text": "Use the Dedicated virtual machine tier for compute clusters: Use the Dedicated virtual machine tier for compute clusters for batch inferencing to ensure your batch job isn't preempted.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Availability: Reduce the attack surface of the Machine Learning workspace by restricting access to the workspace to resources within the virtual network.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Confidentiality: Guard against data exfiltration from the Machine Learning workspace by implementing network isolation. Ensure access to all external resources is explicitly approved and access to all other external resources isn't permitted.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Integrity: Implement access controls that authenticate and authorize the Machine Learning workspace for external resources based on the least privilege principle.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Integrity: Implement use case segregation for Machine Learning workspaces by setting up workspaces based on specific use cases or projects. This approach adheres to the principle of least privilege by ensuring that workspaces are only accessible to individuals that require access to data and experimentation assets for the use case or project.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Integrity: Regulate access to foundational models. Ensure only approved registries have access to models in the model registry.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Integrity: Regulate access to approved container registries. Ensure Machine Learning compute can only access approved registries.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Integrity: Regulate the Python packages that can be run on Machine Learning compute. Regulating the Python packages ensures only trusted packages are run.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Integrity: Require code used for training in Machine Learning compute environments to be signed. Requiring code signing ensures that the code running is from a trusted source and hasn't been tampered with.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Confidentiality: Adhere to the principle of least privilege for role-based access control (RBAC) to the Machine Learning workspace and related resources, such as the workspace storage account, to ensure individuals have only the necessary permissions for their role, thereby minimizing potential security risks.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Integrity: Establish trust and verified access by implementing encryption for data at rest and data in transit.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The security baseline provides tailored guidance on crucial security aspects such as network security, identity management, data protection, and privileged access. For optimal security, use Microsoft Defender for Cloud to monitor these aspects.",
+ "service": "Azure Machine Learning",
+ "text": "Security baseline: To enhance the security and compliance of your Machine Learning Service, apply the Azure security baseline for Machine Learning.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Managed virtual network isolation enhances security by isolating your workspace from other networks, reducing the risk of unauthorized access. In a scenario in which a breach occurs in another network within your organization, the isolated network of your Machine Learning workspace remains unaffected, protecting your machine learning workloads.",
+ "service": "Azure Machine Learning",
+ "text": "Managed virtual network isolation: Configure managed virtual network isolation for Machine Learning. When you enable managed virtual network isolation, a managed virtual network is created for the workspace. Managed compute resources you create for the workspace automatically use this managed virtual network. If you can't implement managed virtual network isolation, then you must follow the network topology recommendations to separate compute into a dedicated subnet away from the rest of the resources in the solution, including the private endpoints for workspace resources.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Machine Learning network isolation enhances security by ensuring that access to your workspace is secure and controlled. With a private endpoint configured for your workspace, you can then limit access to your workspace to only occur over the private IP addresses.",
+ "service": "Azure Machine Learning",
+ "text": "Machine Learning network isolation: Configure a private endpoint for your Machine Learning workspace and connect to the workspace over that private endpoint.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "This configuration minimizes the risk of data exfiltration, improving data security. With this configuration enabled, a malicious actor who gains access to your system can’t send your data to an unapproved external destination.",
+ "service": "Azure Machine Learning",
+ "text": "Allow only approved outbound access: Configure the outbound mode on the Machine Learning workspace managed outbound access to `Allow only approved outbound` to minimize the risk of data exfiltration. Configure private endpoints, service tags, or fully qualified domain names (FQDNs) for resources that you need to access.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Network isolation bolsters security by restricting access to Azure platform as a service (PaaS) solutions to private IP addresses only.",
+ "service": "Azure Machine Learning",
+ "text": "Virtual network isolation for dependent services: Configure dependent services, such as Storage, Key Vault, and Container Registry with private endpoints and disable public access.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Managed identities improve security by eliminating the need to store credentials and manually manage and rotate service principals.",
+ "service": "Azure Machine Learning",
+ "text": "Managed identity: Use managed identities for authentication between Machine Learning and other services.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Disabling local authentication increases the security of your Machine Learning compute and provides centralized control and management of identities and resource credentials.",
+ "service": "Azure Machine Learning",
+ "text": "Disable local authentication: Disable local authentication for Machine Learning compute clusters and instances.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Disabling SSH access helps prevent unauthorized individuals from gaining access and potentially causing harm to your system and protects you against brute force attacks.",
+ "service": "Azure Machine Learning",
+ "text": "Disable the public SSH port: Ensure the public Secure Shell (SSH) port is closed on the Machine Learning compute cluster by setting `remoteLoginPortPublicAccess` to `Disabled`. Apply a similar configuration if you use a different compute.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Refrain from provisioning public IP addresses to enhance security by limiting the potential for unauthorized access to your compute instance or clusters.",
+ "service": "Azure Machine Learning",
+ "text": "Don't provision public IP addresses for Machine Learning compute: Set enableNodePublicIp to `false` when provisioning Machine Learning compute clusters or compute instances. Apply a similar configuration if you use a different compute.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Using the latest images ensures you're maintaining a consistent, stable, and secure environment, including ensuring you have the latest security patches.",
+ "service": "Azure Machine Learning",
+ "text": "Get the latest operating system image: Recreate compute instances to get the latest operating system image.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Strict workspace access controls enhance security by ensuring that individuals have only the necessary permissions for their role. A data scientist, for instance, might have access to run experiments but not to modify security settings, minimizing potential security risks.",
+ "service": "Azure Machine Learning",
+ "text": "Strict Machine Learning workspace access controls: Use Microsoft Entra ID groups to manage workspace access and adhere to the principle of least privilege for RBAC.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Restricting the deployments from the model catalog to specific registries ensures you only deploy models to approved registries. This approach helps regulate access to the open-source foundational models.",
+ "service": "Azure Machine Learning",
+ "text": "Restrict model catalog deployments: Restrict model deployments to specific registries.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Encrypting data at rest enhances data security by ensuring that sensitive data is encrypted by using keys directly managed by you. If you have a regulatory requirement to manage your own encryption keys, use this feature to comply with that requirement.",
+ "service": "Azure Machine Learning",
+ "text": "Encrypt data at rest: Consider using customer-managed keys with Machine Learning.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Minimize the risk of data exfiltration by limiting inbound and outbound requirements.",
+ "service": "Azure Machine Learning",
+ "text": "Minimize the risk of data exfiltration: Implement data exfiltration prevention. For example, create a service endpoint policy to filter egress virtual network traffic and permit data exfiltration only to specific Azure Storage accounts.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Usage optimization: Choose the appropriate resources to ensure that they align with your workload requirements. For example, choose between CPUs or GPUs, various SKUs, or low versus regular-priority VMs.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Usage optimization: Ensure compute resources that aren't being used are scaled down or shut down when idle to reduce waste.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Usage optimization: Apply policies and configure quotas to comply with the design's upper and lower limits.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Usage optimization: Test parallelizing training workloads to determine if training requirements can be met on lower cost SKUs.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Rate optimization: Purchase Azure Reserved Virtual Machine Instances if you have a good estimate of usage over the next one to three years.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Monitor and optimize: Monitor your resource usage such as CPU and GPU usage when training models. If the resources aren't being fully used, modify your code to better use resources or scale down to smaller or cheaper VM sizes.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "Selecting the right compute is critical as it directly impacts the cost of running your workload. Choosing a GPU or a high-performance SKU without proper usage can lead to wasteful spending, while choosing undersized compute can lead to prohibitively long training times and performance problems.",
+ "service": "Azure Machine Learning",
+ "text": "Optimize compute resources: Optimize your compute resources based on the requirements of your workload. Choose the SKU that best suits your workload:- General Purpose – Balanced CPU to memory ratio, good for all purposes.
- Compute Optimized – High CPU to memory ratio, good for math-heavy computations.
- Memory Optimized – High memory to CPU, good for in-memory computations or database applications.
- M Series – Very large machines that have huge amounts of memory and CPU.
- GPU – Better for models with a high number of variables that can benefit from higher parallelism and specialized core instructions. Typical applications are deep learning, image or video processing, scientific simulations, data mining, and taking advantage of GPU development frameworks. Test with multiple families and document the results as your baseline. As your model and data evolve, the most adequate compute resource might change. Monitor execution times and reevaluate as needed.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Configure autoscaling for compute clusters to scale down when their usage is low. Set the minimum number of nodes to 0 for training clusters to scale down to 0 when not in use.",
+ "service": "Azure Machine Learning",
+ "text": "Optimize compute scaling: Configure your compute clusters for autoscaling to ensure you only use what you need.For training clusters, set the minimum number of nodes to 0 and configure the amount of time the node is idle to an appropriate time. For less iterative experimentation, reduce the time to save costs. For more iterative experimentation, use a higher time to prevent paying for scaling up or down after each change.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Setting termination policies can help you save costs by stopping nonperforming runs early.",
+ "service": "Azure Machine Learning",
+ "text": "Set training termination policies: Set early termination policies to limit the duration of training runs or terminate them early.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Low-priority virtual machines enable a large amount of compute power to be used for a low cost. They take advantage of surplus capacity in Azure.",
+ "service": "Azure Machine Learning",
+ "text": "Use low-priority virtual machines for batch workloads: Consider using low-priority virtual machines for batch workloads that aren't time-sensitive and in which interruptions are recoverable.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "By default, compute instances are available to you, accruing cost. Configuring compute instances to shut down when idle or configuring a schedule for them saves cost when they aren't in use.",
+ "service": "Azure Machine Learning",
+ "text": "Enable idle shutdown for compute instances: Enable idle shutdown for compute instances or schedule a start and stop time if usage time is known.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Parallel workloads can be run on multiple smaller instances, potentially yielding cost savings.",
+ "service": "Azure Machine Learning",
+ "text": "Parallelize training workloads: Consider parallelizing training workloads. Test running them with the help of the parallel components in Machine Learning.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Purchase Azure Reserved VM Instances to prepay for virtual machine usage and provide discounts with pay-as-you-go pricing. The discount is automatically applied for virtual machine usage that matches the reservation.",
+ "service": "Azure Machine Learning",
+ "text": "Azure Reserved VM Instances: Purchase Azure Reserved VM Instances if you have a good estimate of usage over the next one to three years. Take advantage of reserved capacity options for services when you have good estimates of usage.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Development standards: Take advantage of Machine Learning model catalogs and registries to store, version, and share machine learning assets.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Automate for efficiency: Follow good machine learning operations (MLOps) practices. When possible, build end-to-end automated pipelines for data preparation, training, and scoring processes. In development, use scripts instead of notebooks for training models, as scripts are easier to integrate into automated pipelines.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Deploy with confidence: Implement infrastructure as code (IaC) for Machine Learning workspaces, compute clusters, compute instances, and other deployment environments.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Observability: Monitor the performance of your deployed models including data drift.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Observability: If your models are deployed to online endpoints, enable Application Insights to monitor online endpoints and deployments. Monitor training infrastructure to ensure you're meeting your baseline requirements.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Simplicity: Use curated environments optimized for Machine Learning, when available.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "Limiting the number of workspaces reduces the maintenance effort and cost of operation. For requirements, such as security, you might need multiple separate workspaces. Minimize the number of workspaces when possible.",
+ "service": "Azure Machine Learning",
+ "text": "Minimize Machine Learning workspace instances: Minimize the number of workspaces, when possible, to reduce maintenance.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Use Machine Learning model registries to store and version your machine learning models to track changes and maintain lineage with the job and datasets used for training. With Machine Learning model catalogs, your data science teams can discover, evaluate, and fine tune pretrained foundational machine learning models. Storing versioned models in Machine Learning model registries supports deployment strategies such as A/B releases, canary releases, and rollbacks.",
+ "service": "Azure Machine Learning",
+ "text": "Take advantage of model catalogs and registries: Take advantage of Machine Learning model catalogs and registries to store, version, and share machine learning assets.Use Machine Learning model catalogs to help you implement A/B testing and deployment of models.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Monitoring deployed models ensures your models meet the performance requirements.Monitoring data drift helps you detect changes in the input data that can lead to a decline in your model’s performance. Managing data drift helps you ensure that your model provides accurate results over time.",
+ "service": "Azure Machine Learning",
+ "text": "Monitor model performance: Monitor the performance of your deployed models, and detect data drift on datasets.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Monitoring endpoints gives you visibility into metrics such as request latency and requests per minute. You can compare your performance versus your baseline and use this information to make changes to compute resources accordingly. Monitoring metrics such as network bytes can alert you if you're approaching quota limits and prevent throttling.Likewise, monitoring your training environment provides you with the information to make changes to your training environment. Use that information to decide to scale in or out, scale up or down with different performant SKUs, or choose between CPUs or GPUs.",
+ "service": "Azure Machine Learning",
+ "text": "Monitor infrastructure: If your models are deployed to online endpoints, enable Application Insights to monitor online endpoints and deployments.Monitor training infrastructure to ensure you're meeting your baseline requirements.Ensure you're collecting resource logs for Machine Learning.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Curated environments are pre-created environments provided by Machine Learning that speed up deployment time and reduce deployment and training latency. Using curated environments improves training and deployment success rates and avoids unnecessary image builds. Curated environments, such as Azure Container for PyTorch, can also be optimized for training large models on Machine Learning.",
+ "service": "Azure Machine Learning",
+ "text": "Curate model training environments: Use curated environments optimized for Machine Learning, when available.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Performance targets: Determine the acceptable training time and retrain frequency for your model. Setting a clear target for training time, along with testing, helps you determine the compute resources, CPU versus GPU, and CPU SKUs required to meet the training time goal.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Performance targets: Define the acceptable performance targets for your deployed models including response time, requests per second, error rate, and uptime. Performance targets act as a benchmark for your deployed model's efficiency. Targets can help you make CPU versus GPU determinations, CPU SKU choices, and scaling requirements.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Meet capacity requirements: Choose the right compute resources for model training.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Meet capacity requirements: Choose the right compute resources for model deployments.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Meet capacity requirements: Choose deployment environments with autoscaling capabilities to add and remove capacity as demand fluctuates.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Achieve and sustain performance: Continuously monitor the performance of your deployed models, review results, and take appropriate actions.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Machine Learning",
+ "text": "Achieve and sustain performance: Continuously monitor the performance of your infrastructure of deployed models, review results, and take appropriate actions. Monitor training infrastructure to ensure you're meeting your requirements for training time.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "Selecting the right compute is critical as it directly impacts the training time. Choosing the right SKU and CPU versus GPU ensures your model training can meet your requirements and performance targets. Choosing a low-performance SKU that's overused can lead to prohibitively long training times and performance problems. Compute clusters provide the ability to improve performance by scaling out workloads that support horizontal scaling. This method provides flexibility for handling workloads with different demands and lets you add or remove machines as needed.",
+ "service": "Azure Machine Learning",
+ "text": "Select appropriate compute services for model training: Consider Machine Learning compute clusters over compute instances for model training if you require autoscaling.Optimize your compute resources based on the training requirements. First choose between CPUs and GPUs. Default to CPUs, but consider GPUs for workloads such as deep learning, image or video processing, or large amounts of data. Next, choose the image SKU that best suits your workload.Use testing to choose the compute option that optimizes cost against training time when determining your baseline.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Autoscaling adjusts the number of instances of the deployed model to match demand.",
+ "service": "Azure Machine Learning",
+ "text": "Model deployment environment scaling: Use the deployment environment’s autoscale capabilities. For AKS deployment environments, use the cluster autoscaler to scale to meet demand. For online endpoints, automatically scale via integration with the Azure Monitor autoscale feature.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Tracking the performance of models in production alerts you to potential problems such as data drift, prediction drift, data quality, and feature attribution drift.Monitoring data drift helps you detect changes in the input data that can lead to a decline in your model’s performance. Managing data drift helps you ensure that your model provides accurate results over time.",
+ "service": "Azure Machine Learning",
+ "text": "Monitor model performance: Monitor the performance of your deployed models.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Monitoring endpoints gives you visibility into metrics such as request latency and requests per minute. You can compare your performance versus your baseline and use this information to make changes to compute resources accordingly. Monitoring metrics such as network bytes can alert you if you're approaching quota limits and prevent throttling.Likewise, monitoring your training environment provides you with the information to make changes to your training environment. Use that information to decide to scale in or out, scale up or down with different performant SKUs, or choose between CPUs or GPUs.",
+ "service": "Azure Machine Learning",
+ "text": "Monitor infrastructure: Monitor online endpoints and integrate with Monitor to track and monitor the appropriate metrics and logs. Enable Application Insights when creating online deployments.Monitor training infrastructure and review resource usage such as memory and CPU or GPU usage when training models to ensure you're meeting your baseline requirements.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Resiliency: Choose the appropriate deployment option of either pay-as-you-go or provisioned throughput based on your use case. Because reserved capacity increases resiliency, choose provisioned throughput for production solutions. The pay-as-you-go approach is ideal for dev/test environments.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Redundancy: Add the appropriate gateways in front of your Azure OpenAI deployments. The gateway must have the capability to withstand transient failures like throttling and also route to multiple Azure OpenAI instances. Consider routing to instances in different regions to build regional redundancy.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Resiliency: If you're using provisioned throughput, consider also deploying a pay-as-you-go instance to handle overflow. You can route calls to the pay-as-you-go instance via your gateway when your provisioned throughput model is throttled. You can also use monitoring to predict when the model will be throttled and preemptively route calls to the pay-as-you-go instance.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Resiliency: Monitor capacity usage to ensure you aren't exceeding throughput limits. Regularly review capacity usage to achieve more accurate forecasting and help prevent service interruptions due to capacity constraints.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Resiliency: Follow the guidance for large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Recovery: Define a recovery strategy that includes a recovery plan for models that are fine-tuned and for training data uploaded to Azure OpenAI. Because Azure OpenAI doesn't have automatic failover, you must design a strategy that encompasses the entire service and all dependencies, such as storage that contains training data.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "This important throughput information provides information required to ensure that you assign enough TPM from your quota to meet the demand for your deployments.Assigning enough quota prevents throttling of calls to your deployed models.",
+ "service": "Azure Openai",
+ "text": "Monitor rate limits for pay-as-you-go: If you're using the pay-as-you-go approach, manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM).",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "It's important to monitor provision-managed utilization to ensure it doesn't exceed 100%, to prevent throttling of calls to your deployed models.",
+ "service": "Azure Openai",
+ "text": "Monitor provision-managed utilization for provisioned throughput: If you're using the provisioned throughput payment model, monitor provision-managed utilization.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Content filters block prompts or completions based on an opaque risk analysis. Ensure content filters are tuned to allow expected usage for your workload.",
+ "service": "Azure Openai",
+ "text": "Tune content filters: Tune content filters to minimize false positives from overly aggressive filters.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Protect confidentiality: If you upload training data to Azure OpenAI, use customer-managed keys for data encryption, implement a key-rotation strategy, and delete training, validation, and training results data. If you use an external data store for training data, follow security best practices for that store. For example, for Azure Blob Storage, use customer-managed keys for encryption and implement a key-rotation strategy. Use managed identity-based access, implement a network perimeter by using private endpoints, and enable access logs.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Protect confidentiality: Guard against data exfiltration by limiting the outbound URLs that Azure OpenAI resources can access.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Protect integrity: Implement access controls to authenticate and authorize user access to the system by using the least-privilege principle and by using individual identities instead of keys.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Protect integrity: Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Protect availability: Use security controls to prevent attacks that might exhaust model usage quotas. You might configure controls to isolate the service on a network. If the service must be accessible from the internet, consider using a gateway to block suspected abuse by using routing or throttling.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Separating secrets from code by storing them in Key Vault reduces the chance of leaking secrets. Separation also facilitates central management of secrets, easing responsibilities like key rotation.",
+ "service": "Azure Openai",
+ "text": "Secure keys: If your architecture requires Azure OpenAI key-based authentication, store those keys in Azure Key Vault, not in application code.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Controlling access to Azure OpenAI helps prevent attacks from unauthorized users. Using private endpoints ensures network traffic remains private between the application and the platform.",
+ "service": "Azure Openai",
+ "text": "Restrict access: Disable public access to Azure OpenAI unless your workload requires it. Create private endpoints if you're connecting from consumers in an Azure virtual network.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Using Microsoft Entra ID centralizes the identity-management component and eliminates the use of API keys. Using RBAC with Microsoft Entra ID ensures that users or groups have exactly the permissions they need to do their job. This kind of fine-grained access control isn't possible with Azure OpenAI API keys.",
+ "service": "Azure Openai",
+ "text": "Microsoft Entra ID: Use Microsoft Entra ID for authentication and to authorize access to Azure OpenAI by using role-based access control (RBAC). Disable local authentication in Azure AI Services and set `disableLocalAuth` to `true`. Grant identities that perform completions or image generation the Cognitive Services OpenAI User role. Grant model automation pipelines and ad-hoc data-science access a role like Cognitive Services OpenAI Contributor.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Using customer-managed keys gives you greater flexibility to create, rotate, disable, and revoke access controls.",
+ "service": "Azure Openai",
+ "text": "Use customer-managed keys: Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Detect jailbreak attempts to identify and block prompts that try to bypass the safety mechanisms of your Azure OpenAI deployments.",
+ "service": "Azure Openai",
+ "text": "Protect against jailbreak attacks: Use Azure AI Content Safety Studio to detect jailbreak risks.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Cost management: Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Usage optimization: Start with pay-as-you-go pricing for Azure OpenAI until your token usage is predictable.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Rate optimization: When your token usage is sufficiently high and predictable over a period of time, use the provisioned throughput pricing model for better cost optimization.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Usage optimization: Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks. For more complex tasks like language translation or content understanding, consider using more advanced models. Consider different model capabilities and maximum token usage limits when you choose a model that's appropriate for use cases like text embedding, image generation, or transcription scenarios. By carefully selecting the model that best fits your needs, you can optimize costs while still achieving the desired application performance.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Usage optimization: Use the token-limiting constraints offered by the API calls, such as `max_tokens` and `n`, which indicate the number of completions to generate.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Usage optimization: Maximize Azure OpenAI price breakpoints, for example, fine-tuning and model breakpoints like image generation. Because fine-tuning is charged per hour, use as much time as you have available per hour to improve fine-tuning results while avoiding slipping into the next billing period. Similarly, the cost for generating 100 images is the same as the cost for 1 image. Maximize price breakpoints to your advantage.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Usage optimization: Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Adjust usage: Optimize prompt input and response length. Longer prompts raise costs by consuming more tokens. However, prompts that are missing sufficient context don't help the models yield good results. Create concise prompts that provide enough context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Cost efficiency: Batch requests where possible to minimize the per-call overhead, which can reduce overall costs. Ensure that you optimize batch size.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Cost efficiency: Because models have different fine-tuning costs, consider these costs if your solution requires fine-tuning.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Monitor and optimize: Set up a cost-tracking system that monitors model usage. Use that information to help inform model choices and prompt sizes.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "Using API features to restrict usage aligns service consumption with client needs. This saves money by ensuring the model doesn't generate an overly long response that consumes more tokens than necessary.",
+ "service": "Azure Openai",
+ "text": "Design client code to set limits: Your custom clients should use the limit features of the Azure OpenAI completions API, such as maximum limit on the number of tokens per model (`max_tokens`) or number of completions to generation (`n`). Setting limits ensures that the server doesn't produce more than the client needs.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Continuously monitoring TPM and RPM gives you relevant metrics to optimize the cost of Azure OpenAI models. You can couple this monitoring with model features and model pricing to optimize model usage. You can also use this monitoring to optimize prompt sizes.",
+ "service": "Azure Openai",
+ "text": "Monitor pay-as-you-go usage: If you use the pay-as-you-go approach, monitor usage of TPM and RPM. Use that information to inform architectural design decisions such as what models to use, and to optimize prompt sizes.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Continuously monitoring provision-managed utilization gives you the information you need to understand if you're underutilizing your provisioned throughput.",
+ "service": "Azure Openai",
+ "text": "Monitor provisioned throughput usage: If you use provisioned throughput, monitor provision-managed utilization to ensure you're not underutilizing the provisioned throughput you purchased.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Cost monitoring, setting budgets, and setting alerts provides governance with the appropriate accountability processes.",
+ "service": "Azure Openai",
+ "text": "Cost management: Use cost management features with OpenAI to monitor costs, set budgets to manage costs, and create alerts to notify stakeholders of risks or anomalies.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Azure DevOps culture: Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production. Ensure that you have environments to support continuous learning and experimentation throughout the development cycle.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Observability: Monitor, aggregate, and visualize appropriate metrics.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Observability: If Azure OpenAI diagnostics are insufficient for your needs, consider using a gateway like Azure API Management in front of Azure OpenAI to log both incoming prompts and outgoing responses where permitted. This information can help you understand the effectiveness of the model for incoming prompts.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Deploy with confidence: Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Deploy with confidence: Follow large language model operations (LLMOps) practices to operationalize the management of your Azure OpenAI LLMs, including deployment, fine-tuning, and prompt engineering.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Automate for efficiency: If you use key-based authentication, implement an automated key-rotation strategy.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "Diagnostics collects and analyzes metrics and logs, helping you monitor the availability, performance, and operation of Azure OpenAI.",
+ "service": "Azure Openai",
+ "text": "Enable and configure Azure Diagnostics: Enable and configure Diagnostics for the Azure OpenAI Service.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Capacity: Estimate consumers' elasticity demands. Identify high-priority traffic that requires synchronous responses and low-priority traffic that can be asynchronous and batched.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Capacity: Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you're using provisioned throughput unit (PTU) deployments.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Capacity: Use provisioned throughput for production workloads. Provisioned throughput offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version. The pay-as-you-go offering can suffer from noisy neighbor problems like increased latency and throttling in regions under heavy use. Also, the pay-as-you-go approach doesn't offer guaranteed capacity.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Capacity: Add the appropriate gateways in front of your Azure OpenAI deployments. Ensure that the gateway can route to multiple instances in the same or different regions.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Capacity: Allocate PTUs to cover your predicted usage, and complement these PTUs with a TPM deployment to handle elasticity above that limit. This approach combines base throughput with elastic throughput for efficiency. Like other considerations, this approach requires a custom gateway implementation to route requests to the TPM deployment when the PTU limits are reached.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Capacity: Send high-priority requests synchronously. Queue low-priority requests and send them through in batches when demand is low.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Capacity: Select a model that aligns with your performance requirements, considering the tradeoff between speed and output complexity. Model performance can vary significantly based on the chosen model type. Models designed for speed offer faster response times, which can be beneficial for applications that require quick interactions. Conversely, more sophisticated models might deliver higher-quality outputs at the expense of increased response time.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Achieve performance: For applications like chatbots or conversational interfaces, consider implementing streaming. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner, improving the user experience.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Achieve performance: Determine when to use fine-tuning before you commit to fine-tuning. Although there are good use cases for fine-tuning, such as when the information needed to steer the model is too long or complex to fit into the prompt, make sure that prompt engineering and retrieval-augmented generation (RAG) approaches don't work or are demonstrably more expensive.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Azure Openai",
+ "text": "Achieve performance: Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Review Virtual Machines quotas and limits that might pose design restrictions. VMs have specific limits and quotas, which vary based on the type of VM or the region. There might be subscription restrictions, such as the number of VMs per subscription or the number of cores per VM. If other workloads share your subscription, then your ability to consume data might be reduced.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Conduct a failure mode analysis to minimize points of failure by analyzing VM interactions with the network and storage components. Choose configurations like ephemeral operating system (OS) disks to localize disk access and avoid network hops. Add a load balancer to enhance self-preservation by distributing network traffic across multiple VMs, which improves availability and reliability.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Calculate your composite service-level objectives (SLOs) based on Azure service-level agreements (SLAs). Ensure that your SLO isn't higher than the Azure SLAs to avoid unrealistic expectations and potential issues.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Create state isolation. Workload data should be on a separate data disk to prevent interference with the OS disk. If a VM fails, you can create a new OS disk with the same data disk, which ensures resilience and fault isolation. For more information, see Ephemeral OS disks.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Make VMs and their dependencies redundant across zones. If a VM fails, the workload should continue to function because of redundancy. Include dependencies in your redundancy choices. For example, use the built-in redundancy options that are available with disks. Use zone-redundant IPs to ensure data availability and high uptime.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Be ready to scale up and scale out to prevent service level degradation and to avoid failures. Virtual Machine Scale Sets have autoscale capabilities that create new instances as required and distribute the load across multiple VMs and availability zones.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Explore the automatic recovery options. Azure supports health degradation monitoring and self-healing features for VMs. For example, scale sets provide automatic instance repairs. In more advanced scenarios, self-healing involves using Azure Site Recovery, having a passive standby to fail over to, or redeploying from infrastructure as code (IaC). The method that you choose should align with the business requirements and your organizational operations. For more information, see VM service disruptions.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Rightsize the VMs and their dependencies. Understand your VM's expected work to ensure it's not undersized and can handle the maximum load. Have extra capacity to mitigate failures.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Create a comprehensive disaster recovery plan. Disaster preparedness involves creating a comprehensive plan and deciding on a technology for recovery.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Run operations with rigor. Reliability design choices must be supported by effective operations based on the principles of monitoring, resiliency testing in production, automated application VM patches and upgrades, and consistency of deployments. For operational guidance, see Operational Excellence.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Future-proof your application for scaling and take advantage of the high availability guarantees that spread VMs across fault domains in a region or an availability zone.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Use Virtual Machine Scale Sets in Flexible orchestration mode to deploy VMs.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Maintain availability even if an instance is deemed unhealthy. Automatic repairs initiate recovery by replacing the faulty instance. Setting a time window can prevent inadvertent or premature repair operations.",
+ "service": "Virtual Machines",
+ "text": "(VMs) Implement heath endpoints that emit instance health statuses on VMs. (Scale set) Enable automatic repairs on the scale set by specifying the preferred repair action. Consider setting a time frame during which automatic repairs pause if the VM's state changes.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Overprovisioning reduces deployment times and has a cost benefit because the extra VMs aren't billed.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Enable overprovisioning on scale sets.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "This option isolates fault domains. During maintenance periods, when one fault domain is updated, VM instances are available in the other fault domains.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Allow Flexible orchestration to spread the VM instances across as many fault domains as possible.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The VM instances are provisioned in physically separate locations within each Azure region that are tolerant to local failures. Keep in mind that, depending on resource availability, there might be an uneven number of instances across zones. Zone balancing supports availability by making sure that, if one zone is down, the other zones have sufficient instances. Two instances in each zone provide a buffer during upgrades.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Deploy across availability zones on scale sets. Set up at least two instances in each zone. Zone balancing equally spreads the instances across zones.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Capacity is reserved for your use and is available within the scope of the applicable SLAs. You can delete capacity reservations when you no longer need them, and billing is consumption based.",
+ "service": "Virtual Machines",
+ "text": "(VMs) Take advantage of the capacity reservations feature.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Review the security baselines for Linux and Windows VMs and Virtual Machine Scale Sets.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Ensure timely and automated security patching and upgrades. Make sure updates are automatically rolled out and validated by using a well-defined process. Use a solution like Azure Automation to manage OS updates and maintain security compliance by making critical updates.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Identify the VMs that hold state. Make sure that data is classified according to the sensitivity labels that your organization provided. Protect data by using security controls like appropriate levels of at-rest and in-transit encryption. If you have high sensitivity requirements, consider using high-security controls like double encryption and Azure confidential computing to protect data-in-use.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Provide segmentation to the VMs and scale sets by setting network boundaries and access controls. Place VMs in resource groups that share the same lifecycle.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Apply access controls to the identities that try to reach the VMs and also to the VMs that reach other resources. Use Microsoft Entra ID for authentication and authorization needs. Put strong passwords, multifactor authentication, and role-based access control (RBAC) in place for your VMs and their dependencies, like secrets, to permit allowed identities to perform only the operations that are expected of their roles.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Use network controls to restrict ingress and egress traffic. Isolate VMs and scale sets in Azure Virtual Network and define network security groups to filter traffic. Protect against distributed denial of service (DDoS) attacks. Use load balancers and firewall rules to protect against malicious traffic and data exfiltration attacks.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Reduce the attack surface by hardening OS images and removing unused components. Use smaller images and remove binaries that aren't required to run the workload. Tighten the VM configurations by removing features, like default accounts and ports, that you don't need.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Protect secrets such as the certificates that you need to protect data in transit. Consider using the Azure Key Vault extension for Windows or Linux that automatically refreshes the certificates stored in a key vault. When it detects a change in the certificates, the extension retrieves and installs the corresponding certificates.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Threat detection. Monitor VMs for threats and misconfigurations. Use Defender for Servers to capture VM and OS changes, and maintain an audit trail of access, new accounts, and changes in permissions.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Threat prevention. Protect against malware attacks and malicious actors by implementing security controls like firewalls, antivirus software, and intrusion detection systems. Determine if a Trusted Execution Environment (TEE) is required.",
+ "type": "checklist",
+ "waf": "Reliability"
+ },
+ {
+ "description": "When VMs communicate with other resources, they cross a trust boundary. Scale sets and VMs should authenticate their identity before communication is allowed. Microsoft Entra ID handles that authentication by using managed identities.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Assign a managed identity to scale sets. All VMs in the scale set get the same identity through the specified VM profile. (VMs) You can also assign a managed identity to individual VMs when you create them and then add it to a scale set if needed.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Azure-provided features are based on signals that are captured across many tenants and can protect resources better than custom controls. You can also use policies to enforce those controls.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Choose VM SKUs with security features. For example, some SKUs support BitLocker encryption, and confidential computing provides encryption of data-in-use. Review the features to understand the limitations.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Tagging is a common way to segment and organize resources and can be crucial during incident management. For more information, see Purpose of naming and tagging.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Apply organization-recommended tags in the provisioned resources.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The features in the security profile are automatically enabled when the VM is created. For more information, see Azure security baseline for Virtual Machine Scale Sets.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Set a security profile with the security features that you want to enable in the VM configuration. For example, when you specify encryption at host in the profile, the data that's stored on the VM host is encrypted at rest and flows are encrypted to the storage service.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "You can set segmentation controls in the networking profile. Attackers scan public IP addresses, which makes VMs vulnerable to threats.",
+ "service": "Virtual Machines",
+ "text": "(VMs) Choose secure networking options for your VM's network profile. Don't directly associate public IP addresses to your VMs and don't enable IP forwarding. Ensure that all virtual network interfaces have an associated network security group.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "Disabling public network access helps prevent unauthorized access to your data and resources.",
+ "service": "Virtual Machines",
+ "text": "(VMs) Choose secure storage options for your VM's storage profile. Enable disk encryption and data-at-rest encryption by default. Disable public network access to the VM disks.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "The extensions are used to bootstrap the VMs with the right software that protects access to and from the VMs. Microsoft-provided extensions are updated frequently to keep up with the evolving security standards.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Include extensions in your VMs that protect against threats. For example, - Key Vault extension for Windows and Linux - Microsoft Entra ID authentication - Microsoft Antimalware for Azure Cloud Services and Virtual Machines - Azure Disk Encryption extension for Windows and Linux.",
+ "type": "recommendation",
+ "waf": "Reliability"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Estimate realistic costs. Use the pricing calculator to estimate the costs of your VMs. Identify the best VM for your workload by using the VM selector. For more information, see Linux and Windows pricing.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Implement cost guardrails. Use governance policies to restrict resource types, configurations, and locations. Use RBAC to block actions that can lead to overspending.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Choose the right resources. Your selection of VM plan sizes and SKUs directly affect the overall cost. Choose VMs based on workload characteristics. Is the workload CPU intensive or does it run interruptible processes? Each SKU has associated disk options that affect the overall cost.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Choose the right capabilities for dependent resources. Save on backup storage costs for the vault-standard tier by using Azure Backup storage with reserved capacity. It offers a discount when you commit to a reservation for either one year or three years.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Choose the right billing model. Evaluate whether commitment-based models for computing optimize costs based on the business requirements of workload. Consider these Azure options:",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Monitor usage. Continuously monitor usage patterns and detect unused or underutilized VMs. For those instances, shut down VM instances when they're not in use. Monitoring is a key approach of Operational Excellence. For more information, see the recommendations in Operational Excellence.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Look for ways to optimize. Some strategies include choosing the most cost-effective approach between increasing resources in an existing system, or scaling up, and adding more instances of that system, or scaling out. You can offload demand by distributing it to other resources, or you can reduce demand by implementing priority queues, gateway offloading, buffering, and rate limiting. For more information, see the recommendations in Performance Efficiency.",
+ "type": "checklist",
+ "waf": "Cost"
+ },
+ {
+ "description": "SKUs are priced according to the capabilities that they offer. If you don't need advanced capabilities, don't overspend on SKUs. Spot virtual machines take advantage of the surplus capacity in Azure at a lower cost.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Choose the right VM plan size and SKU. Identify the best VM sizes for your workload. Use the VM selector to identify the best VM for your workload. See Windows and Linux pricing. For workloads like highly parallel batch processing jobs that can tolerate some interruptions, consider using Azure Spot Virtual Machines. Spot virtual machines are good for experimenting, developing, and testing large-scale solutions.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Some high-performance disk types offer extra cost optimization features and strategies. The Premium SSD v2 disk's adjustment capability can reduce costs because it provides high performance without overprovisioning, which could otherwise lead to underutilized resources.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Evaluate the disk options that are associated with your VM's SKUs. Determine your performance needs while keeping in mind your storage capacity needs and accounting for fluctuating workload patterns. For example, the Azure Premium SSD v2 disk allows you to granularly adjust your performance independent of the disk's size.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Reduce compute infrastructure costs by applying the deep discounts of spot virtual machines.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Mix regular VMs with spot virtual machines. Flexible orchestration lets you distribute spot virtual machines based on a specified percentage.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "Scaling in or stopping resources when they're not in use reduces the number of VMs running in the scale set, which saves costs. The Start/Stop feature is a low-cost automation option.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Reduce the number of VM instances when demand decreases. Set a scale-in policy based on criteria. Stop VMs during off-hours. You can use the Azure Automation Start/Stop feature and configure it according to your business needs.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "You can maximize your on-premises licenses while getting the benefits of the cloud.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Take advantage of license mobility by using Azure Hybrid Benefit. VMs have a licensing option that allows you to bring your own on-premises Windows Server OS licenses to Azure. Azure Hybrid Benefit also lets you bring certain Linux subscriptions to Azure.",
+ "type": "recommendation",
+ "waf": "Cost"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Monitor the VM instances. Collect logs and metrics from VM instances to monitor resource usage and measure the health of the instances. Some common metrics include CPU usage, number of requests, and input/output (I/O) latency. Set up Azure Monitor alerts to be notified about issues and to detect configuration changes in your environment.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Monitor the health of the VMs and their dependencies.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Create a maintenance plan that includes regular system patching as a part of routine operations. Include emergency processes that allow for immediate patch application. You can have custom processes to manage patching or partially delegate the task to Azure.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Automate processes for bootstrapping, running scripts, and configuring VMs. You can automate processes by using extensions or custom scripts. We recommend the following options:",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Have processes for installing automatic updates. Consider using Automatic VM guest patching for a timely rollout of critical patches and security patches. Use Azure Update Manager to manage OS updates for your Windows and Linux virtual machines in Azure.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Build a test environment that closely matches your production environment to test updates and changes before you deploy them to production. Have processes in place to test the security updates, performance baselines, and reliability faults. Take advantage of Azure Chaos Studio fault libraries to inject and simulate error conditions. For more information, see Azure Chaos Studio fault and action library.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Manage your quota. Plan what level of quota your workload requires and review that level regularly as the workload evolves. If you need to increase or decrease your quota, request those changes early.",
+ "type": "checklist",
+ "waf": "Operations"
+ },
+ {
+ "description": "Flexible orchestration can manage VM instances at scale. Handing individual VMs adds operational overhead. For example, when you delete VM instances, the associated disks and NICs are also automatically deleted. VM instances are spread across multiple fault domains so that update operations don't disrupt service.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Virtual Machine Scale Sets in Flexible orchestration mode can help simplify the deployment and management of your workload. For example, you can easily manage self-healing by using automatic repairs.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Security is the primary reason for upgrades. Security assurances for the instances shouldn't decay over time. Rolling upgrades are done in batches, which ensures all instances aren't down at the same time.",
+ "service": "Virtual Machines",
+ "text": "(Scale set) Keep your VMs up to date by setting an upgrade policy. We recommend rolling upgrades. However, if you need granular control, choose to upgrade manually. For Flexible orchestration, you can use Azure Update Manager.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "The VMs in the scale set are created and the specified apps are preinstalled, which makes management easier.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Automatically deploy VM applications from the Azure Compute Gallery by defining the applications in the profile.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Extensions can help simplify the software installation at scale without you having to manually install, configure, or upgrade it on each VM.",
+ "service": "Virtual Machines",
+ "text": "Install prebuilt software components as extensions as part of bootstrapping. Azure supports many extensions that can be used to configure, monitor, secure, and provide utility applications for your VMs. Enable automatic upgrades on extensions.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "Monitoring data is at the core of incident resolution. A comprehensive monitoring stack provides information about how the VMs are performing and their health. By continuously monitoring the instances, you can be ready for or prevent failures like performance overload and reliability issues.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Monitor and measure the health of the VM instances. Deploy the Monitor agent extension to your VMs to collect monitoring data from the guest OS with OS-specific data collection rules. Enable VM insights to monitor health and performance and to view trends from the collected data. Use boot diagnostics to get information as VMs boot. Boot diagnostics also diagnose boot failures.",
+ "type": "recommendation",
+ "waf": "Operations"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Define performance targets. Identify VM metrics to track and measure against performance indicators as response time, CPU utilization, and memory utilization, as well as workload metrics such as transactions per second, concurrent users, and availability and health.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Factor in the performance profile of VMs, scale sets, and disk configuration in your capacity planning. Each SKU has a different profile of memory and CPU and behaves differently depending on the type of workload. Conduct pilots and proofs of concept to understand performance behavior under the specific workload.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "VM performance tuning. Take advantage of performance optimization and enhancing features as required by the workload. For example, use locally attached Non-Volatile Memory Express (NVMe) for high performance use cases and accelerated networking, and use Premium SSD v2 for better performance and scalability.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Take the dependent services into account. Workload dependencies, like caching, network traffic, and content delivery networks, that interact with the VMs can affect performance. Also, consider geographical distribution, like zones and regions, which can add latency.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Collect performance data. Follow the Operational Excellence best practices for monitoring and deploy the appropriate extensions to view metrics that track against performance indicators.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "",
+ "service": "Virtual Machines",
+ "text": "Proximity placement groups. Use proximity placement groups in workloads where low latency is required to ensure that VMs are physically located close to each other.",
+ "type": "checklist",
+ "waf": "Performance"
+ },
+ {
+ "description": "Rightsizing your VMs is a fundamental decision that significantly affects the performance of your workload. Without the right set of VMs, you might experience performance issues and accrue unnecessary costs.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Choose SKUs for VMs that align with your capacity planning. Have a good understanding of your workload requirements, including the number of cores, memory, storage, and network bandwidth so that you can filter out unsuitable SKUs.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Proximity placement groups reduce the physical distance between Azure compute resources, which can improve performance and reduce network latency between stand-alone VMs, VMs in multiple availability sets, or VMs in multiple scale sets.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Deploy latency-sensitive workload VMs in proximity placement groups.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "Premium SSDs deliver high-performance and low-latency disk support VMs with I/O-intensive workloads. Premium SSD v2 doesn't require disk resizing, which enables high performance without excessive over-provisioning and minimizes the cost of unused capacity. When available on VM SKUs, locally attached NVMe or similar devices can offer high performance, especially for use cases that require high input/output operations per second (IOPS) and low latency.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Set the storage profile by analyzing the disk performance of existing workloads and the VM SKU. Use Premium SSDs for production VMs. Adjust the performance of disks with Premium SSD v2. Use locally attached NVMe devices.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "It enables single root I/O virtualization (SR-IOV) to a VM, which greatly improves its networking performance.",
+ "service": "Virtual Machines",
+ "text": "(VMs) Consider enabling accelerated networking.",
+ "type": "recommendation",
+ "waf": "Performance"
+ },
+ {
+ "description": "If your application demand increases, the load on the VM instances in your scale set increases. Autoscale rules ensure that you have enough resources to meet the demand.",
+ "service": "Virtual Machines",
+ "text": "(VMs, scale set) Set autoscale rules to increase or decrease the number of VM instances in your scale set based on demand.",
+ "type": "recommendation",
+ "waf": "Performance"
+ }
+ ],
+ "metadata": {
+ "name": "WAF checklist",
+ "timestamp": "July 01, 2024"
+ },
+ "severities": [
+ {
+ "name": "High"
+ },
+ {
+ "name": "Medium"
+ },
+ {
+ "name": "Low"
+ }
+ ],
+ "status": [
+ {
+ "description": "This check has not been looked at yet",
+ "name": "Not verified"
+ },
+ {
+ "description": "There is an action item associated to this check",
+ "name": "Open"
+ },
+ {
+ "description": "This check has been verified, and there are no further action items associated to it",
+ "name": "Fulfilled"
+ },
+ {
+ "description": "Recommendation understood, but not needed by current requirements",
+ "name": "Not required"
+ },
+ {
+ "description": "Not applicable for current design",
+ "name": "N/A"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/scripts/merge_waf_checklists.py b/scripts/merge_waf_checklists.py
index fe7a64002..7a225f289 100644
--- a/scripts/merge_waf_checklists.py
+++ b/scripts/merge_waf_checklists.py
@@ -10,27 +10,38 @@
import json
import argparse
import sys
-from sentence_transformers import SentenceTransformer, util
# Get input arguments
parser = argparse.ArgumentParser(description='Merge different WAF checklists and removes duplicates')
parser.add_argument('--review-checklist-file', dest='review_checklist_file', action='store',
- help='You need to supply the name of the JSON file with the review checklist to be merged')
+ help='You need to supply the name of the JSON file with the review checklist to be merged (default: None)')
parser.add_argument('--aprl-checklist-file', dest='aprl_checklist_file', action='store',
- help='You need to supply the name of the JSON file with the APRL checklist to be merged')
+ help='You need to supply the name of the JSON file with the APRL checklist to be merged (default: None)')
parser.add_argument('--sg-checklist-file', dest='sg_checklist_file', action='store',
- help='You need to supply the name of the JSON file with the Service Guide checklist to be merged')
+ help='You need to supply the name of the JSON file with the Service Guide checklist to be merged (default: None)')
+parser.add_argument('--output-file', dest='output_file', action='store',
+ help='The resulting checklist will be stored here (default: None)')
+parser.add_argument('--service-dictionary', dest='service_dictionary', action='store',
+ help='JSON file with dictionary to map services to standard names and to ARM services')
+parser.add_argument('--calculate-embeddings', dest='calculate_embeddings', action='store_true',
+ default=False,
+ help='Whether embeddings and reco mappings will be calculated (default: False)')
+parser.add_argument('--save-embeddings', dest='save_embeddings', action='store_true',
+ default=False,
+ help='Whether calculated embeddings will be stored in the provided files (default: False)')
parser.add_argument('--max-recos', dest='max_recos', action='store',
type=int, default=0,
- help='You can optionally define a maximum of recos to process. If 0 (default), no limit is set.')
-parser.add_argument('--save', dest='save', action='store_true',
- default=False,
- help='Whether results will be stored in the provided files (default: False)')
+ help='You can optionally define a maximum of recos to process for embeddings. If 0 (default), no limit is set.')
parser.add_argument('--verbose', dest='verbose', action='store_true',
default=False,
help='Run in verbose mode (default: False)')
args = parser.parse_args()
+# Only import module if we are going to use it
+if (args.calculate_embeddings):
+ from sentence_transformers import SentenceTransformer, util
+
+
# Function to load a checklist stored in a JSON file
def load_json_file(filename):
try:
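Review bot: The new guard `if (args.calculate_embeddings):` carries redundant parentheses; the rest of the script's new options are written without them, so `if args.calculate_embeddings:` keeps the style consistent. Because the import is conditional, `SentenceTransformer` and `util` are unbound whenever the flag is off, so every later use must stay under the same flag — a one-line comment on the import, `# NOTE: SentenceTransformer/util are only defined when --calculate-embeddings is set`, would make that invariant explicit to the next editor. The `--service-dictionary` help string is also the only one without a "(default: None)" suffix; aligning it with its siblings is a minor wording fix.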
@@ -83,6 +94,29 @@ def verify_checklist(checklist):
items_with_embeddings_count = len([x for x in checklist['items'] if 'embeddings' in x])
if (args.verbose): print('DEBUG: checklist analysis: {0} elements in total, {1} elements with "text" key, {2} elements with "embeddings" key.'.format(items_count, items_with_text_count, items_with_embeddings_count))
+# Get the standard service name from the service dictionary
+def get_standard_service_name(service_name, service_dictionary=None):
+ if service_name in service_dictionary:
+ return service_dictionary[service_name]['service']
+ else:
+ return service_name
+
+# Get the standard WAF pillar name (Title case)
+def get_standard_waf_pillar_name(waf_pillar_name):
+ if waf_pillar_name.lower() in ('reliability', 'resiliency'):
+ return 'Reliability'
+ elif waf_pillar_name.lower() in ('cost', 'cost optimization', 'cost efficiency'):
+ return 'Cost'
+ if waf_pillar_name.lower() in ('performance', 'scalability'):
+ return 'Performance'
+ if waf_pillar_name.lower() in ('operations', 'operational excellence'):
+ return 'Operations'
+ if waf_pillar_name.lower() in ('security'):
+ return 'Reliability'
+ else:
+ return waf_pillar_name.title()
+
+
###############
# Begin #
###############
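Review bot: `get_standard_waf_pillar_name` maps the `security` pillar to `'Reliability'`, and the test `waf_pillar_name.lower() in ('security')` is a substring check on a plain string rather than tuple membership, so any value that is a substring of "security" (e.g. "cur") also hits that branch; the generated checklist above shows the effect, with security items such as the baseline/patching/threat-detection entries tagged `"waf": "Reliability"`, which hides them from the Security pillar view. The branch should read `elif waf_pillar_name.lower() == 'security':` followed by `return 'Security'`. In `get_standard_service_name`, the `service_dictionary=None` default raises `TypeError` on `service_name in service_dictionary` when no dictionary is passed; guard it with `if service_dictionary and service_name in service_dictionary:`. Both functions would also benefit from a one-line docstring stating the normalization they perform.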
@@ -92,55 +126,78 @@ def verify_checklist(checklist):
aprl_checklist = load_json_file(args.aprl_checklist_file)
sg_checklist = load_json_file(args.sg_checklist_file)
-# Verify that we have all we need
-verify_checklist(review_checklist)
-verify_checklist(aprl_checklist)
-verify_checklist(sg_checklist)
-
-# Calculate the embeddings for each reco
-model = SentenceTransformer('distilbert-base-nli-mean-tokens')
-# model = SentenceTransformer("all-MiniLM-L6-v2")
-review_checklist = calculate_embeddings(review_checklist, model)
-aprl_checklist = calculate_embeddings(aprl_checklist, model)
-sg_checklist = calculate_embeddings(sg_checklist, model)
-
-# Verify that we have all we need
-verify_checklist(review_checklist)
-verify_checklist(aprl_checklist)
-verify_checklist(sg_checklist)
-
-# For every reco of the WAF service guide checklist, try to find the one in the others which is closest
-sg_reco_count = 0
-for sg_reco in sg_checklist['items']:
- # It would be more efficient only running the distance algorithm in the recos matching service and WAF pillar,
- # but especially the service might not match ('Azure Kubernetes Service' vs 'AKS', 'Reliability' vs 'Resiliency', etc)
- sg_reco_count += 1
- if (sg_reco_count <= args.max_recos) or (args.max_recos == 0):
- if 'embeddings' in sg_reco:
- min_distance = 100
- matching_reco = None
- for review_reco in review_checklist['items']:
- if 'embeddings' in review_reco:
- this_distance = util.pytorch_cos_sim(sg_reco['embeddings'], review_reco['embeddings'])
- if this_distance < min_distance:
- min_distance = this_distance
- matching_reco = review_reco
- else:
- print('ERROR: Embeddings missing from review reco')
- if min_distance < 0.05:
- if (args.verbose):
- print('DEBUG: Match with distance {0}'.format(min_distance))
- print('DEBUG: SG reco : {0}'.format(sg_reco['text']))
- print('DEBUG: Review reco: {0}'.format(matching_reco['text']))
+# Calculate the embeddings for each reco and the closest reco in another checklist
+if args.calculate_embeddings:
+ model = SentenceTransformer('distilbert-base-nli-mean-tokens')
+ # model = SentenceTransformer("all-MiniLM-L6-v2")
+ review_checklist = calculate_embeddings(review_checklist, model)
+ aprl_checklist = calculate_embeddings(aprl_checklist, model)
+ sg_checklist = calculate_embeddings(sg_checklist, model)
+
+ # Verify that we have all we need
+ verify_checklist(review_checklist)
+ verify_checklist(aprl_checklist)
+ verify_checklist(sg_checklist)
+
+ # For every reco of the WAF service guide checklist, try to find the one in the others which is closest
+ sg_reco_count = 0
+ for sg_reco in sg_checklist['items']:
+ # It would be more efficient only running the distance algorithm in the recos matching service and WAF pillar,
+ # but especially the service might not match ('Azure Kubernetes Service' vs 'AKS', 'Reliability' vs 'Resiliency', etc)
+ sg_reco_count += 1
+ if (sg_reco_count <= args.max_recos) or (args.max_recos == 0):
+ if 'embeddings' in sg_reco:
+ min_distance = 100
+ matching_reco = None
+ for review_reco in review_checklist['items']:
+ if 'embeddings' in review_reco:
+ this_distance = util.pytorch_cos_sim(sg_reco['embeddings'], review_reco['embeddings'])
+ if this_distance < min_distance:
+ min_distance = this_distance
+ matching_reco = review_reco
+ else:
+ print('ERROR: Embeddings missing from review reco')
+ if min_distance < 0.05:
+ if (args.verbose):
+ print('DEBUG: Match with distance {0}'.format(min_distance))
+ print('DEBUG: SG reco : {0}'.format(sg_reco['text']))
+ print('DEBUG: Review reco: {0}'.format(matching_reco['text']))
+ else:
+ print('ERROR: Embeddings missing from SG reco')
else:
- print('ERROR: Embeddings missing from SG reco')
- else:
- break
-if (sg_reco_count > args.max_recos) and (args.max_recos > 0):
- if (args.verbose): print('DEBUG: maximum number of recos provided ({0}) reached'.format(args.max_recos))
+ break
+ if (sg_reco_count > args.max_recos) and (args.max_recos > 0):
+ if (args.verbose): print('DEBUG: maximum number of recos provided ({0}) reached'.format(args.max_recos))
+
+# Merge all three checklists in one
+full_checklist = review_checklist
+full_checklist['items'] += aprl_checklist['items']
+full_checklist['items'] += sg_checklist['items']
+# Standardize the service names with the service dictionary (if one provided)
+if args.service_dictionary:
+ service_dictionary = None
+ try:
+ with open(args.service_dictionary) as f:
+ service_dictionary = json.load(f)
+ if args.verbose:
+ print("DEBUG: service dictionary loaded successfully")
+ except Exception as e:
+ print("ERROR: Error when loading service dictionary from", args.service_dictionary, "-", str(e))
+ if service_dictionary:
+ for item in full_checklist['items']:
+ if 'service' in item:
+ item['service'] = get_standard_service_name(item['service'], service_dictionary=service_dictionary)
+# Standardize the WAF pillar names
+for item in full_checklist['items']:
+ if 'waf' in item:
+ item['waf'] = get_standard_waf_pillar_name(item['waf'])
+# If an output file was specified, save the resulting checklist
+if args.output_file:
+ dump_json_file(full_checklist, args.output_file)
+ if (args.verbose): print('DEBUG: Merged checklist with {0} elements saved to {1}'.format(len(full_checklist['items']), args.output_file))
# If we want to save the results so that we don't calculate again
-if args.save:
+if args.save_embeddings:
dump_json_file(review_checklist, args.review_checklist_file)
dump_json_file(aprl_checklist, args.aprl_checklist_file)
dump_json_file(sg_checklist, args.sg_checklist_file)
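Review bot: `full_checklist = review_checklist` at the top of the merge block aliases rather than copies, so the two `+=` lines append the APRL and SG items into `review_checklist['items']` itself; when the save-embeddings flag is set, the later `dump_json_file(review_checklist, args.review_checklist_file)` then overwrites the review checklist file with all three checklists merged, and the in-place service/WAF normalization is written back into the source files too. Build the merged document without mutating the inputs, e.g. `full_checklist = {**review_checklist, 'items': [dict(i) for i in review_checklist['items'] + aprl_checklist['items'] + sg_checklist['items']]}`, and drop the two `+=` lines. The service-dictionary load catches `Exception`, prints, and continues, so a bad path or malformed JSON silently produces an un-normalized merged file; exiting non-zero there, or at least saying so in the final DEBUG line, would make the failure visible to whoever consumes the output.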