From 689b1ef6fd436db6cf04d6f5536081ab5d0725df Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 31 May 2024 09:49:38 -0400
Subject: [PATCH 01/22] Remove AMMP
---
 checklists/alz_checklist.en.json | 55 --------------------------------
 1 file changed, 55 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index ba569af71..68ea23def 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -152,7 +152,6 @@
 "service": "Entra",
 "guid": "348ef254-c27d-442e-abba-c7571559ab91",
 "id": "B03.01",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
 "link": "https://learn.microsoft.com/azure/role-based-access-control/overview"
@@ -164,7 +163,6 @@
 "waf": "Security",
 "guid": "4348bf81-7573-4512-8f46-9061cc198fea",
 "id": "B03.02",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator"
@@ -177,7 +175,6 @@
 "service": "Entra",
 "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
 "id": "B03.02",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts"
@@ -214,7 +211,6 @@
 "service": "Entra",
 "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
 "id": "B03.05",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
 "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks"
@@ -294,7 +290,6 @@
 "service": "Entra",
 "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
 "id": "B03.12",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access"
@@ -373,7 +368,6 @@
 "waf": "Security",
 "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a",
 "id": "C01.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming"
 },
@@ -460,7 +454,6 @@
 "waf": "Security",
 "guid": "49b82111-2df2-47ee-912e-7f983f630472",
 "id": "C02.08",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
 },
@@ -481,7 +474,6 @@
 "waf": "Security",
 "guid": "c68e1d76-6673-413b-9f56-64b5e984a859",
 "id": "C02.10",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/",
 "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations"
@@ -493,7 +485,6 @@
 "waf": "Security",
 "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25",
 "id": "C02.11",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/monitor-usage-performance-availability-resources-azure-monitor/",
 "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity"
@@ -505,7 +496,6 @@
 "waf": "Security",
 "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40",
 "id": "C02.12",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/",
 "link": "https://learn.microsoft.com/azure/cost-management-billing/cost-management-billing-overview"
@@ -617,7 +607,6 @@
 "service": "VNet",
 "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
 "id": "D01.02",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute"
 },
@@ -723,7 +712,6 @@
 "service": "VNet",
 "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
 "id": "D01.10",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering"
@@ -759,7 +747,6 @@
 "service": "ExpressRoute",
 "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
 "id": "D03.01",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
@@ -785,7 +772,6 @@
 "service": "VNet",
 "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
 "id": "D03.03",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
@@ -799,7 +785,6 @@
 "service": "VNet",
 "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
 "id": "D03.04",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses"
@@ -847,7 +832,6 @@
 "service": "DNS",
 "guid": "614658d3-558f-4d77-849b-821112df27ee",
 "id": "D03.08",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration"
@@ -907,7 +891,6 @@
 "service": "WAF",
 "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
 "id": "D05.05",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
@@ -920,7 +903,6 @@
 "service": "VNet",
 "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
 "id": "D05.06",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures"
@@ -933,7 +915,6 @@
 "service": "VNet",
 "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
 "id": "D05.07",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access"
 },
@@ -945,7 +926,6 @@
 "service": "VNet",
 "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
 "id": "D05.08",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures"
@@ -996,7 +976,6 @@
 "service": "ExpressRoute",
 "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
 "id": "D06.04",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
 "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost"
@@ -1009,7 +988,6 @@
 "service": "ExpressRoute",
 "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
 "id": "D06.05",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local"
@@ -1084,7 +1062,6 @@
 "service": "ExpressRoute",
 "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
 "id": "D06.11",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about"
@@ -1157,7 +1134,6 @@
 "service": "ExpressRoute",
 "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
 "id": "D06.17",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))"
@@ -1170,7 +1146,6 @@
 "service": "ExpressRoute",
 "guid": "d581a947-69a2-4783-942e-9df3664324c8",
 "id": "D06.18",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections"
 },
@@ -1242,7 +1217,6 @@
 "service": "Firewall",
 "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
 "id": "D07.01",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/app-service/networking-features"
@@ -1279,7 +1253,6 @@
 "service": "Firewall",
 "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
 "id": "D07.04",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
 "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules"
@@ -1292,7 +1265,6 @@
 "service": "Firewall",
 "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
 "id": "D07.05",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
 "link": "https://learn.microsoft.com/azure/firewall/premium-features"
@@ -1305,7 +1277,6 @@
 "service": "Firewall",
 "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
 "id": "D07.06",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
 "link": "https://learn.microsoft.com/azure/firewall/premium-features"
@@ -1318,7 +1289,6 @@
 "service": "Firewall",
 "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
 "id": "D07.07",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
 "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps"
@@ -1331,7 +1301,6 @@
 "service": "Firewall",
 "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
 "id": "D07.08",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview"
@@ -1344,7 +1313,6 @@
 "service": "Firewall",
 "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
 "id": "D07.09",
- "ammp": true,
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs"
@@ -1357,7 +1325,6 @@
 "service": "Firewall",
 "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
 "id": "D07.10",
- "ammp": true,
 "severity": "Important",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy"
@@ -1370,7 +1337,6 @@
 "service": "Firewall",
 "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
 "id": "D07.11",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
 "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size"
@@ -1504,7 +1470,6 @@
 "service": "App Gateway",
 "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
 "id": "D07.22",
- "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
@@ -1565,7 +1530,6 @@
 "service": "ExpressRoute",
 "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
 "id": "D09.01",
- "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway"
@@ -1764,7 +1728,6 @@
 "service": "VWAN",
 "guid": "9c75dfef-573c-461c-a698-68598595581a",
 "id": "D10.10",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation"
 },
@@ -1776,7 +1739,6 @@
 "service": "Policy",
 "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
 "id": "E01.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview"
 },
@@ -2183,7 +2145,6 @@
 "service": "VM",
 "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
 "id": "F05.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview"
 },
@@ -2195,7 +2156,6 @@
 "service": "VM",
 "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
 "id": "F05.02",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/virtual-machines/availability"
 },
@@ -2218,7 +2178,6 @@
 "service": "WAF",
 "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
 "id": "F06.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs"
 },
@@ -2261,7 +2220,6 @@
 "service": "Key Vault",
 "guid": "5017f154-e3ab-4369-9829-e7e316183687",
 "id": "G02.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/key-vault/general/overview"
 },
@@ -2426,7 +2384,6 @@
 "service": "Defender",
 "guid": "09945bda-4333-44f2-9911-634182ba5275",
 "id": "G03.03",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management"
 },
@@ -2438,7 +2395,6 @@
 "service": "Defender",
 "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
 "id": "G03.04",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan"
 },
@@ -2450,7 +2406,6 @@
 "service": "Defender",
 "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
 "id": "G03.05",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription"
 },
@@ -2462,7 +2417,6 @@
 "service": "VM",
 "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
 "id": "G03.06",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection"
 },
@@ -2528,7 +2482,6 @@
 "service": "Storage",
 "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
 "id": "G04.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer"
 },
@@ -2540,7 +2493,6 @@
 "service": "Storage",
 "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
 "id": "G04.02",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection"
 },
@@ -2551,7 +2503,6 @@
 "waf": "Security",
 "guid": "6f704104-85c1-441f-96d3-c9819911645e",
 "id": "G05.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning"
 },
@@ -2582,7 +2533,6 @@
 "waf": "Operations",
 "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a",
 "id": "H01.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops"
 },
@@ -2613,7 +2563,6 @@
 "waf": "Operations",
 "guid": "165eb5e9-b434-448a-9e24-178632186212",
 "id": "H01.04",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code"
 },
@@ -2635,7 +2584,6 @@
 "service": "Key Vault",
 "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
 "id": "H01.06",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds"
 },
@@ -2656,7 +2604,6 @@
 "waf": "Operations",
 "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b",
 "id": "H02.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code"
 },
@@ -2697,7 +2644,6 @@
 "waf": "Operations",
 "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73",
 "id": "H03.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code"
 },
@@ -2708,7 +2654,6 @@
 "waf": "Operations",
 "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f",
 "id": "H04.01",
- "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure"
 }
From ee7fa62ec99636fe2ce39c4ba7d44e45c6f5aa91 Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 31 May 2024 10:06:36 -0400
Subject: [PATCH 02/22] Review of A items - pausing link scrub
---
 checklists/alz_checklist.en.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 68ea23def..8a5b6f45a 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -14,7 +14,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Entra ID Tenants",
- "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
+ "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
 "waf": "Operations",
 "service": "Entra",
 "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
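Review bot: The rewritten A01.02 text in the `@@ -14,7 +14,7 @@` hunk drops the article and keeps the old verb form, so it now reads "Use Multi-Tenant Automation approach to managing", which is ungrammatical in a user-facing checklist item. Suggested wording: `"text": "Use a multi-tenant automation approach to manage your Microsoft Entra ID tenants",`. The rest of the object (severity, link) lies outside the hunk, so I cannot tell whether the severity was also reviewed here.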
@@ -25,33 +25,33 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Entra ID Tenants",
- "text": "Leverage Azure Lighthouse for Multi-Tenant Management",
+ "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs",
 "waf": "Operations",
 "service": "Entra",
 "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
 "id": "A01.03",
- "severity": "Low",
+ "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse"
 },
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Cloud Solution Provider",
- "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner",
+ "text": "If you give a partner access to administer your tenant, use Azure Lighthouse",
 "waf": "Cost",
 "service": "Entra",
 "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
 "id": "A02.01",
- "severity": "Medium",
+ "severity": "High",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations"
 },
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Cloud Solution Provider",
- "text": "Discuss support request and escalation process with CSP partner",
+ "text": "If you have a CSP partner, define and document your support request and escalation process",
 "waf": "Cost",
 "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01",
 "id": "A02.02",
- "severity": "Low",
+ "severity": "Low [?]",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-cloud-solution-provider#design-recommendations"
 },
 {
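Review bot: `"severity": "Low [?]"` on A02.02 puts a reviewer question into a field that every other item in this file fills from a closed set (Low/Medium/High), so any tooling that filters, sorts or scores the checklist by severity will misclassify or drop this item. Keep `"severity": "Low",` and raise the open question in the PR discussion instead. A02.01 is promoted to High but still carries `"waf": "Cost"`; requiring Lighthouse for partner administration is about scoping delegated access to the tenant rather than cost, so `"waf": "Security"` would arguably match the new severity — worth confirming against how the waf pillar is used elsewhere. In A01.03, "with the same IDs" is ambiguous (presumably "the same identities" across tenants); spelling it out would avoid readers taking it as a reference to checklist IDs.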
@@ -92,12 +92,12 @@
 "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6",
 "id": "A03.04",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations"
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/assign-access-acm-data#enable-access-to-costs-in-the-azure-portal"
 },
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Enterprise Agreement",
- "text": "Make use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads",
+ "text": "Use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads",
 "waf": "Cost",
 "guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b",
 "id": "A03.05",
@@ -137,7 +137,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Customer Agreement",
- "text": "Periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account",
+ "text": "Define and document a process to periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account",
 "waf": "Cost",
 "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3",
 "id": "A04.04",
From 3cd0d4376efef6e06857b9f042de51e3fc995030 Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 31 May 2024 10:14:11 -0400
Subject: [PATCH 03/22] link v training
---
 checklists/alz_checklist.en.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 8a5b6f45a..b87f1825a 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
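Review bot: The new A03.05 text in the `@@ -92,12 +92,12 @@` hunk is a sentence fragment — "Use of Enterprise Dev/Test Subscriptions to reduce costs…" — because only "Make" was dropped from "Make use of". Suggested wording: `"text": "Use Enterprise Dev/Test subscriptions to reduce costs for non-production workloads",`. The A03.05 object continues past the end of the hunk, so its severity and link were not visible for review.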
@@ -31,7 +31,8 @@
 "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
 "id": "A01.03",
 "severity": "High",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience"
 },
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
@@ -92,7 +93,8 @@
 "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6",
 "id": "A03.04",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/assign-access-acm-data#enable-access-to-costs-in-the-azure-portal"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-recommendations",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/assign-access-acm-data#enable-access-to-costs-in-the-azure-portal"
 },
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
From c6b720a99474014476f402b3e26fc828394359ee Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 31 May 2024 10:34:17 -0400
Subject: [PATCH 04/22] B series
---
 checklists/alz_checklist.en.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index b87f1825a..113414aa8 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -201,7 +201,7 @@
 "service": "Entra",
 "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
 "id": "B03.04",
- "severity": "Low",
+ "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
 "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview"
 },
@@ -224,7 +224,7 @@
 "waf": "Security",
 "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6",
 "id": "B03.06",
- "severity": "Medium",
+ "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations"
 },
@@ -247,7 +247,7 @@
 "waf": "Reliability",
 "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
 "id": "B03.09",
- "severity": "Medium",
+ "severity": "High",
 "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations"
 },
@@ -264,7 +264,7 @@
 },
 {
 "subcategory": "Identity and Access Management",
- "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads",
+ "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads",
 "waf": "Security",
 "service": "Entra",
 "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
@@ -299,7 +299,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Microsoft Entra ID",
- "text": "When deploying an Microsoft Entra Connect, leverage a staging sever for high availability / Disaster recovery",
+ "text": "When deploying an Microsoft Entra Connect, use a staging sever for high availability / Disaster recovery",
 "waf": "Reliability",
 "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94",
 "id": "B03.13",
@@ -309,7 +309,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.",
+ "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments.",
 "waf": "Security",
 "service": "Entra",
 "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
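Review bot: The B03.13 rewrite in the `@@ -299,7 +299,7 @@` hunk swaps "leverage" for "use" but leaves two typos in the same sentence: "an Microsoft Entra Connect" and "staging sever". Since the line is being touched anyway, fix both: `"text": "When deploying Microsoft Entra Connect, use a staging server for high availability / disaster recovery",`. The B03.13 object's severity and link fall outside the hunk and were not reviewed here.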
@@ -321,7 +321,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
+ "text": "[Move to Application Landing Zone considerations?] Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
 "waf": "Security",
 "service": "Entra",
 "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
@@ -337,9 +337,9 @@
 "waf": "Security",
 "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8",
 "id": "B04.01",
- "severity": "Medium",
+ "severity": "High",
 "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator"
 },
 {
 "category": "Identity and Access Management",
@@ -365,7 +365,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Naming and tagging",
- "text": "It is recommended to follow Microsoft Best Practice Naming Standards",
+ "text": "Use a well defined naming scheme for resources, such as Microsoft Best Practice Naming Standards",
 "description": "Consider using the Azure naming tool available at https://aka.ms/azurenamingtool",
 "waf": "Security",
 "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a",
From db6b358c1b43db43857c6bd299ab67181232d100 Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 31 May 2024 10:52:41 -0400
Subject: [PATCH 05/22] C Complete
---
 checklists/alz_checklist.en.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
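Review bot: The `@@ -321,7 +321,7 @@` hunk commits an editorial placeholder, `[Move to Application Landing Zone considerations?]`, into the user-facing `text` of the Application Proxy item, where it will be rendered verbatim to anyone consuming the checklist. Leave the text as it was and track the relocation question in the PR or an issue instead. In the B04.01 hunk the link anchor changes from `#managed-identities` to the section-level `#identity-and-access-management-in-the-azure-landing-zone-accelerator` while the training link still covers AD DS domain extension; I cannot see the item's text, so please confirm the broader anchor is the intended target rather than a fallback.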
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 113414aa8..ca4a8fad5 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -410,7 +410,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.",
+ "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private non-AD Domain Name System (DNS), ExpressRoute circuit, and other networking resources.",
 "waf": "Security",
 "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c",
 "id": "C02.04",
@@ -494,7 +494,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce a process for cost management",
+ "text": "[this is too vague]Enforce a process for cost management",
 "waf": "Security",
 "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40",
 "id": "C02.12",
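Review bot: The C02.12 hunk writes a reviewer note, `[this is too vague]`, directly into the shipped `text` value instead of rewording the item; the checklist consumer will display the bracketed note as part of the recommendation. Either keep the original string until a concrete replacement exists, or replace it now with something actionable such as `"text": "Define and enforce a cost management process (budgets, alerts and tagging) for each subscription",` — the exact wording is a judgement call. In C02.04, "private non-AD Domain Name System (DNS)" is hard to parse; if the intent is that Azure Private DNS belongs in the connectivity subscription while AD-integrated DNS stays with identity, saying so explicitly ("Azure Private DNS zones; Active Directory-integrated DNS belongs in the identity subscription") would make the boundary clear. Both items' severity and link lie outside the hunks.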
@@ -549,7 +549,7 @@ { "category": "Resource Organization", "subcategory": "Regions", - "text": "Consider a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint", + "text": "Deploy your Azure landing zone in a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint", "waf": "Reliability", "guid": "19ca3f89-397d-44b1-b5b6-5e18661372ac", "id": "C03.02", @@ -571,7 +571,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "App delivery", - "text": "Develop a plan for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front door. You can use the Application Delivery checklist to for recommendations.", + "text": "Document a standard for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front door. You can use the Application Delivery checklist to for recommendations.", "waf": "Operations", "guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6", "id": "D01.01", From b4271d0cd15bf635a54fb233ade6d8b0e3992c3c Mon Sep 17 00:00:00 2001 
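Review bot: The rewritten D01.01 text (@@ -571) keeps the pre-existing typo `to for` in "You can use the Application Delivery checklist to for recommendations"; since the sentence is being rewritten anyway, drop the stray word: `You can use the Application Delivery checklist for recommendations.`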
From: Brandon Stephenson Date: Fri, 31 May 2024 11:54:21 -0400 Subject: [PATCH 06/22] D 1, 2, 3 --- checklists/alz_checklist.en.json | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json index ca4a8fad5..3cc237c7d 100644 --- a/checklists/alz_checklist.en.json +++ b/checklists/alz_checklist.en.json @@ -581,7 +581,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Hub and spoke", - "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", "waf": "Security", "service": "VNet", "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", @@ -593,7 +593,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "App delivery", - "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", + "text": "[Remove?]Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", "waf": "Security", "guid": "6138a720-0f1c-4e16-bd30-1d6e872e52e3", "id": "D01.02", 
@@ -604,13 +604,13 @@ { "category": "Network Topology and Connectivity", "subcategory": "Hub and spoke", - "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.", + "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.", "waf": "Cost", "service": "VNet", "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", "id": "D01.02", "severity": "High", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute" + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology" }, { "category": "Network Topology and Connectivity", @@ -620,7 +620,7 @@ "service": "VNet", "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", "id": "D01.03", - "severity": "Medium", + "severity": "High", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview" }, @@ -685,7 +685,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Hub and spoke", - "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)", + "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000)", "waf": "Reliability", "service": "VNet", "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", 
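Review bot: The hub-and-spoke item rewritten at @@ -604 carries `"id": "D01.02"`, which is also the id of the App delivery item in the preceding hunk (@@ -593); the `id` values look intended to be unique reader-facing identifiers, so one of the two should be renumbered. The HEAD of this series shows the same collision for B03.02, so a uniqueness check on `id` across the file would be worth adding alongside this cleanup.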
@@ -697,7 +697,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Hub and spoke", - "text": "Consider the limit of routes per route table (400).", + "text": "Limit the number of routes per route table to 400", "waf": "Reliability", "service": "VNet", "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", @@ -737,9 +737,9 @@ "service": "ExpressRoute", "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", "id": "D02.02", - "severity": "Low", + "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about" + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering" }, { "category": "Network Topology and Connectivity", @@ -761,7 +761,7 @@ "service": "VNet", "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", "id": "D03.02", - "severity": "Low", + "severity": "Medium", "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing" @@ -782,7 +782,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "IP plan", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "text": "Do not use overlapping IP address ranges for production and DR sites.", "waf": "Reliability", "service": "VNet", "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", 
@@ -801,12 +801,12 @@ "id": "D03.05", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances" + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal" }, { "category": "Network Topology and Connectivity", "subcategory": "IP plan", - "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.", + "text": "For environments where name resolution across Azure and on-premises is required, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", "waf": "Security", "service": "DNS", "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", From d5fddcfbe579dc47dde7a5fc535e61874e48f7f7 Mon Sep 17 00:00:00 2001 From: Brandon Stephenson Date: Fri, 31 May 2024 12:04:40 -0400 Subject: [PATCH 07/22] D 4, 5, 6 --- checklists/alz_checklist.en.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json index 3cc237c7d..7d5aef231 100644 --- a/checklists/alz_checklist.en.json +++ b/checklists/alz_checklist.en.json @@ -841,7 +841,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Internet", - "text": "Consider using Azure Bastion to securely connect to your network.", + "text": "Use Azure Bastion to securely connect to your network.", "waf": "Security", "service": "Bastion", "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", 
@@ -888,7 +888,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Internet", - "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", + "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", "waf": "Security", "service": "WAF", "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", @@ -912,7 +912,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Internet", - "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed", + "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed", "waf": "Reliability", "service": "VNet", "guid": "b034c01e-110b-463a-b36e-e3346e57f225", 
@@ -935,19 +935,19 @@ { "category": "Network Topology and Connectivity", "subcategory": "Hybrid", - "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.", + "text": "Determine if ExpressRoute should be used as the primary connection to Azure.", "waf": "Performance", "service": "ExpressRoute", "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", "id": "D06.01", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli" + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction#expressroute-cheat-sheet" }, { "category": "Network Topology and Connectivity", "subcategory": "Hybrid", - "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.", + "text": "[Clarity]When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.", "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", "waf": "Reliability", "service": "ExpressRoute", @@ -960,7 +960,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Hybrid", - "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", "waf": "Performance", "service": "ExpressRoute", "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", 
@@ -968,7 +968,7 @@ "severity": "Medium", "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing" + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku" }, { "category": "Network Topology and Connectivity", @@ -1114,7 +1114,7 @@ "id": "D06.15", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)" }, { 
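Review bot: The new D06 gateway-SKU link carries the referral tracking parameter `?source=recommendations`, which adds nothing for the reader and is inconsistent with the other links in the file; use `"link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways#gwsku"`.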
@@ -1202,7 +1202,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.",
+ "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.",
 "waf": "Performance",
 "service": "ExpressRoute",
 "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
From b68340827d2528cab956caec4dc592e86c894018 Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 31 May 2024 13:11:18 -0400
Subject: [PATCH 08/22] D7, 8, 9

---
 checklists/alz_checklist.en.json | 46 ++++++++++++++++----------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 7d5aef231..a47de00fe 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -1221,7 +1221,7 @@
 "id": "D07.01",
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features"
+ "link": "https://learn.microsoft.com/azure/firewall/overview"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1233,7 +1233,7 @@
 "id": "D07.02",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall"
+ "link": "[Revisit]https://learn.microsoft.com/azure/firewall-manager/policy-overview"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1250,7 +1250,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.", + "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", "waf": "Security", "service": "Firewall", "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", @@ -1262,7 +1262,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Use Azure Firewall Premium for additional security and protection.", + "text": "Use Azure Firewall Premium to enable additional security features.", "waf": "Security", "service": "Firewall", "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", @@ -1281,7 +1281,7 @@ "id": "D07.06", "severity": "High", "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "link": "https://learn.microsoft.com/azure/firewall/premium-features" + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules" }, { "category": "Network Topology and Connectivity", @@ -1346,7 +1346,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use", + "text": "[Need to determine what this is really saying]Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use", "waf": "Performance", "service": "Firewall", "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", 
@@ -1368,7 +1368,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs", + "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs", "waf": "Performance", "service": "Firewall", "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", @@ -1379,7 +1379,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it\u2019s a sign that SNAT exhaustion might be imminent.", + "text": "[Circle back on this]Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it\u2019s a sign that SNAT exhaustion might be imminent.", "waf": "Performance", "service": "Firewall", "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", @@ -1390,7 +1390,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Enable TLS Inspection", + "text": "If you are using Azure Firewall Premium, enable TLS Inspection", "waf": "Performance", "service": "Firewall", "guid": "346840b8-1064-496e-8396-4b1340172d52", @@ -1423,7 +1423,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Enable Azure Firewall DNS proxy configuration ", + "text": "Enable Azure Firewall DNS proxy configuration", "waf": "Security", "service": "Firewall", "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", 
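Review bot: The rewritten DNAT text at @@ -1368 is still a comma splice with inconsistent capitalisation (`DNATS` vs `DNATs`): "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs". Since the line is already being changed, finish the rewrite: `"text": "Do not use wildcards such as * or any as the source IP of inbound DNAT rules; specify explicit source IPs instead."`.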
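Review bot: The TLS Inspection item rewritten at @@ -1390 still sits under `"waf": "Performance"`, which appears mismatched for a control whose purpose is inspecting encrypted traffic; the other Firewall Premium items in this file (e.g. @@ -1262) are filed under Security, so consider `"waf": "Security"` here as well. I can only see the surrounding context lines, so confirm the pillar against the checklist's own taxonomy.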
@@ -1434,12 +1434,12 @@ { "category": "Network Topology and Connectivity", "subcategory": "Firewall", - "text": "Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines", + "text": "[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines", "waf": "Security", "service": "Firewall", "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", "id": "D07.19", - "severity": "Medium", + "severity": "High", "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp" }, { @@ -1450,7 +1450,7 @@ "service": "Firewall", "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", "id": "D07.20", - "severity": "Low", + "severity": "High", "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics" }, { @@ -1467,7 +1467,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "PaaS", - "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", + "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", "waf": "Security", "service": "App Gateway", "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", @@ -1485,7 +1485,7 @@ "id": "D08.02", "severity": "Medium", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "link": "https://learn.microsoft.com/azure/app-service/networking-features" + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview" }, { "category": "Network Topology and Connectivity", 
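Review bot: The rewritten PaaS control-plane text at @@ -1467 introduces a grammatical error, "injected into a virtual networks"; use `"text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual network, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic."`.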
@@ -1497,7 +1497,7 @@
 "id": "D08.03",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features"
+ "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1507,10 +1507,10 @@
 "service": "VNet",
 "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
 "id": "D08.04",
- "severity": "Medium",
+ "severity": "High",
 "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features"
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1522,7 +1522,7 @@
 "id": "D08.05",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features"
+ "link": "azure/private-link/inspect-traffic-with-azure-firewall"
 },
 {
 "category": "Network Topology and Connectivity",
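Review bot: The new D08.05 link at @@ -1522 is a bare path, `azure/private-link/inspect-traffic-with-azure-firewall`, with no scheme or host, so it will be rendered as a relative link and fail; every other `link` in this file is an absolute URL. Use `"link": "https://learn.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall"`.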
@@ -1544,7 +1544,7 @@ "service": "NSG", "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", "id": "D09.02", - "severity": "Medium", + "severity": "High", "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags" }, @@ -1574,7 +1574,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Segmentation", - "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.", + "text": "[Move to Application Landing Zone list?] Use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.", "waf": "Security", "service": "NSG", "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", 
@@ -1605,12 +1605,12 @@ "id": "D09.07", "severity": "Medium", "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works" + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview" }, { "category": "Network Topology and Connectivity", "subcategory": "Segmentation", - "text": "Consider the limit of NSG rules per NSG (1000).", + "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules", "waf": "Reliability", "service": "NSG", "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", From 4de81a1fa91f024e7a1c592e473fd1df16b2f8da Mon Sep 17 00:00:00 2001 From: Brandon Stephenson Date: Fri, 31 May 2024 13:36:40 -0400 Subject: [PATCH 09/22] D10 --- checklists/alz_checklist.en.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json index a47de00fe..b1945af16 100644 --- a/checklists/alz_checklist.en.json +++ b/checklists/alz_checklist.en.json @@ -1623,7 +1623,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Virtual WAN", - "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs", + "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs", "waf": "Operations", "service": "VWAN", "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", 
@@ -1641,12 +1641,12 @@
 "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
 "id": "D10.02",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst"
 },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network",
+ "text": "[This is too vague, discussion might be needed]Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network",
 "waf": "Performance",
 "service": "VWAN",
 "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
@@ -1665,12 +1665,12 @@
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall"
 },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.",
+ "text": "[This is too vague, lets decompose into recs?] Ensure that the network architecture is within the Azure Virtual WAN limits.",
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
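Review bot: The new D10.02 link's fragment ends in `recommendationst`, which looks like a trailing-character typo, so the anchor will not resolve and the page will open at the top instead of the intended section; use `"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendations"`. A link-checker step in CI would catch this class of error for the whole file.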
@@ -1692,7 +1692,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Virtual WAN", - "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", "waf": "Reliability", "service": "VWAN", "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", @@ -1714,7 +1714,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Virtual WAN", - "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", "waf": "Reliability", "service": "VWAN", "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", @@ -1725,7 +1725,7 @@ { "category": "Network Topology and Connectivity", "subcategory": "Virtual WAN", - "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.", + "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available", "waf": "Reliability", "service": "VWAN", "guid": "9c75dfef-573c-461c-a698-68598595581a", From a51bf608691333fb51c327b6b2daa844402d73f8 Mon Sep 17 00:00:00 2001 From: Brandon Stephenson Date: Fri, 31 May 2024 14:22:26 -0400 Subject: [PATCH 10/22] E & F --- checklists/alz_checklist.en.json | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json index b1945af16..2f1125292 100644 --- a/checklists/alz_checklist.en.json +++ b/checklists/alz_checklist.en.json 
@@ -1774,7 +1774,7 @@ "service": "Policy", "guid": "3829e7e3-1618-4368-9a04-77a209945bda", "id": "E01.05", - "severity": "Medium", + "severity": "High", "link": "https://learn.microsoft.com/azure/governance/policy/overview" }, { @@ -1796,7 +1796,7 @@ "service": "Policy", "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", "id": "E01.07", - "severity": "Medium", + "severity": "High", "link": "https://learn.microsoft.com/azure/governance/policy/overview" }, { @@ -1864,7 +1864,8 @@ "service": "Policy", "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", "id": "E01.13", - "severity": "Medium" + "severity": "Medium", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives" }, { "category": "Governance", @@ -1896,7 +1897,7 @@ "service": "Monitor", "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", "id": "F01.03", - "severity": "Medium", + "severity": "High", "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work" }, @@ -1997,7 +1998,7 @@ "guid": "e3ab3693-829e-47e3-8618-3687a0477a20", "id": "F01.13", "severity": "Medium", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" + "link": "[Need a better link since this recommendation isn't for Sentinel specifically]https://learn.microsoft.com/azure/sentinel/quickstart-onboard" }, { "category": "Management", 
@@ -2055,7 +2056,7 @@ { "category": "Management", "subcategory": "Monitoring", - "text": "Establish monitoring for platform components of your landing zone, AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy", + "text": "Deploy AMBA to establish monitoring for platform components of your landing zone - AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy", "waf": "Operations", "guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610", "id": "F01.19", @@ -2066,7 +2067,7 @@ { "category": "Management", "subcategory": "Data Protection", - "text": "Consider cross-region replication in Azure for BCDR with paired regions", + "text": "Enable cross-region replication in Azure for BCDR with paired regions", "waf": "Reliability", "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb", "id": "F02.01", @@ -2076,18 +2077,18 @@ { "category": "Management", "subcategory": "Data Protection", - "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS", + "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS", "waf": "Reliability", "service": "Backup", "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", "id": "F02.02", - "severity": "Medium", + "severity": "Low", "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy" }, { "category": "Management", "subcategory": "Operational compliance", - "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", "waf": "Security", "service": "VM", "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", 
@@ -2100,7 +2101,7 @@
 "subcategory": "Operational compliance",
 "text": "Monitor VM security configuration drift via Azure Policy.",
 "service": "VM",
- "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
+ "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
 "waf": "Security",
 "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
 "id": "F03.02",
@@ -2121,7 +2122,7 @@
 {
 "category": "Management",
 "subcategory": "Protect and Recover",
- "text": "Ensure to use and test native PaaS service disaster recovery capabilities.",
+ "text": "Use native PaaS service disaster recovery capabilities. Perform failover testing with these capabilities.",
 "waf": "Operations",
 "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a",
 "id": "F04.02",
@@ -2142,7 +2143,7 @@
 {
 "category": "Management",
 "subcategory": "Fault Tolerance",
- "text": "Leverage Availability Zones for your VMs in regions where they are supported.",
+ "text": "[Remove for VM checklist] Deploy your VMs into multiple Availability Zones in regions where they are supported.",
 "waf": "Reliability",
 "service": "VM",
 "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
@@ -2153,7 +2154,7 @@
 {
 "category": "Management",
 "subcategory": "Fault Tolerance",
- "text": "Avoid running a production workload on a single VM.",
+ "text": "[Remove for VM checklist] Do not run a production workload on a single VM.",
 "waf": "Reliability",
 "service": "VM",
 "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
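Review bot: The new `text` values in the third and fourth hunks ship editorial markers (`[Remove for VM checklist] ...`) as the recommendation a reader will see, and the same pattern recurs on the new side of the next Fault Tolerance hunk (with a stray leading space before the bracket), of the G05.01, G06.01, G06.02 and H01.01–H01.03 hunks in PATCH 11 (`[Remove? ...]`, `[REMOVE/REVISE...]`), of the `#Revisit-` identity item and the Virtual WAN item in PATCH 13, and of the firewall rule-collection item in PATCH 14. Since this file is consumed as data, reviewer discussion belongs in the commit message, an issue, or a separate key rather than in `text`; items that are to be dropped can simply be deleted, as PATCH 13 does for D01.02. The first hunk rewrites `description` into imperative voice while the sibling `text` on the context line already gives the instruction, so the two now say the same thing twice — keeping `description` explanatory ("guest configuration can audit and remediate ...") would preserve the distinction between the two keys.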
@@ -2164,7 +2165,7 @@
 {
 "category": "Management",
 "subcategory": "Fault Tolerance",
- "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
+ "text": " [Remove for VM checklist]Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
 "waf": "Reliability",
 "service": "VM",
 "guid": "84101f59-1941-4195-a270-e28034290e3a",
From 4554ebafac171945c57424890433d408743f508c Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 31 May 2024 15:02:32 -0400
Subject: [PATCH 11/22] G & H
---
 checklists/alz_checklist.en.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 2f1125292..ca8ef944c 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -2208,7 +2208,7 @@
 {
 "category": "Security",
 "subcategory": "Access control",
- "text": "Implement a zero-trust approach for access to the Azure platform, where appropriate.",
+ "text": "Apply a zero-trust approach for access to the Azure platform.",
 "waf": "Security",
 "guid": "01365d38-e43f-49cc-ad86-8266abca264f",
 "id": "G01.02",
@@ -2475,12 +2475,12 @@
 "guid": "874a748b-662d-46d1-9051-2a66498f6dfe",
 "id": "G03.11",
 "severity": "Low",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security"
+ "link": "https://learn.microsoft.com/azure/event-grid/set-alerts"
 },
 {
 "category": "Security",
 "subcategory": "Overview",
- "text": "Secure transfer to storage accounts should be enabled",
+ "text": "Enable secure transfer to storage accounts",
 "waf": "Security",
 "service": "Storage",
 "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
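Review bot: The G03.11 `link` in the last hunk of PATCH 11 is moved from the landing-zone security design area to the Event Grid alerting page, but the item's `text` sits outside the hunk, so this diff alone cannot show that the recommendation is about Event Grid; please confirm the new target matches the item before merging, since a Low-severity security item with an unrelated link is easy to overlook later. The secure-transfer text in the same hunk is fine as a rewrite, but it is the one rewritten line here left without a trailing period, which PATCH 14 later standardises everywhere else.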
@@ -2502,7 +2502,7 @@
 {
 "category": "Security",
 "subcategory": "Secure privileged access",
- "text": "Separate privileged admin accounts for Azure administrative tasks.",
+ "text": "[Remove? This is part of Identity, and the link isn't clear] Separate privileged admin accounts for Azure administrative tasks.",
 "waf": "Security",
 "guid": "6f704104-85c1-441f-96d3-c9819911645e",
 "id": "G05.01",
@@ -2512,7 +2512,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "Plan how new azure services will be implemented",
+ "text": "[REMOVE/REVISE]Plan how new azure services will be implemented",
 "waf": "Security",
 "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215",
 "id": "G06.01",
@@ -2522,7 +2522,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "Plan how service request will be fulfilled for Azure services",
+ "text": "[REMOVE/REVISE]Plan how service request will be fulfilled for Azure services",
 "waf": "Security",
 "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b",
 "id": "G06.02",
@@ -2532,7 +2532,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
+ "text": "[REMOVE/REVISE - I don't think we can expect customers to have dedicated teams]Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
 "waf": "Operations",
 "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a",
 "id": "H01.01",
@@ -2542,7 +2542,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "Aim to define functions for Azure Landing Zone Platform team.",
+ "text": "[REMOVE/REVISE]Aim to define functions for Azure Landing Zone Platform team.",
 "waf": "Operations",
 "guid": "634146bf-7085-4419-a7b5-f96d2726f6da",
 "id": "H01.02",
@@ -2552,7 +2552,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
+ "text": "[REMOVE/REVISE]Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
 "waf": "Operations",
 "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5",
 "id": "H01.03",
@@ -2566,7 +2566,7 @@
 "waf": "Operations",
 "guid": "165eb5e9-b434-448a-9e24-178632186212",
 "id": "H01.04",
- "severity": "High",
+ "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code"
 },
 {
From 8fd5b612e09c4ab454dcca1115d94b33694c9b95 Mon Sep 17 00:00:00 2001
From: Igor Pagliai
Date: Fri, 21 Jun 2024 09:40:41 +0200
Subject: [PATCH 12/22] Update alz_checklist.en.json based on contribution guidelines
---
 checklists/alz_checklist.en.json | 34 ++++++++++++++++----------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index ca8ef944c..5c2f95c97 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -196,7 +196,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments",
+ "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments",
 "waf": "Security",
 "service": "Entra",
 "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
@@ -243,7 +243,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "When deploying Active Directory on Windows Server, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set",
+ "text": "When deploying Active Directory Domain Controllers, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set",
 "waf": "Reliability",
 "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
 "id": "B03.09",
@@ -271,7 +271,7 @@
 "id": "B03.10",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview"
+ "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview"
 },
 {
 "category": "Identity and Access Management",
@@ -344,7 +344,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Landing zones",
- "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.G - Data Operations across Key Vault, Storage Account and Database Services.",
+ "text": "Use Azure RBAC to manage data plane access to resources, if possible.",
 "waf": "Security",
 "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4",
 "id": "B04.02",
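Review bot: The new B03.10 `link` in the second hunk embeds a locale segment (`/en-us/`) that no other learn.microsoft.com URL on this page carries; the locale-free form lets the site serve the reader's own language, so `"link": "https://learn.microsoft.com/entra/identity/domain-services/overview"` keeps the file consistent. The B04.02 hunk drops the only concrete example of data-plane RBAC scope (Key Vault, Storage Account, database services), which leaves a security recommendation fairly abstract; if the example had to leave `text` under the contribution guidelines, moving it into a `description` key (a key this file already uses for other items) would keep the guidance available.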
@@ -571,7 +571,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "App delivery",
- "text": "Document a standard for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front door. You can use the Application Delivery checklist to for recommendations.",
+ "text": "Document a standard for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front Door. You can use the Application Delivery checklist to for recommendations.",
 "waf": "Operations",
 "guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6",
 "id": "D01.01",
@@ -615,7 +615,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "App delivery",
- "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.",
 "waf": "Security",
 "service": "VNet",
 "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
@@ -782,7 +782,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "IP plan",
- "text": "Do not use overlapping IP address ranges for production and DR sites.",
+ "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.",
 "waf": "Reliability",
 "service": "VNet",
 "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
@@ -985,7 +985,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.",
+ "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.",
 "waf": "Cost",
 "service": "ExpressRoute",
 "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
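Review bot: The rewritten D01.01 line in the first hunk only fixes the product name and keeps `securing the delivery application content` and `checklist to for recommendations`; since the line is touched anyway, `"text": "Document a standard for securing the delivery of application content from your workload spokes using Application Gateway and Azure Front Door. You can use the Application Delivery checklist for recommendations."` would finish it. The DDoS hunk is a genuine improvement (singular `plan`, lower-case `public`), but it is the only one of the four hunks whose `waf` pillar (`Security`) is visible on a context line, so no further point there.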
@@ -1120,7 +1120,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.",
+ "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.",
 "waf": "Reliability",
 "service": "ExpressRoute",
 "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
@@ -1825,7 +1825,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them",
+ "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them",
 "waf": "Security",
 "service": "Policy",
 "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
@@ -1837,7 +1837,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.",
+ "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.",
 "waf": "Security",
 "service": "Policy",
 "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
@@ -1848,7 +1848,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.",
+ "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.",
 "waf": "Security",
 "service": "Policy",
 "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
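Review bot: The first hunk turns `especially if only using a single ExpressRoute circuit` into a hard condition, so the VPN-failover recommendation now says nothing to deployments with two circuits, which previously were still nudged toward a backup path; if that narrowing is intended, a short `description` explaining when VPN failover is unnecessary would stop readers from reading it as "two circuits need no fallback", and if it is not, keeping `especially` is the one-word fix. The other three hunks are wording improvements; the third one replaces `MG` with `management group`, which is the clearer form and could be applied to the other sovereignty items as well.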
@@ -1859,7 +1859,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.",
+ "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.",
 "waf": "Security",
 "service": "Policy",
 "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
@@ -1923,7 +1923,7 @@
 "id": "F01.06",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations "
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations"
 },
 {
 "category": "Management",
@@ -2448,7 +2448,7 @@
 {
 "category": "Security",
 "subcategory": "Operations",
- "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.",
+ "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.",
 "waf": "Security",
 "service": "Entra",
 "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba",
@@ -2459,7 +2459,7 @@
 {
 "category": "Security",
 "subcategory": "Operations",
- "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.",
+ "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.",
 "waf": "Security",
 "service": "Entra",
 "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
@@ -2751,4 +2751,4 @@
 "waf": "all",
 "timestamp": "May 09, 2024"
 }
-}
\ No newline at end of file
+}
From 32401aa6d653f9cf99a4c91af7bffe75aaf266b3 Mon Sep 17 00:00:00 2001
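Review bot: The rewritten Sovereign Landing Zone line in the third hunk keeps the misspelling `transparancy`; `"text": "For Sovereign Landing Zone, enable transparency logs on the Entra ID tenant."` fixes it on a line that is changing anyway. The final hunk adds the missing newline at end of file, which is good, but `"timestamp": "May 09, 2024"` on its context line is left as it was although this series rewrites, re-rates and deletes recommendations; if that field is what consumers use to tell whether a checklist is current, it should be bumped in the series. The second hunk's trailing-space removal from the F01.06 link is worth keeping as its own point in the commit message, since a trailing space in an anchor URL is an easy regression to reintroduce.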
From: Brandon Stephenson
Date: Fri, 21 Jun 2024 09:26:44 -0400
Subject: [PATCH 13/22] Review Updates
---
 checklists/alz_checklist.en.json | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 5c2f95c97..873f72b60 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -309,7 +309,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments.",
+ "text": "#Revisit-Do not use on-premises synced accounts for Microsoft Entra ID role assignments.",
 "waf": "Security",
 "service": "Entra",
 "guid": "35037e68-9349-4c15-b371-228514f4cdff",
@@ -494,13 +494,13 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "[this is too vague]Enforce a process for cost management",
+ "text": "As part of your cloud adoption, implement a detailed cost management plan using the 'Managed cloud costs' process.",
 "waf": "Security",
 "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40",
 "id": "C02.12",
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/get-started/manage-costs"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/get-started/manage-costs"
 },
 {
 "category": "Resource Organization",
@@ -516,7 +516,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Ensure tags are used for billing and cost management",
+ "text": "Ensure tags are used for billing and cost management.",
 "waf": "Security",
 "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3",
 "id": "C02.14",
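Review bot: The rewritten C02.12 entry in the second hunk is now explicitly a cost-management recommendation with a cost-management link, yet its `waf` stays `Security` on the context line, and `"severity": "High"` stays too; the billing and cost items in PATCH 14 use `"waf": "Cost"`, so `"waf": "Cost"` looks like the intended pillar unless the mapping is deliberately tied to the Resource Organization category, in which case a note in the commit message would help. The new text also references the `'Managed cloud costs'` process by name while the link target is the manage-costs getting-started page; if the two names differ, readers will not find the process, so the name in `text` should match the linked page's heading.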
@@ -590,17 +590,6 @@
 "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity"
 },
- {
- "category": "Network Topology and Connectivity",
- "subcategory": "App delivery",
- "text": "[Remove?]Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).",
- "waf": "Security",
- "guid": "6138a720-0f1c-4e16-bd30-1d6e872e52e3",
- "id": "D01.02",
- "severity": "Medium",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator"
- },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hub and spoke",
@@ -806,7 +795,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "IP plan",
- "text": "For environments where name resolution across Azure and on-premises is required, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.",
+ "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.",
 "waf": "Security",
 "service": "DNS",
 "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
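Review bot: The first hunk deletes the D01.02 entry (guid `6138a720-...`) outright, which leaves a gap in the D01.xx sequence and removes an id that other artefacts may reference; the file name `alz_checklist.en.json` suggests localized siblings exist, and if they do the same entry has to go there as well, otherwise the language variants drift apart. That is only an inference from the name — if there are no other-language copies or no external references to ids, the deletion is fine as-is, but either way a line in the commit message saying the id was retired would help anyone grepping for it later.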
@@ -1670,7 +1659,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "[This is too vague, lets decompose into recs?] Ensure that the network architecture is within the Azure Virtual WAN limits.",
+ "text": "[This is too vague, lets decompose into recs? -- Agree, could maybe consolidate with D10.02] Ensure that the network architecture is within the Azure Virtual WAN limits.",
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
From 37a56760855b2b4101d9ae27f101ae0ecb40a169 Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 21 Jun 2024 10:36:01 -0400
Subject: [PATCH 14/22] Sentence structure
---
 checklists/alz_checklist.en.json | 132 +++++++++++++++----------------
 1 file changed, 66 insertions(+), 66 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 873f72b60..fd8a43c1c 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -14,7 +14,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Entra ID Tenants",
- "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
+ "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.",
 "waf": "Operations",
 "service": "Entra",
 "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
@@ -25,7 +25,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Entra ID Tenants",
- "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs",
+ "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.",
 "waf": "Operations",
 "service": "Entra",
 "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
@@ -37,7 +37,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Cloud Solution Provider",
- "text": "If you give a partner access to administer your tenant, use Azure Lighthouse",
+ "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.",
 "waf": "Cost",
 "service": "Entra",
 "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
@@ -48,7 +48,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Cloud Solution Provider",
- "text": "If you have a CSP partner, define and document your support request and escalation process",
+ "text": "If you have a CSP partner, define and document your support request and escalation process.",
 "waf": "Cost",
 "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01",
 "id": "A02.02",
@@ -58,7 +58,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Cloud Solution Provider",
- "text": "Setup Cost Reporting and Views with Azure Cost Management",
+ "text": "Setup Cost Reporting and Views with Azure Cost Management.",
 "waf": "Cost",
 "guid": "32952499-58c8-4e6f-ada5-972e67893d55",
 "id": "A02.03",
@@ -68,7 +68,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Enterprise Agreement",
- "text": "Configure Notification Contacts to a group mailbox",
+ "text": "Configure Notification Contacts to a group mailbox.",
 "waf": "Cost",
 "guid": "685cb4f2-ac9c-4b19-9167-993ed0b32415",
 "id": "A03.01",
@@ -99,7 +99,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Enterprise Agreement",
- "text": "Use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads",
+ "text": "Use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads.",
 "waf": "Cost",
 "guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b",
 "id": "A03.05",
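Review bot: Two of the rewritten lines here still do not read as instructions, which is what this "Sentence structure" commit is standardising: `Setup Cost Reporting and Views ...` in the third hunk uses the noun `Setup` where the verb is meant, and `Use of Enterprise Dev/Test Subscriptions ...` in the last hunk is a noun phrase with no verb. `"text": "Set up Cost Reporting and Views with Azure Cost Management."` and `"text": "Use Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads."` bring both into line with the imperative form used by the neighbouring items. The first hunk's Azure Lighthouse item carries `"waf": "Cost"` on its context line although the recommendation is about delegated partner access to the tenant, which is an access-control concern; that is pre-existing, but worth a look while the entry is being edited.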
@@ -109,7 +109,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Customer Agreement",
- "text": "Configure Agreement billing account notification contact email",
+ "text": "Configure Agreement billing account notification contact email.",
 "waf": "Cost",
 "guid": "6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c",
 "id": "A04.01",
@@ -119,7 +119,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Customer Agreement",
- "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management",
+ "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management.",
 "waf": "Cost",
 "guid": "90e87802-602f-4dfb-acea-67c60689f1d7",
 "id": "A04.02",
@@ -129,7 +129,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Customer Agreement",
- "text": "Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production workloads",
+ "text": "Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production workloads.",
 "waf": "Cost",
 "guid": "e81a73f0-84c4-4641-b406-14db3b4d1f50",
 "id": "A04.03",
@@ -139,7 +139,7 @@
 {
 "category": "Azure Billing and Microsoft Entra ID Tenants",
 "subcategory": "Microsoft Customer Agreement",
- "text": "Define and document a process to periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account",
+ "text": "Define and document a process to periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account.",
 "waf": "Cost",
 "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3",
 "id": "A04.04",
@@ -196,7 +196,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments",
+ "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.",
 "waf": "Security",
 "service": "Entra",
 "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
@@ -208,7 +208,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Enforce multi-factor authentication for any user with rights to the Azure environments",
+ "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.",
 "waf": "Security",
 "service": "Entra",
 "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
@@ -220,7 +220,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements",
+ "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements.",
 "waf": "Security",
 "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6",
 "id": "B03.06",
@@ -231,7 +231,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege",
+ "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.",
 "waf": "Security",
 "service": "Entra",
 "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
@@ -243,7 +243,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "When deploying Active Directory Domain Controllers, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set",
+ "text": "When deploying Active Directory Domain Controllers, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set.",
 "waf": "Reliability",
 "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
 "id": "B03.09",
@@ -264,7 +264,7 @@
 },
 {
 "subcategory": "Identity and Access Management",
- "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads",
+ "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.",
 "waf": "Security",
 "service": "Entra",
 "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
@@ -287,7 +287,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout",
+ "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout.",
 "waf": "Security",
 "service": "Entra",
 "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
@@ -299,7 +299,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Microsoft Entra ID",
- "text": "When deploying an Microsoft Entra Connect, use a staging sever for high availability / Disaster recovery",
+ "text": "When deploying an Microsoft Entra Connect, use a staging sever for high availability / Disaster recovery.",
 "waf": "Reliability",
 "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94",
 "id": "B03.13",
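Review bot: The B03.13 line in the last hunk is rewritten but keeps two typos, `an Microsoft Entra Connect` and `staging sever`; `"text": "When deploying Microsoft Entra Connect, use a staging server for high availability / disaster recovery."` fixes both. In the second hunk the object that opens right after `},` begins with `"subcategory": "Identity and Access Management"` — every other entry on this page opens with `"category"` and then a narrower `"subcategory"` such as `"Identity"` — so that entry looks to be missing its `category` key and carrying the category name in `subcategory`; the key could sit later in the object outside the hunk, but if it is absent, consumers that group or filter by category will silently drop this item. The break-glass item in the third hunk mixes number (`an emergency access or break-glass accounts`); `Implement emergency access (break-glass) accounts to prevent tenant-wide account lockout.` reads cleanly.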
@@ -365,7 +365,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Naming and tagging",
- "text": "Use a well defined naming scheme for resources, such as Microsoft Best Practice Naming Standards",
+ "text": "Use a well defined naming scheme for resources, such as Microsoft Best Practice Naming Standards.",
 "description": "Consider using the Azure naming tool available at https://aka.ms/azurenamingtool",
 "waf": "Security",
 "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a",
@@ -388,7 +388,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure",
+ "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure.",
 "waf": "Security",
 "guid": "667313b4-f566-44b5-b984-a859c773e7d2",
 "id": "C02.02",
@@ -399,7 +399,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment",
+ "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment.",
 "waf": "Security",
 "guid": "61623a76-5a91-47e1-b348-ef254c27d42e",
 "id": "C02.03",
@@ -421,7 +421,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce no subscriptions are placed under the root management group",
+ "text": "Enforce no subscriptions are placed under the root management group.",
 "waf": "Security",
 "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34",
 "id": "C02.05",
@@ -432,7 +432,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings",
+ "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings.",
 "waf": "Security",
 "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19",
 "id": "C02.06",
@@ -483,7 +483,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels",
+ "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels.",
 "waf": "Security",
 "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25",
 "id": "C02.11",
@@ -538,7 +538,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Regions",
- "text": "Select the right Azure region/s for your deployment. Azure is a global-scale cloud platform that provide global coverage through many regions and geographies. Different Azure regions have different characteristics, access and availability models, costs, capacity, and services offered, then it is important to consider all criteria and requirements",
+ "text": "Select the right Azure region/s for your deployment. Azure is a global-scale cloud platform that provide global coverage through many regions and geographies. Different Azure regions have different characteristics, access and availability models, costs, capacity, and services offered, then it is important to consider all criteria and requirements.",
 "waf": "Reliability",
 "guid": "250d81ce-8bbe-4f85-9051-6a18a8221e50",
 "id": "C03.01",
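Review bot: The C03.01 line in the last hunk only gains a final period and keeps `that provide global coverage` (subject–verb agreement) and `, then it is important` (which reads as a sequence rather than a conclusion); for a commit about sentence structure, `...a global-scale cloud platform that provides global coverage through many regions and geographies. ... services offered, so it is important to consider all criteria and requirements.` would finish the job. The second hunk's `Enforce a dashboard, workbook, or manual process to monitor used capacity levels.` uses `Enforce` for something that is established rather than enforced; `Establish a dashboard, workbook, or manual process ...` says what is meant, and the same `Enforce` wording is repeated by the C02.02 and C02.03 hunks above.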
@@ -549,7 +549,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Regions",
- "text": "Deploy your Azure landing zone in a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint",
+ "text": "Deploy your Azure landing zone in a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint.",
 "waf": "Reliability",
 "guid": "19ca3f89-397d-44b1-b5b6-5e18661372ac",
 "id": "C03.02",
@@ -560,7 +560,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Regions",
- "text": "Ensure required services and features are available within the chosen deployment regions",
+ "text": "Ensure required services and features are available within the chosen deployment regions.",
 "waf": "Reliability",
 "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908",
 "id": "C03.03",
@@ -616,7 +616,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hub and spoke",
- "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance",
+ "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.",
 "waf": "Reliability",
 "service": "NVA",
 "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
@@ -674,7 +674,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hub and spoke",
- "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000)",
+ "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).",
 "waf": "Reliability",
 "service": "VNet",
 "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
@@ -686,7 +686,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hub and spoke",
- "text": "Limit the number of routes per route table to 400",
+ "text": "Limit the number of routes per route table to 400.",
 "waf": "Reliability",
 "service": "VNet",
 "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
@@ -698,7 +698,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hub and spoke",
- "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings",
+ "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.",
 "waf": "Reliability",
 "service": "VNet",
 "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
@@ -733,7 +733,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "IP plan",
- "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used",
+ "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.",
 "waf": "Security",
 "service": "ExpressRoute",
 "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
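Review bot: The last hunk's IP-plan item (`Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.`) carries `"service": "ExpressRoute"` on its context line, while the near-identical IP-plan item rewritten in PATCH 12 (`Do not use overlapping IP address ranges for production and disaster recovery sites.`) carries `"service": "VNet"`; the two items describe the same class of problem and should probably agree on `service` so filters by service return both, or be merged. This is pre-existing and only visible because the hunks sit side by side, so it can be a follow-up. The first three hunks hard-code platform limits (400, 500, 1000) in `text` with no `link`; if such limits are documented elsewhere, adding a `link` to that page would keep the numbers verifiable as they change.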
@@ -758,7 +758,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "IP plan",
- "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)",
+ "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).",
 "waf": "Performance",
 "service": "VNet",
 "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
@@ -901,7 +901,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Internet",
- "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed",
+ "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.",
 "waf": "Reliability",
 "service": "VNet",
 "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
@@ -1048,7 +1048,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs",
+ "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.",
 "waf": "Cost",
 "service": "ExpressRoute",
 "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
@@ -1203,7 +1203,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).",
 "waf": "Security",
 "service": "Firewall",
 "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
@@ -1287,7 +1287,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
+ "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.",
 "waf": "Security",
 "service": "Firewall",
 "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
@@ -1335,7 +1335,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "[Need to determine what this is really saying]Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use",
+ "text": "[Need to determine what this is really saying]Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
@@ -1346,7 +1346,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "Use IP Groups or IP prefixes to reduce number of IP table rules",
+ "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
@@ -1357,7 +1357,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs",
+ "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
@@ -1379,7 +1379,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "If you are using Azure Firewall Premium, enable TLS Inspection",
+ "text": "If you are using Azure Firewall Premium, enable TLS Inspection.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "346840b8-1064-496e-8396-4b1340172d52",
@@ -1412,7 +1412,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "Enable Azure Firewall DNS proxy configuration",
+ "text": "Enable Azure Firewall DNS proxy configuration.",
 "waf": "Security",
 "service": "Firewall",
 "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
@@ -1423,7 +1423,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines",
+ "text": "[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines.",
 "waf": "Security",
 "service": "Firewall",
 "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
@@ -1516,7 +1516,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Segmentation",
- "text": "Use at least a /27 prefix for your Gateway subnets",
+ "text": "Use at least a /27 prefix for your Gateway subnets.",
 "waf": "Security",
 "service": "ExpressRoute",
 "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
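Review bot: The `waf` pillar on the DNAT source-IP item in hunk `@@ -1357` is `Performance`, yet forbidding wildcard sources on inbound DNAT rules is an attack-surface reduction; `Security` looks like the intended pillar, as used by the neighbouring firewall items such as `@@ -1412`. The same question applies to the TLS Inspection item in `@@ -1379`, also tagged `Performance` although TLS inspection is a security capability that costs performance rather than a performance recommendation. Both hunks only add a trailing period, so this is a pre-existing classification issue rather than one the commit introduced; if the pillar choice is deliberate, a `description` stating why would help readers. The first sentence also spells `DNATS` where the second sentence spells `DNATs`.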
@@ -1599,7 +1599,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Segmentation",
- "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules",
+ "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.",
 "waf": "Reliability",
 "service": "NSG",
 "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
@@ -1612,7 +1612,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs",
+ "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.",
 "waf": "Operations",
 "service": "VWAN",
 "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
@@ -1635,7 +1635,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "[This is too vague, discussion might be needed]Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network",
+ "text": "#REVISIT[This is too vague, discussion might be needed]Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
 "waf": "Performance",
 "service": "VWAN",
 "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
@@ -1646,7 +1646,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs",
+ "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.",
 "waf": "Security",
 "service": "VWAN",
 "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
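Review bot: The `#REVISIT` marker introduced in hunk `@@ -1635` lives inside the user-facing `text` value with no separator before the bracketed note, so it is published to anyone rendering the checklist and can only be located by string matching; `@@ -1659` on the next line and the later patches 15, 16 and 18 repeat the pattern in varying forms (`#REVISIT[...]`, `#REVISITDetermine`, `#REVISITUse`). A dedicated field on the item, for example a boolean such as `"revisit": true` (a proposed key, not one the file has today), with the reviewer remark kept out of `text`, would let tooling filter open items and keep the shipped recommendation text clean. If an inline marker is intended as a short-lived working convention, a consistent separator such as `#REVISIT: ` would at least make it possible to strip mechanically before release.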
@@ -1659,7 +1659,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "[This is too vague, lets decompose into recs? -- Agree, could maybe consolidate with D10.02] Ensure that the network architecture is within the Azure Virtual WAN limits.",
+ "text": "#REVISIT[This is too vague, lets decompose into recs? -- Agree, could maybe consolidate with D10.02] Ensure that the network architecture is within the Azure Virtual WAN limits.",
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
@@ -1714,7 +1714,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available",
+ "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.",
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "9c75dfef-573c-461c-a698-68598595581a",
@@ -1747,7 +1747,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes",
+ "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.",
 "waf": "Security",
 "service": "Policy",
 "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
@@ -1769,7 +1769,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "Use Azure Policy to control which services users can provision at the subscription/management group level",
+ "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.",
 "waf": "Security",
 "service": "Policy",
 "guid": "43334f24-9116-4341-a2ba-527526944008",
@@ -1814,7 +1814,7 @@
 {
 "category": "Governance",
 "subcategory": "Governance",
- "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them",
+ "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.",
 "waf": "Security",
 "service": "Policy",
 "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
@@ -1929,7 +1929,7 @@
 {
 "category": "Management",
 "subcategory": "Monitoring",
- "text": "Use Network Watcher to proactively monitor traffic flows",
+ "text": "Use Network Watcher to proactively monitor traffic flows.",
 "waf": "Operations",
 "service": "Network Watcher",
 "guid": "90483845-c986-4cb2-a131-56a12476e49f",
@@ -1972,7 +1972,7 @@
 {
 "category": "Management",
 "subcategory": "Monitoring",
- "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned",
+ "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned.",
 "waf": "Operations",
 "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c",
 "id": "F01.12",
@@ -2024,7 +2024,7 @@
 {
 "category": "Management",
 "subcategory": "Monitoring",
- "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied",
+ "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied.",
 "waf": "Operations",
 "guid": "859c3900-4514-41eb-b010-475d695abd74",
 "id": "F01.18",
@@ -2045,7 +2045,7 @@
 {
 "category": "Management",
 "subcategory": "Monitoring",
- "text": "Deploy AMBA to establish monitoring for platform components of your landing zone - AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy",
+ "text": "Deploy AMBA to establish monitoring for platform components of your landing zone - AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy.",
 "waf": "Operations",
 "guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610",
 "id": "F01.19",
@@ -2056,7 +2056,7 @@
 {
 "category": "Management",
 "subcategory": "Data Protection",
- "text": "Enable cross-region replication in Azure for BCDR with paired regions",
+ "text": "Enable cross-region replication in Azure for BCDR with paired regions.",
 "waf": "Reliability",
 "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb",
 "id": "F02.01",
@@ -2066,7 +2066,7 @@
 {
 "category": "Management",
 "subcategory": "Data Protection",
- "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS",
+ "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.",
 "waf": "Reliability",
 "service": "Backup",
 "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
@@ -2207,7 +2207,7 @@
 {
 "category": "Security",
 "subcategory": "Encryption and keys",
- "text": "Use Azure Key Vault to store your secrets and credentials",
+ "text": "Use Azure Key Vault to store your secrets and credentials.",
 "waf": "Security",
 "service": "Key Vault",
 "guid": "5017f154-e3ab-4369-9829-e7e316183687",
@@ -2459,7 +2459,7 @@
 {
 "category": "Security",
 "subcategory": "Operations",
- "text": "Use an Azure Event Grid-based solution for log-oriented, real-time alerts",
+ "text": "Use an Azure Event Grid-based solution for log-oriented, real-time alerts.",
 "waf": "Security",
 "guid": "874a748b-662d-46d1-9051-2a66498f6dfe",
 "id": "G03.11",
@@ -2469,7 +2469,7 @@
 {
 "category": "Security",
 "subcategory": "Overview",
- "text": "Enable secure transfer to storage accounts",
+ "text": "Enable secure transfer to storage accounts.",
 "waf": "Security",
 "service": "Storage",
 "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
@@ -2501,7 +2501,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "[REMOVE/REVISE]Plan how new azure services will be implemented",
+ "text": "[REMOVE/REVISE]Plan how new azure services will be implemented.",
 "waf": "Security",
 "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215",
 "id": "G06.01",
@@ -2511,7 +2511,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "[REMOVE/REVISE]Plan how service request will be fulfilled for Azure services",
+ "text": "[REMOVE/REVISE]Plan how service request will be fulfilled for Azure services.",
 "waf": "Security",
 "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b",
 "id": "G06.02",
@@ -2582,7 +2582,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "Implement automation for new landing zone for applications and workloads through subscription vending",
+ "text": "Implement automation for new landing zone for applications and workloads through subscription vending.",
 "waf": "Operations",
 "guid": "a52e0c98-76b9-4a09-a1c9-6b2babf22ac4",
 "id": "H01.07",
From 38bd6ec9d169b9e29a74e538b95ea7142537fbc1 Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 21 Jun 2024 10:47:49 -0400
Subject: [PATCH 15/22] Added #REVISIT to items with discussions
---
 checklists/alz_checklist.en.json | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index fd8a43c1c..8a8ba34a6 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -321,7 +321,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "[Move to Application Landing Zone considerations?] Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
+ "text": "#REVISIT[Move to Application Landing Zone considerations?] Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
 "waf": "Security",
 "service": "Entra",
 "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
@@ -936,7 +936,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "[Clarity]When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.",
+ "text": "#REVISIT[Clarity]When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.",
 "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
 "waf": "Reliability",
 "service": "ExpressRoute",
@@ -1335,7 +1335,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "[Need to determine what this is really saying]Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
+ "text": "#REVISIT[Need to determine what this is really saying]Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
@@ -1368,7 +1368,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "[Circle back on this]Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it\u2019s a sign that SNAT exhaustion might be imminent.",
+ "text": "#REVISIT[Circle back on this]Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it\u2019s a sign that SNAT exhaustion might be imminent.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
@@ -1423,7 +1423,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines.",
+ "text": "#REVISIT[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines.",
 "waf": "Security",
 "service": "Firewall",
 "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
@@ -1563,7 +1563,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Segmentation",
- "text": "[Move to Application Landing Zone list?] Use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
+ "text": "#REVISIT[Move to Application Landing Zone list?] Use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
 "waf": "Security",
 "service": "NSG",
 "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
@@ -2154,7 +2154,7 @@
 {
 "category": "Management",
 "subcategory": "Fault Tolerance",
- "text": " [Remove for VM checklist]Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
+ "text": "#REVISIT[Remove for VM checklist]Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
 "waf": "Reliability",
 "service": "VM",
 "guid": "84101f59-1941-4195-a270-e28034290e3a",
@@ -2491,7 +2491,7 @@
 {
 "category": "Security",
 "subcategory": "Secure privileged access",
- "text": "[Remove? This is part of Identity, and the link isn't clear] Separate privileged admin accounts for Azure administrative tasks.",
+ "text": "#REVISIT[Remove? This is part of Identity, and the link isn't clear] Separate privileged admin accounts for Azure administrative tasks.",
 "waf": "Security",
 "guid": "6f704104-85c1-441f-96d3-c9819911645e",
 "id": "G05.01",
@@ -2501,7 +2501,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "[REMOVE/REVISE]Plan how new azure services will be implemented.",
+ "text": "#REVISIT[REMOVE/REVISE]Plan how new azure services will be implemented.",
 "waf": "Security",
 "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215",
 "id": "G06.01",
@@ -2511,7 +2511,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "[REMOVE/REVISE]Plan how service request will be fulfilled for Azure services.",
+ "text": "#REVISIT[REMOVE/REVISE]Plan how service request will be fulfilled for Azure services.",
 "waf": "Security",
 "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b",
 "id": "G06.02",
@@ -2521,7 +2521,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "[REMOVE/REVISE - I don't think we can expect customers to have dedicated teams]Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
+ "text": "#REVISIT[REMOVE/REVISE - I don't think we can expect customers to have dedicated teams]Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
 "waf": "Operations",
 "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a",
 "id": "H01.01",
@@ -2531,7 +2531,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "[REMOVE/REVISE]Aim to define functions for Azure Landing Zone Platform team.",
+ "text": "#REVISIT[REMOVE/REVISE]Aim to define functions for Azure Landing Zone Platform team.",
 "waf": "Operations",
 "guid": "634146bf-7085-4419-a7b5-f96d2726f6da",
 "id": "H01.02",
@@ -2541,7 +2541,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "[REMOVE/REVISE]Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
+ "text": "#REVISIT[REMOVE/REVISE]Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
 "waf": "Operations",
 "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5",
 "id": "H01.03",
From 310ac9bbadb50a82058f7729cfa1fdb3e558bba5 Mon Sep 17 00:00:00 2001
From: Brandon Stephenson
Date: Fri, 21 Jun 2024 10:59:18 -0400
Subject: [PATCH 16/22] Updates
---
 checklists/alz_checklist.en.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 8a8ba34a6..80a15f52f 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -924,7 +924,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "Determine if ExpressRoute should be used as the primary connection to Azure.",
+ "text": "#REVISITDetermine if ExpressRoute should be used as the primary connection to Azure.",
 "waf": "Performance",
 "service": "ExpressRoute",
 "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
@@ -936,7 +936,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "#REVISIT[Clarity]When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.",
+ "text": "#REVISITWhen you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.",
 "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
 "waf": "Reliability",
 "service": "ExpressRoute",
From 188f8406aafb2b360fe411241fe25a568c1679f1 Mon Sep 17 00:00:00 2001
From: brsteph <96074545+brsteph@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:07:10 -0400
Subject: [PATCH 17/22] Update alz_checklist.en.json
---
 checklists/alz_checklist.en.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index f735edd5f..ecbf447db 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -309,7 +309,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "#Revisit-Do not use on-premises synced accounts for Microsoft Entra ID role assignments.",
+ "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.",
 "waf": "Security",
 "service": "Entra",
 "guid": "35037e68-9349-4c15-b371-228514f4cdff",
@@ -321,7 +321,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "#REVISIT[Move to Application Landing Zone considerations?] Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
+ "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.",
 "waf": "Security",
 "service": "Entra",
 "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
From fac51dcf0c360f15bf61dae272294ae575ca3069 Mon Sep 17 00:00:00 2001
From: brsteph <96074545+brsteph@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:15:32 -0400
Subject: [PATCH 18/22] Update alz_checklist.en.json
Making adjustments from Review
---
 checklists/alz_checklist.en.json | 36 ++++++++++++++++----------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index ecbf447db..f5092dcee 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
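Review bot: The rewritten `text` in hunk `@@ -309` leaves the exception unbounded: `unless you have a scenario that specifically requires it` says nothing about how narrow, documented or reviewed such a scenario must be, and synced accounts holding Entra ID roles are precisely the route by which an on-premises identity compromise extends into the tenant. The item stays `"waf": "Security"`, so keep `text` as the rule and put the caveat where the file already carries rationale, for example `"description": "Synced accounts inherit the security posture of the on-premises directory, so a compromise there can reach Entra ID roles. Restrict any exception to documented, non-privileged cases and review it periodically."` (constructed wording). That keeps the checklist item enforceable while still acknowledging the edge case the author had in mind.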
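Review bot: The new Application Proxy text in hunk `@@ -321` is now a management recommendation (one instance per tenant, treat as a platform resource) while the item keeps `"waf": "Security"`; the security rationale of the old wording, `secure and authenticated access to internal applications`, is gone. Either re-tag the item to the pillar the text now argues for, or keep a security clause so the pillar still matches, e.g. `"text": "When using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications, manage it as a Platform resource as you can only have one instance per tenant."`. The one-instance-per-tenant claim is stated without a supporting `link` in this hunk, so a reference for it would also help.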
@@ -924,19 +924,19 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "#REVISITDetermine if ExpressRoute should be used as the primary connection to Azure.",
+ "text": "Use ExpressRoute as the primary connection to Azure. Use VPNs as a source of backup connectivity.",
 "waf": "Performance",
 "service": "ExpressRoute",
 "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
 "id": "D06.01",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction#expressroute-cheat-sheet"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure"
 },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "#REVISITWhen you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.",
+ "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.",
 "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
 "waf": "Reliability",
 "service": "ExpressRoute",
@@ -1222,7 +1222,7 @@
 "id": "D07.02",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "link": "[Revisit]https://learn.microsoft.com/azure/firewall-manager/policy-overview"
+ "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview"
 },
 {
 "category": "Network Topology and Connectivity",
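Review bot: The new D06.01 `text` in hunk `@@ -924` combines two recommendations with different pillars: `Use ExpressRoute as the primary connection to Azure.` fits the existing `"waf": "Performance"`, but `Use VPNs as a source of backup connectivity.` is a Reliability statement and is the sentence most readers will act on. Either split the backup-path advice into its own item tagged `Reliability`, or move it into a `description` on this item so the pillar and the headline text agree. The `training` URL still points at the ExpressRoute design module, which no longer covers the VPN backup half.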
@@ -1335,7 +1335,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "#REVISIT[Need to determine what this is really saying]Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
+ "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
@@ -1368,13 +1368,13 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "#REVISIT[Circle back on this]Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it\u2019s a sign that SNAT exhaustion might be imminent.",
+ "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it\u2019s a sign that SNAT exhaustion might be imminent.",
 "waf": "Performance",
 "service": "Firewall",
 "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
 "id": "D07.14",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall"
+ "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway"
 },
 {
 "category": "Network Topology and Connectivity",
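Review bot: Hunk `@@ -1335` drops the reviewer's question from `text` without answering it: the sentence still reads `... into Rule Collection Groups and Rule Collections and based on their frequency of use.`, where the second `and` is a leftover and the reader is not told what the frequency ordering is for. Suggest `"text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections, ordering them by their frequency of use."`, and, if the intent is that frequently matched rules are evaluated first (presumably the reason the item sits under `Performance`), state that in a `description`. The SNAT item in `@@ -1368` reads fine; only the link changed there.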
@@ -1423,7 +1423,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
- "text": "#REVISIT[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines.",
+ "text": "#REVISIT[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.",
 "waf": "Security",
 "service": "Firewall",
 "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
@@ -1563,7 +1563,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Segmentation",
- "text": "#REVISIT[Move to Application Landing Zone list?] Use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
+ "text": "#REVISITUse application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
 "waf": "Security",
 "service": "NSG",
 "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
@@ -1635,7 +1635,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "#REVISIT[This is too vague, discussion might be needed]Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
+ "text": "#REVISITFollow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
 "waf": "Performance",
 "service": "VWAN",
 "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
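Review bot: The sentence added in hunk `@@ -1423`, `Use exclusions if public IPs are needed on specific VMs.`, does not say which mechanism is meant, and the two available ones differ in blast radius: an excluded scope on the assignment stops evaluation for everything beneath that scope, whereas an Azure Policy exemption can be scoped to a single resource and carry a justification and an expiry. For a `High`-severity `Security` item the text should steer toward the narrow form, e.g. `Use narrowly scoped, documented policy exemptions if public IPs are needed on specific VMs.`; the same wording is carried unchanged into the relocated item in the following patch, so fixing it here fixes both. The `\u00a0` inside `Public IP addresses\u00a0directly` is a non-breaking space that survived from the original and should be a plain space.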
@@ -1659,13 +1659,13 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
- "text": "#REVISIT[This is too vague, lets decompose into recs? -- Agree, could maybe consolidate with D10.02] Ensure that the network architecture is within the Azure Virtual WAN limits.",
+ "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.",
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
 "id": "D10.05",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -2491,7 +2491,7 @@
 {
 "category": "Security",
 "subcategory": "Secure privileged access",
- "text": "#REVISIT[Remove? This is part of Identity, and the link isn't clear] Separate privileged admin accounts for Azure administrative tasks.",
+ "text": "Separate privileged admin accounts for Azure administrative tasks.",
 "waf": "Security",
 "guid": "6f704104-85c1-441f-96d3-c9819911645e",
 "id": "G05.01",
@@ -2501,7 +2501,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "#REVISIT[REMOVE/REVISE]Plan how new azure services will be implemented.",
+ "text": "Plan how new azure services will be implemented.",
 "waf": "Security",
 "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215",
 "id": "G06.01",
@@ -2511,7 +2511,7 @@
 {
 "category": "Security",
 "subcategory": "Service enablement framework",
- "text": "#REVISIT[REMOVE/REVISE]Plan how service request will be fulfilled for Azure services.",
+ "text": "Plan how service request will be fulfilled for Azure services.",
 "waf": "Security",
 "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b",
 "id": "G06.02",
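Review bot: Capitalisation and number in the new `text` values on this line are inconsistent with the rest of the file: hunk `@@ -1659` writes `virtual WAN` while the `subcategory` next to it is `Virtual WAN`, `@@ -2501` keeps `new azure services` where every other item spells `Azure`, and `@@ -2511` says `service request will be fulfilled`, which wants the plural. Suggest `"text": "Ensure that your Virtual WAN network architecture aligns to an identified architecture scenario."`, `"text": "Plan how new Azure services will be implemented."` and `"text": "Plan how service requests will be fulfilled for Azure services."`. The `[REMOVE/REVISE]` question on the last two was resolved by keeping them, so a `description` saying what "plan" concretely means (owner, intake process, review gate) would make them assessable rather than aspirational.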
@@ -2521,7 +2521,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "#REVISIT[REMOVE/REVISE - I don't think we can expect customers to have dedicated teams]Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
+ "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
 "waf": "Operations",
 "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a",
 "id": "H01.01",
@@ -2531,7 +2531,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "#REVISIT[REMOVE/REVISE]Aim to define functions for Azure Landing Zone Platform team.",
+ "text": "Aim to define functions for Azure Landing Zone Platform team.",
 "waf": "Operations",
 "guid": "634146bf-7085-4419-a7b5-f96d2726f6da",
 "id": "H01.02",
@@ -2541,7 +2541,7 @@
 {
 "category": "Platform Automation and DevOps",
 "subcategory": "DevOps Team Topologies",
- "text": "#REVISIT[REMOVE/REVISE]Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
+ "text": "Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
 "waf": "Operations",
 "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5",
 "id": "H01.03",
From bc3eaa7b893ee85529f855ffbdbb0151da490d80 Mon Sep 17 00:00:00 2001
From: brsteph <96074545+brsteph@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:18:13 -0400
Subject: [PATCH 19/22] Update alz_checklist.en.json
Adjusted priority for Public IP policy
---
 checklists/alz_checklist.en.json | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index f5092dcee..5cfb1905c 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -921,6 +921,17 @@
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures"
 },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Internet",
+ "text": "Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.",
+ "waf": "Security",
+ "service": "Policy",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "id": "D05.08",
+ "severity": "High",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp"
+ },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
@@ -1420,17 +1431,6 @@
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/firewall/dns-details"
 },
- {
- "category": "Network Topology and Connectivity",
- "subcategory": "Firewall",
- "text": "#REVISIT[This might be miscategorized as firewall]Ensure there is a policy assignment to deny Public IP addresses\u00a0directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.",
- "waf": "Security",
- "service": "Firewall",
- "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
- "id": "D07.19",
- "severity": "High",
- "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp"
- },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Firewall",
@@ -1438,7 +1438,7 @@
 "waf": "Operations",
 "service": "Firewall",
 "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
- "id": "D07.20",
+ "id": "D07.19",
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics"
 },
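Review bot: The new D05.08 entry is inserted between the DDoS item and the first Hybrid item, but neither neighbour's `id` is inside the hunk, so it cannot be checked here that D05.08 is unused and contiguous with the other Internet items; please confirm before merging. Reusing guid `3c5a808d-c695-4c14-a63c-c7ab7a510e41` from the D07.19 entry removed further down is the right way to move an item if, as it appears, the guid is the stable key, but the old id D07.19 is immediately handed to the Firewall diagnostics item, so an `id`-based reference to the Public IP policy now silently lands on a different recommendation. The new entry also carries no `training` link while the DDoS item directly above it does; optional, but worth adding if a suitable module exists.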
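Review bot: Renumbering D07.20–D07.22 down by one (the last hunk on this line and the two that follow) changes the ids of items whose guid stays the same, so anything that references a checklist item by `id` — other language variants of this file if the `.en` suffix implies they exist, saved review spreadsheets, or external docs — will now point at a different recommendation. If `id` is meant to be a stable identifier, leaving a gap at D07.19 is safer than shifting; if it is only a display ordinal the shift is fine, but it should then also cover any D07.2x items past D07.22, which the hunks do not show. The same applies to the D09.xx and D10.xx renumbering in PATCH 20/22.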
@@ -1449,7 +1449,7 @@
 "waf": "Operations",
 "service": "Firewall",
 "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
- "id": "D07.21",
+ "id": "D07.20",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall"
 },
@@ -1460,7 +1460,7 @@
 "waf": "Security",
 "service": "App Gateway",
 "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
- "id": "D07.22",
+ "id": "D07.21",
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
From 56a9c8f1ddb9df60b443641cd423a1c1ae508626 Mon Sep 17 00:00:00 2001
From: brsteph <96074545+brsteph@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:24:41 -0400
Subject: [PATCH 20/22] Update alz_checklist.en.json
Reorganizing from meeting
---
 checklists/alz_checklist.en.json | 87 ++++++++------------------------
 1 file changed, 21 insertions(+), 66 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 5cfb1905c..6245000ff 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -1210,6 +1210,17 @@
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance"
+ },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "text": "Do not send Azure traffic to hybrid locations for inspection. Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
+ "waf": "Performance",
+ "service": "N/A",
+ "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
+ "id": "D06.25",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1560,18 +1571,6 @@
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation"
 },
- {
- "category": "Network Topology and Connectivity",
- "subcategory": "Segmentation",
- "text": "#REVISITUse application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
- "waf": "Security",
- "service": "NSG",
- "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
- "id": "D09.05",
- "severity": "Medium",
- "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/"
- },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Segmentation",
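Review bot: The new D06.25 entry uses `"service": "N/A"` as a sentinel, whereas elsewhere in this series items not tied to a service simply omit the key (G05.01, G06.01 and C02.11 carry no `service` at all); a string sentinel forces consumers to special-case `"N/A"` alongside absence, so drop the key instead. The `link` kept from the removed Virtual WAN entry (`virtual-wan-about`) also no longer matches the text now that the item sits under Hybrid and is about not routing Azure-to-Azure traffic through on-premises inspection; a page on the 'traffic in Azure stays in Azure' principle or on hybrid connectivity design would fit better, though the exact page is a content call. As with D05.08 earlier in the series, the neighbouring ids are not visible here, so D06.25 should be checked for collisions.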
@@ -1579,7 +1578,7 @@
 "waf": "Security",
 "service": "NSG",
 "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
- "id": "D09.06",
+ "id": "D09.05",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
@@ -1591,7 +1590,7 @@
 "waf": "Security",
 "service": "NSG",
 "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
- "id": "D09.07",
+ "id": "D09.06",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
 "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview"
@@ -1603,7 +1602,7 @@
 "waf": "Reliability",
 "service": "NSG",
 "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
- "id": "D09.08",
+ "id": "D09.07",
 "severity": "Medium",
 "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
 "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
@@ -1632,17 +1631,6 @@
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst"
 },
- {
- "category": "Network Topology and Connectivity",
- "subcategory": "Virtual WAN",
- "text": "#REVISITFollow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
- "waf": "Performance",
- "service": "VWAN",
- "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "id": "D10.03",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about"
- },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Virtual WAN",
@@ -1650,7 +1638,7 @@
 "waf": "Security",
 "service": "VWAN",
 "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
- "id": "D10.04",
+ "id": "D10.03",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
@@ -1663,7 +1651,7 @@
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
- "id": "D10.05",
+ "id": "D10.04",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology"
 },
@@ -1674,7 +1662,7 @@
 "waf": "Operations",
 "service": "VWAN",
 "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
- "id": "D10.06",
+ "id": "D10.05",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights"
 },
@@ -1685,7 +1673,7 @@
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
- "id": "D10.07",
+ "id": "D10.06",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan"
 },
@@ -1696,7 +1684,7 @@
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
- "id": "D10.08",
+ "id": "D10.07",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference"
 },
@@ -1707,7 +1695,7 @@
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "id": "D10.09",
+ "id": "D10.08",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels"
 },
@@ -1718,7 +1706,7 @@
 "waf": "Reliability",
 "service": "VWAN",
 "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "id": "D10.10",
+ "id": "D10.09",
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation"
 },
@@ -2129,39 +2117,6 @@
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/backup/backup-center-overview"
 },
- {
- "category": "Management",
- "subcategory": "Fault Tolerance",
- "text": "[Remove for VM checklist] Deploy your VMs into multiple Availability Zones in regions where they are supported.",
- "waf": "Reliability",
- "service": "VM",
- "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
- "id": "F05.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview"
- },
- {
- "category": "Management",
- "subcategory": "Fault Tolerance",
- "text": "[Remove for VM checklist] Do not run a production workload on a single VM.",
- "waf": "Reliability",
- "service": "VM",
- "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
- "id": "F05.02",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability"
- },
- {
- "category": "Management",
- "subcategory": "Fault Tolerance",
- "text": "#REVISIT[Remove for VM checklist]Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
- "waf": "Reliability",
- "service": "VM",
- "guid": "84101f59-1941-4195-a270-e28034290e3a",
- "id": "F05.03",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview"
- },
 {
 "category": "Management",
 "subcategory": "App delivery",
From 49a8cb024a6eaee5eab142efae78e02c26006fe6 Mon Sep 17 00:00:00 2001
From: brsteph <96074545+brsteph@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:25:47 -0400
Subject: [PATCH 21/22] Update alz_checklist.en.json
Merge conflict resolution
---
 checklists/alz_checklist.en.json | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 6245000ff..f0682c4a7 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -483,13 +483,14 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels.",
+ "text": "Establish dashboards and/or visualizations to monitor compute and storage capacity metrics. (i.e. CPU, memory, disk space)",
 "waf": "Security",
 "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25",
 "id": "C02.11",
- "severity": "High",
- "training": "https://learn.microsoft.com/learn/paths/monitor-usage-performance-availability-resources-azure-monitor/",
- "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity"
+ "ammp": true,
+ "severity": "Medium",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/visualize-data-workbooks/",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-dashboards"
 },
 {
 "category": "Resource Organization",
From 878d24a12137cf12f9870c3f188a9689d95f74e0 Mon Sep 17 00:00:00 2001
From: brsteph <96074545+brsteph@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:28:46 -0400
Subject: [PATCH 22/22] Update alz_checklist.en.json
Removing inline notes
---
 checklists/alz_checklist.en.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index f0682c4a7..3283aee04 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
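Review bot: The `"ammp": true` line added to C02.11 is the only `ammp` key anywhere in this series, and the commit message describes a merge-conflict resolution, so it looks like a line resurrected from the other side of the conflict rather than a deliberate re-tagging; please confirm it is intended, since a stray flag on a single item is easy to miss in a file this size. The two new URLs also pin a locale (`/en-gb/training/...`, `/en-us/azure/...`) while every other link in the file uses locale-less `learn.microsoft.com/azure/...` and `learn.microsoft.com/learn/...` paths; dropping the locale segment keeps the file consistent and lets the site serve the reader's own language. Minor wording: `(i.e. CPU, memory, disk space)` lists examples, so `e.g.` is the right abbreviation.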
@@ -52,7 +52,7 @@
 "waf": "Cost",
 "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01",
 "id": "A02.02",
- "severity": "Low [?]",
+ "severity": "Low",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-cloud-solution-provider#design-recommendations"
 },
 {
@@ -1976,7 +1976,7 @@
 "guid": "e3ab3693-829e-47e3-8618-3687a0477a20",
 "id": "F01.13",
 "severity": "Medium",
- "link": "[Need a better link since this recommendation isn't for Sentinel specifically]https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
+ "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
 },
 {
 "category": "Management",
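Review bot: Stripping the bracketed note from F01.13's `link` in the second hunk keeps the Sentinel onboarding URL that the note itself said is not specific to this recommendation, so the open question is dropped rather than resolved; the item's `text` is outside the hunk, so which page would fit cannot be judged here. If a better link is not yet agreed, track it in an issue or a TODO outside the data file rather than letting the inline comment disappear silently.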