diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index fb6bdf419..33ebf4328 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -615,7 +615,8 @@
 "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
 "id": "D01.02",
 "severity": "High",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -649,7 +650,8 @@
 "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
 "id": "D01.04",
 "severity": "Low",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn"
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -661,7 +663,8 @@
 "id": "D01.05",
 "severity": "Low",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1"
+ "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -697,7 +700,8 @@
 "id": "D01.08",
 "severity": "Medium",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits"
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -709,7 +713,8 @@
 "id": "D01.09",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits"
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -721,7 +726,8 @@
 "id": "D01.10",
 "severity": "High",
 "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering"
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -732,7 +738,8 @@
 "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
 "id": "D02.01",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec"
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -829,7 +836,8 @@
 "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
 "id": "D03.07",
 "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -852,7 +860,8 @@
 "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
 "id": "D05.01",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-overview"
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -864,7 +873,8 @@
 "id": "D05.02",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet"
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "training":"https://learn.microsoft.com/training/modules/intro-to-azure-bastion/"
 },
 {
 "category": "Network Topology and Connectivity",
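Review bot: The `training` entry added for D05.02 in the last hunk here, and the one for D05.07 in the hunk that follows, are written `"training":"https://…` with no space after the colon, while every other key in the file and every other added `training` line uses `"key": "value"`. It parses identically, but the next run of a JSON formatter over the file will touch these two lines and produce an unrelated diff; write `"training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/"`. In the same vein, D03.07 in the first hunk here ends `…/courses/az-700t00` without the trailing slash that the same course URL carries at D07.18 and D07.19, so one form should be picked for all three.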
@@ -923,7 +933,8 @@
 "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
 "id": "D05.07",
 "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access"
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "training":"https://learn.microsoft.com/training/modules/configure-virtual-networks/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -946,7 +957,8 @@
 "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
 "id": "D05.08",
 "severity": "High",
- "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp"
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -996,7 +1008,8 @@
 "id": "D06.04",
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
- "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost"
+ "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1008,7 +1021,8 @@
 "id": "D06.05",
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local"
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1142,7 +1156,8 @@
 "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
 "id": "D06.16",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager"
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1165,7 +1180,8 @@
 "guid": "d581a947-69a2-4783-942e-9df3664324c8",
 "id": "D06.18",
 "severity": "High",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections"
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1284,7 +1300,8 @@
 "id": "D07.04",
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
- "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules"
+ "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1296,7 +1313,8 @@
 "id": "D07.05",
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features"
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1320,7 +1338,8 @@
 "id": "D07.07",
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps"
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/"
 },
 {
 "category": "Network Topology and Connectivity",
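Review bot: The `training` URL added for D07.04 in the first hunk here is `https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/`, the only added link under `/learn/` rather than `/training/`. That prefix looks like the older Microsoft Learn URL scheme, so the link presumably resolves only for as long as a redirect is kept in place. If the path is still published, use the `/training/paths/…` form after confirming it resolves. This is a High-severity firewall DNS-proxy item, so a dead training link here would be more visible than most.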
@@ -1368,7 +1387,8 @@
 "id": "D07.11",
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size"
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1379,7 +1399,8 @@
 "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
 "id": "D07.12",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy"
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1401,7 +1422,8 @@
 "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
 "id": "D07.13",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat"
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1412,7 +1434,8 @@
 "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
 "id": "D07.14",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway"
+ "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1445,7 +1468,8 @@
 "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
 "id": "D07.17",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall"
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1456,7 +1480,8 @@
 "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
 "id": "D07.18",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/firewall/dns-details"
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1467,7 +1492,8 @@
 "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
 "id": "D07.19",
 "severity": "High",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics"
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1478,7 +1504,8 @@
 "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
 "id": "D07.20",
 "severity": "Low",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall"
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1645,7 +1672,8 @@
 "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
 "id": "D10.02",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst"
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1669,7 +1697,8 @@
 "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
 "id": "D10.04",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1680,7 +1709,8 @@
 "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
 "id": "D10.05",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/"
 },
 {
 "category": "Network Topology and Connectivity",
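Review bot: The `link` line for D10.02, rewritten by the second hunk here only to gain its trailing comma, still ends in the fragment `#virtual-wan-network-design-recommendationst`. The final `t` looks like a typo, in which case the browser lands at the top of the page instead of the design-recommendations section. Since the line is already being changed, the fragment could be corrected to `#virtual-wan-network-design-recommendations`, presumably the intended anchor; confirm it against the published page first.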
@@ -1691,7 +1721,8 @@
 "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
 "id": "D10.06",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1702,7 +1733,8 @@
 "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
 "id": "D10.07",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1713,7 +1745,8 @@
 "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
 "id": "D10.08",
 "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/"
 },
 {
 "category": "Network Topology and Connectivity",
@@ -1724,7 +1757,8 @@
 "guid": "9c75dfef-573c-461c-a698-68598595581a",
 "id": "D10.09",
 "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation"
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/"
 },
 {
 "category": "Governance",