From 35354c9c60e3c3367d78c0d17f08c19642e9d380 Mon Sep 17 00:00:00 2001
From: erjosito <9462396+erjosito@users.noreply.github.com>
Date: Sun, 10 Nov 2024 23:06:17 +0000
Subject: [PATCH] [create-pull-request] automated change
---
 .../appservicewebapps_sg_checklist.en.json | 22 +-
 ...ureapplicationgateway_sg_checklist.en.json | 22 +-
 .../azureblobstorage_sg_checklist.en.json | 22 +-
 .../azureexpressroute_sg_checklist.en.json | 284 +++++++----
 .../azurefiles_sg_checklist.en.json | 22 +-
 .../azurefirewall_sg_checklist.en.json | 22 +-
 .../azurefrontdoor_sg_checklist.en.json | 22 +-
 ...zurekubernetesservice_sg_checklist.en.json | 32 +-
 .../azuremachinelearning_sg_checklist.en.json | 22 +-
 .../azureopenai_sg_checklist.en.json | 22 +-
 .../virtualmachines_sg_checklist.en.json | 22 +-
 checklists-ext/wafsg_checklist.en.json | 474 ++++++++++++------
 12 files changed, 638 insertions(+), 350 deletions(-)
diff --git a/checklists-ext/appservicewebapps_sg_checklist.en.json b/checklists-ext/appservicewebapps_sg_checklist.en.json
index 8e5c28a6..a219a493 100644
--- a/checklists-ext/appservicewebapps_sg_checklist.en.json
+++ b/checklists-ext/appservicewebapps_sg_checklist.en.json
@@ -189,10 +189,7 @@
 "categories": [],
 "waf": [
 {
- "name": "reliability"
- },
- {
- "name": "Cost"
+ "name": "cost"
 },
 {
 "name": "Operations"
@@ -201,22 +198,25 @@
 "name": "security"
 },
 {
- "name": "Performance"
+ "name": "reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
- "name": "performance"
+ "name": "Reliability"
 },
 {
- "name": "cost"
+ "name": "Performance"
+ },
+ {
+ "name": "Security"
 }
 ],
 "yesno": [
@@ -253,6 +253,6 @@
 "name": "App Service Web Apps Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 20, 2024"
+ "timestamp": "November 10, 2024"
 }
 }
\ No newline at end of file
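Review bot: The regenerated `waf` list in the `@@ -201,22 +198,25 @@` hunk (the array opens in the `@@ -189,10 +189,7 @@` hunk above it) still lists every pillar twice, once per casing — `"cost"` and `"Cost"`, `"security"` and `"Security"`, and so on — so the commit only reshuffles ten entries where five distinct pillars appear to be intended. A consumer that filters or groups checklist items by an exact match on these names can silently split or drop a pillar, which for the Security pillar would mean recommendations that are never shown or tracked; the order changing between runs also suggests the generator iterates an unordered, case-sensitive set. I would have the generator normalise case before de-duplicating and emit a fixed order, e.g. `{ "name": "Reliability" }, { "name": "Security" }, { "name": "Cost" }, { "name": "Operations" }, { "name": "Performance" }`. The same applies to the matching `waf` hunks in azureapplicationgateway_sg_checklist.en.json and azureblobstorage_sg_checklist.en.json.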
diff --git a/checklists-ext/azureapplicationgateway_sg_checklist.en.json b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
index f497f846..1a2b01a1 100644
--- a/checklists-ext/azureapplicationgateway_sg_checklist.en.json
+++ b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
@@ -149,10 +149,7 @@
 "categories": [],
 "waf": [
 {
- "name": "reliability"
- },
- {
- "name": "Cost"
+ "name": "cost"
 },
 {
 "name": "Operations"
@@ -161,22 +158,25 @@
 "name": "security"
 },
 {
- "name": "Performance"
+ "name": "reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
- "name": "performance"
+ "name": "Reliability"
 },
 {
- "name": "cost"
+ "name": "Performance"
+ },
+ {
+ "name": "Security"
 }
 ],
 "yesno": [
@@ -213,6 +213,6 @@
 "name": "Azure Application Gateway Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 20, 2024"
+ "timestamp": "November 10, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureblobstorage_sg_checklist.en.json b/checklists-ext/azureblobstorage_sg_checklist.en.json
index 6ad0b389..67463d8c 100644
--- a/checklists-ext/azureblobstorage_sg_checklist.en.json
+++ b/checklists-ext/azureblobstorage_sg_checklist.en.json
@@ -213,10 +213,7 @@
 "categories": [],
 "waf": [
 {
- "name": "reliability"
- },
- {
- "name": "Cost"
+ "name": "cost"
 },
 {
 "name": "Operations"
@@ -225,22 +222,25 @@
 "name": "security"
 },
 {
- "name": "Performance"
+ "name": "reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
- "name": "performance"
+ "name": "Reliability"
 },
 {
- "name": "cost"
+ "name": "Performance"
+ },
+ {
+ "name": "Security"
 }
 ],
 "yesno": [
@@ -277,6 +277,6 @@
 "name": "Azure Blob Storage Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 20, 2024"
+ "timestamp": "November 10, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureexpressroute_sg_checklist.en.json b/checklists-ext/azureexpressroute_sg_checklist.en.json
index c87889e4..3b970e19 100644
--- a/checklists-ext/azureexpressroute_sg_checklist.en.json
+++ b/checklists-ext/azureexpressroute_sg_checklist.en.json
@@ -4,211 +4,320 @@ { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Plan for ExpressRoute circuit or ExpressRoute Direct", - "description": "During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection. An ExpressRoute circuit allows a private dedicated connection into Azure with the help of a connectivity provider. ExpressRoute Direct allows you to extend the on-premises network directly into the Microsoft network at a peering location. You also need to identify the bandwidth requirement and the SKU type requirement for your business needs.", + "text": "Anticipate and mitigate potential failures when you design and architect Azure ExpressRoute.", + "description": "Anticipating failures leads to the design of a more robust and resilient network architecture that can withstand various failure scenarios.", "type": "recommendation", - "guid": "e89fb4a5-9cdd-4fd5-bb8b-388dee7bc217" + "guid": "258c7323-ba82-4aef-822b-3b0866d8db65" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Plan for geo-redundant circuits", - "description": "To plan for disaster recovery, set up ExpressRoute circuits in more than one peering locations. You can create circuits in peering locations in the same metro or different metro and choose to work with different service providers for diverse paths through each circuit. For more information, see Designing for disaster recovery and Designing for high availability.", + "text": "Plan for site resiliency. For Maximum or High resiliency, plan to have multiple paths between the on-premises edge and the peering locations (provider/Microsoft edge locations). For Maximum Resiliency, configure multiple circuits to different peering locations. 
For High Resiliency, configure a circuit between multiple peering locations within the same metropolitan area (also referred to as ExpressRoute Metro) from the on-premises network.", + "description": "By having multiple paths between the on-premises edge and the peering locations, the network can continue to operate even if one path fails. This redundancy is crucial for maintaining continuous connectivity and minimizing downtime.", "type": "recommendation", - "guid": "14b83764-dab1-4741-85ee-7b3cf55cde49" + "guid": "e8d51cec-0150-4e80-9326-4d67c73f6853" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Plan for Active-Active connectivity", - "description": "This mode provides higher availability of your Expressroute connections. It's also recommended to configure BFD for faster failover if there's a link failure on a connection.", + "text": "Plan for multiple region and availability zones.", + "description": "Availability zones are physically separate locations within a region, providing fault isolation. This means that failures in one zone don't affect the others, enhancing overall system reliability.", "type": "recommendation", - "guid": "f28fea39-a9e2-45ef-a711-997456c3d42c" + "guid": "855fe034-337b-4bac-846c-1648796fa973" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Planning for Virtual Network Gateways", - "description": "Create availability zone aware Virtual Network Gateway for higher resiliency and plan for Virtual Network Gateways in different regions for resiliency, disaster recovery, and high availability.", + "text": "Plan for ExpressRoute circuit or ExpressRoute Direct. During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection. 
You also need to identify the bandwidth requirement and the SKU type requirement for your business needs.", + "description": "An ExpressRoute circuit allows a private dedicated connection into Azure with the help of a connectivity provider. ExpressRoute Direct allows you to extend on-premises network directly into the Microsoft network at a peering location.", "type": "recommendation", - "guid": "8e29e63c-2da5-4242-8a86-c7083b231b0f" + "guid": "305a5ee6-d91b-4f47-bf27-78e5de9b6f53" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Monitor circuits and gateway health", - "description": "Set up monitoring and alerts for ExpressRoute circuits and Virtual Network Gateway health based on various metrics available.", + "text": "Choose the right circuit SKU for redundancy by using geographic expansion. The Local, Standard, and Premium SKUs offer different levels of connectivity, access, and performance capabilities. Premium SKU provides the highest level of redundancy with global connectivity to any Azure region worldwide.", + "description": "Choosing the right circuit SKU ensures that you have the appropriate level of redundancy and connectivity for your workloads.", "type": "recommendation", - "guid": "0367cde8-2954-4b20-8be0-fb2b7e50eb91" + "guid": "f2470372-39f4-4cd6-883b-f4d358c9f458" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Enable service health", - "description": "ExpressRoute uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your ExpressRoute circuits.", + "text": "Plan for Active-Active connectivity. To improve high availability, redundancy, and resiliency, we recommend operating both connections of an ExpressRoute circuit in active-active mode. 
Additionally, configure Bi-Directional Forwarding Detection (BFD) over both private and Microsoft Peering for faster failover during a link failure.", + "description": "Active-active mode mode provides higher availability of your ExpressRoute connections. BFD provides rapid detection of link failures, enabling quicker failover to backup paths. This minimizes downtime and ensures continuous connectivity.", "type": "recommendation", - "guid": "c7bf09c0-317f-4f7f-be8d-3d74444757c8" + "guid": "8ac61d99-fd1a-48e6-9f98-16085f7c7801" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Plan for geo-redundant circuits.", + "description": "There are scenarios where an ExpressRoute peering location or an entire regional service might experience degradation. Geo-redundancy enhances disaster recovery and high availability by ensuring that there are multiple, geographically diverse paths between on-premises networks and Azure. This reduces the risk of a single point of failure causing a network outage, thereby increasing the reliability and availability of the connection.", + "type": "recommendation", + "guid": "be6e3838-8e4f-4d68-88f0-56c73ec15a0f" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "With ExpressRoute Global Reach you can link ExpressRoute circuits together to make a private network between your on-premises networks. Configure ExpressRoute Global Reach on your ExpressRoute circuit Premium SKU.", + "description": "ExpressRoute Global Reach provides an additional layer of redundancy by linking your on-premises networks across different geographical locations directly through the Azure backbone network. 
This ensures that your network remains connected and operational even if one Azure region becomes unavailable.", + "type": "recommendation", + "guid": "6211a069-a50c-46cc-a223-24593b9be03c" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Choose different ExpressRoute service providers for each circuit.", + "description": "Diversity in service providers minimizes the risk of network downtime due to a single provider's outage. By choosing different service providers for each circuit, you can ensure that your network remains operational even if one provider experiences an outage. This redundancy is essential for maintaining continuous connectivity and minimizing downtime.", + "type": "recommendation", + "guid": "1f9cdca6-66de-4a38-9749-875c6e71517e" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Configure Site-to-Site VPN over Microsoft peering as a backup to ExpressRoute private peering. Site-to-site VPN provides an additional layer of redundancy and ensures that your network remains operational even if the ExpressRoute connection experiences an outage.", + "description": "By configuring a site-to-site VPN as a backup to ExpressRoute private peering, you can maintain continuous connectivity and minimize downtime.", + "type": "recommendation", + "guid": "75a39e22-e1f9-43be-aa4a-19597fba91fa" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Planning for zone-redundant Virtual Network Gateways. Select the right ExpressRoute Virtual Network Gateway SKU to reflect the correct performance and throughput for your business. Consider deploying a scalable virtual network gateway that allows you to achieve 40-Gbps connectivity and will auto-scale based on your required throughput. 
Deploy ExpressRoute virtual network gateways that are zone-redundant for maximum resiliency and redundancy across Availability Zones.", + "description": "Choosing the appropriate SKU ensures that the gateway can handle the required performance and throughput for your business needs. A scalable virtual network gateway autoscales based on required throughput, allowing the network to adapt to changing demands. This flexibility helps maintain performance during peak usage times and prevents overloading. Additionally, deploying zone-redundant virtual network gateways ensures that the network remains operational even if one availability zone experiences an outage, enhancing overall reliability and resiliency.", + "type": "recommendation", + "guid": "fb274d46-92fa-4d1d-91c8-cf37b2bad49c" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Conduct reliability testing with the Azure Connectivity Toolkit to ensure that the network design is resilient and can withstand failures.", + "description": "Reliability testing helps identify potential issues and weaknesses in the network design, allowing you to address them proactively. By conducting reliability testing, you can ensure that the network is robust and resilient, minimizing downtime and ensuring continuous connectivity.", + "type": "recommendation", + "guid": "a81b9b20-ec9e-4bb8-99e1-6a7e4d0af91d" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Configure monitoring and alerts for ExpressRoute circuits, peering, ports, and Virtual Network Gateway resource health based on various available metrics. This helps in proactively managing and maintaining the health of your network. 
Use Network Insights for ExpressRoute to visualize topological maps and health dashboards, providing a clear view of your configurations and their status.", + "description": "By setting up monitoring and alerts based on various metrics, you can proactively detect and address issues such as increased latency, traffic drops, or circuit downtimes before they impact your services.", + "type": "recommendation", + "guid": "0fd855e2-be6d-4de1-aac9-5bf18c9d958b" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Configure service health to notify you about planned and unplanned maintenance. Configuring service health notifies you about changes made to your ExpressRoute circuits.", + "description": "With Service Health, you can view planned and past maintenance in the Azure portal along with configuring alerts and notifications that best suits your needs.", + "type": "recommendation", + "guid": "e3d21ad5-8838-4677-9a86-653d03ebf37a" + }, + { + "waf": "Security", + "service": "Azure Expressroute", + "text": "Leverage Azure Security Baseline for ExpressRoute. This security baseline applies guidance from the Microsoft Cloud Security Benchmark version 1.0 to ExpressRoute.", + "description": "The content is organized by the security controls defined in the benchmark and includes related guidance specific to ExpressRoute.", + "type": "recommendation", + "guid": "a7a82205-ca2c-4d1e-8518-df2eb4d3153b" }, { "waf": "Security", "service": "Azure Expressroute", - "text": "Configure Activity log to send logs to archive", - "description": "Activity logs provide insights into operations that were performed at the subscription level for ExpressRoute resources. With Activity logs, you can determine who and when an operation was performed at the control plane. 
Data retention is only 90 days and required to be stored in Log Analytics, Event Hubs or a storage account for archive.", + "text": "Implement Azure Role-Based Access Control (RBAC) to control who can manage ExpressRoute resources such as ExpressRoute circuits and gateways.", + "description": "By providing granular access management to resources, you can maintain an inventory of administrative accounts with access to ExpressRoute resources and ensure that only authorized users can perform specific actions.", "type": "recommendation", - "guid": "b1f76928-0fc3-407e-8658-f93f2812873f" + "guid": "a8dbacb0-ab66-422c-beb3-1668dd85e32a" }, { "waf": "Security", "service": "Azure Expressroute", - "text": "Maintain inventory of administrative accounts", - "description": "Use Azure RBAC to configure roles to limit user accounts that can add, update, or delete peering configuration on an ExpressRoute circuit.", + "text": "Configure MACsec for ExpressRoute Direct ports.", + "description": "MACsec (Media Access Control security) enhances security by encrypting data, ensuring data integrity, protecting vulnerable protocols. 
It secures protocols that are typically not protected on Ethernet links, such as ARP, DHCP, and LACP, thereby preventing potential security threats targeting these protocols.", "type": "recommendation", - "guid": "61fced7c-71af-4061-a73a-b880e8ee4f78" + "guid": "0f252dc6-47b1-417d-9db8-8ebd7c18edb4" }, { "waf": "Security", "service": "Azure Expressroute", - "text": "Configure MD5 hash on ExpressRoute circuit", - "description": "During configuration of private peering or Microsoft peering, apply an MD5 hash to secure messages between the on-premises route and the MSEE routers.", + "text": "Encrypt traffic using IPsec (Internet Protocol Security) for ExpressRoute private peering or configure a tunnel using private peering.", + "description": "IPsec encrypts data at the network layer (Layer 3) and enhances security by providing encryption, authentication, integrity protection, and compliance. This ensures that data transmitted over ExpressRoute circuits is secure and protected from unauthorized access and tampering.", "type": "recommendation", - "guid": "7091a086-8128-45f8-81e6-c93548433b87" + "guid": "4e2e4461-bb5a-4069-abfe-f9b6ab602f0c" }, { "waf": "Security", "service": "Azure Expressroute", - "text": "Configure MACSec for ExpressRoute Direct resources", - "description": "Media Access Control security is a point-to-point security at the data link layer. ExpressRoute Direct supports configuring MACSec to prevent security threats to protocols such as ARP, DHCP, LACP not normally secured on the Ethernet link. 
For more information on how to configure MACSec, see MACSec for ExpressRoute Direct ports.", + "text": "Configure MD5 hash on ExpressRoute circuit during configuration of private peering or Microsoft peering to secure messages between the on-premises route and the MSEE routers.", + "description": "By generating an MD5 hash of the data before transmission and comparing it with the hash generated after reception, you can ensure that the data hasn't been tampered with during transit.", "type": "recommendation", - "guid": "90d32454-fcb9-496d-a411-166a2fe50b6b" + "guid": "19478001-73ae-459d-a8b2-cfc311ff8e02" }, { "waf": "Security", "service": "Azure Expressroute", - "text": "Encrypt traffic using IPsec", - "description": "Configure a Site-to-site VPN tunnel over your ExpressRoute circuit to encrypt data transferring between your on-premises network and Azure virtual network. You can configure a tunnel using private peering or using Microsoft peering.", + "text": "Configure activity logs and send logs an to archive. Data retention is only 90 days and required to be stored in Log Analytics, Event Hubs or a storage account for archive. For more information about Activity logs in ExpressRoute, see Monitor Azure ExpressRoute.", + "description": "Activity logs provide insights into operations that were performed at the subscription level for ExpressRoute resources. With Activity logs, you can determine who and when an operation was performed at the control plane.", "type": "recommendation", - "guid": "ef702434-e1ce-4c4b-a2a6-553c1d58f881" + "guid": "451166af-f6ab-4c25-addd-3c24fc032dea" }, { "waf": "Cost", "service": "Azure Expressroute", - "text": "Familiarize yourself with ExpressRoute pricing", - "description": "For information about ExpressRoute pricing, see Understand pricing for Azure ExpressRoute. 
You can also use the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.", + "text": "Familiarize yourself with ExpressRoute pricing. Use the Azure Pricing Calculator to estimate the cost. ExpressRoute Direct has a monthly port fee that includes the circuit fee for Local and Standard SKU ExpressRoute circuits. For Premium SKU circuits, there's an additional circuit fee. Outbound data transfer is charged per GB used, depending on the zone number of the peering location. The outbound data charge applies only to Standard and Premium SKUs. For more information, see plan and manage costs for Azure ExpressRoute.", + "description": "Understanding ExpressRoute pricing enables better cost management, informed decision-making, avoidance of unexpected charges and maximization of value.", "type": "recommendation", - "guid": "8ae8772a-7131-42f9-9d2f-ce2aa5bcdd2b" + "guid": "5fe0c692-ece0-4a00-8735-b7617d72206e" }, { "waf": "Cost", "service": "Azure Expressroute", - "text": "Determine SKU and bandwidth required", - "description": "The way you're charged for your ExpressRoute usage varies between the three different SKU types. With Local SKU, you're automatically charged with an Unlimited data plan. With Standard and Premium SKU, you can select between a Metered or an Unlimited data plan. All ingress data are free of charge except when using the Global Reach add-on. It's important to understand which SKU types and data plan works best for your workload to best optimize cost and budget. For more information resizing ExpressRoute circuit, see upgrading ExpressRoute circuit bandwidth.", + "text": "Determine circuit SKU and bandwidth required. The way you're charged for your ExpressRoute usage varies between the three different SKU types. With the Local SKU, you're automatically charged with an Unlimited data plan. 
With the Standard and Premium SKUs, you can choose between a Metered or an Unlimited data plan. All ingress data is free of charge, except when using the Global Reach add-on, which incurs additional costs for data transfer between different geographical locations. It's important to review and resize your ExpressRoute circuit.", + "description": "It's important to understand which SKU types and data plan works best for your workload to best optimize cost and budget.", "type": "recommendation", - "guid": "18ef72cd-862c-43e8-b9ee-921fb5f079f0" + "guid": "539cd3f2-c97f-4f32-a9fb-4d8801992956" }, { "waf": "Cost", "service": "Azure Expressroute", - "text": "Determine the ExpressRoute virtual network gateway size", - "description": "ExpressRoute virtual network gateways are used to pass traffic into a virtual network over private peering. Review the performance and scale needs of your preferred Virtual Network Gateway SKU. Select the appropriate gateway SKU on your on-premises to Azure workload.", + "text": "Determine the size of the ExpressRoute Virtual Network Gateway. ExpressRoute virtual network gateways are used to pass traffic into a virtual network over private peering. Select the appropriate gateway SKU on your on-premises to Azure workload. Understand ExpressRoute Gateway pricing based on region and type. ExpressRoute Gateways are charged at an hourly rate plus the cost of an ExpressRoute circuit. Configure scalable ExpressRoute gateways to set minimum and maximum scale units for the gateway, which auto-scales based on active bandwidth or flow count. See ExpressRoute pricing and select ExpressRoute Gateways to see rates for different gateway SKUs.", + "description": "This benefits you by enabling right-sizing of resources, providing flexibility to scale, optimizing performance, and supporting proactive cost management. 
This approach ensures that you're using resources efficiently and cost-effectively.", "type": "recommendation", - "guid": "3655e3bc-9d56-47f6-b7bc-c1a568aa3c8a" + "guid": "5171306d-f8fd-4243-aaab-9d5e482cfb77" }, { "waf": "Cost", "service": "Azure Expressroute", - "text": "Monitor cost and create budget alerts", - "description": "Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks. For more information, see Monitoring ExpressRoute costs.", + "text": "Monitor costs and create budget alerts. Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks.", + "description": "Monitoring and alerts provide you with tools to control spending, enhance financial planning, ensure accountability, and optimize resource usage.", "type": "recommendation", - "guid": "3ade6188-d99d-47de-99e7-639136d3ac36" + "guid": "f0735018-99ea-40e5-9e25-96a7d39261ae" }, { "waf": "Cost", "service": "Azure Expressroute", - "text": "Deprovision and delete ExpressRoute circuits no longer in use.", - "description": "ExpressRoute circuits are charged from the moment they're created. To reduce unnecessary cost, deprovision the circuit with the service provider and delete the ExpressRoute circuit from your subscription. For steps on how to remove an ExpressRoute circuit, see Deprovisioning an ExpressRoute circuit.", + "text": "Deprovision and delete unused ExpressRoute circuits. Azure Advisor can detect ExpressRoute circuits that have been deployed for a significant time but have a provider status of Not Provisioned.", + "description": "ExpressRoute circuits are charged from the moment they're created. 
To reduce unnecessary cost, deprovision the circuit with the service provider and delete the ExpressRoute circuit from your subscription.", "type": "recommendation", - "guid": "ca8f1e36-5762-4510-b0af-5a073cc9185a" + "guid": "7c97f009-f790-4071-98a0-8d4190694e03" }, { "waf": "Operations", "service": "Azure Expressroute", - "text": "Configure connection monitoring", - "description": "Connection monitoring allows you to monitor connectivity between your on-premises resources and Azure over the ExpressRoute private peering and Microsoft peering connection. Connection monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures.", + "text": "Choose the closest peering locations to your on-premises network to reduce latency and costs.", + "description": "By choosing the closest peering location to your on-premises network, you can reduce latency and costs, ensuring optimal performance and cost-effectiveness.", "type": "recommendation", - "guid": "c1dcf762-0191-4963-89d7-3cc1df34b653" + "guid": "66ab8dd7-9a66-46c5-96b0-7aecf2945f54" }, { "waf": "Operations", "service": "Azure Expressroute", - "text": "Configure Service Health", - "description": "Set up Service Health notifications to alert when planned and upcoming maintenance is happening to all ExpressRoute circuits in your subscription. Service Health also displays past maintenance along with RCA if an unplanned maintenance were to occur.", + "text": "Configure Connection Monitor between your on-premises and Azure network.", + "description": "Connection Monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures. 
Connection Monitor is part of Azure Monitor logs.", "type": "recommendation", - "guid": "60f840b9-1818-4967-a115-68e90f47daf3" + "guid": "f3f15f82-0019-4af4-bb4d-86c3c607c76a" }, { "waf": "Operations", "service": "Azure Expressroute", - "text": "Review metrics with Network Insights", - "description": "ExpressRoute Insights with Network Insights allow you to review and analyze ExpressRoute circuits, gateways, connections metrics and health dashboards. ExpressRoute Insights also provide a topology view of your ExpressRoute connections where you can view details of your peering components all in a single place.Metrics available:- Availability- Throughput- Gateway metrics", + "text": "Configure dynamic routing your Microsoft peering enabled ExpressRoute circuit.", + "description": "Dynamic routing allows for more efficient and flexible routing, ensuring optimal path selection and automatic updates to routing tables in response to network changes.", "type": "recommendation", - "guid": "c3c5fe66-1901-4786-99ea-845944bd6ca3" + "guid": "f660a5dc-fbe4-41ec-861c-a943d57f05e7" }, { "waf": "Operations", "service": "Azure Expressroute", - "text": "Review ExpressRoute resource metrics", - "description": "ExpressRoute uses Azure Monitor to collect metrics and create alerts base on your configuration. Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.", + "text": "Configure Service Health notifications to alert you when planned and upcoming maintenance is scheduled for all ExpressRoute circuits in your subscription. 
Service Health also displays past maintenance events along with Root Cause Analysis (RCA) if unplanned maintenance event occurs.", + "description": "Service Health notifications provide timely alerts about planned and unplanned maintenance, outages, and early warnings about potential issues. This allows you to stay informed about the status of your ExpressRoute circuits.", "type": "recommendation", - "guid": "03914313-6287-41c4-9e4a-4980c2ee3aa9" + "guid": "6d849db1-74ba-4e60-aebf-b727c30f2974" + }, + { + "waf": "Operations", + "service": "Azure Expressroute", + "text": "Configure Traffic Collector for ExpressRoute", + "description": "ExpressRoute Traffic Collector enables the sampling of network flows over your ExpressRoute circuits. It supports both Private peering and Microsoft peering, providing near real-time visibility into network throughput and performance.", + "type": "recommendation", + "guid": "e039bf9c-5270-4496-b328-b2a244ffa140" + }, + { + "waf": "Operations", + "service": "Azure Expressroute", + "text": "Review metrics with Network Insights. ExpressRoute Insights with Network Insights allow you to review and analyze ExpressRoute circuits, gateways, connections metrics and health dashboards. ExpressRoute Insights also provide a topology view of your ExpressRoute connections where you can view details of your peering components all in a single place.", + "description": "Network Insights offers a centralized platform to monitor various metrics across ExpressRoute circuits, gateways, and connections, providing a comprehensive view of network health and performance.", + "type": "recommendation", + "guid": "1fe59e6d-04a8-4eaa-9913-c3172a32b5ae" + }, + { + "waf": "Operations", + "service": "Azure Expressroute", + "text": "Review ExpressRoute resource metrics. 
Use Azure Monitor to collect metrics and create alerts based on your configuration.", + "description": "Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.", + "type": "recommendation", + "guid": "f0727bb1-db42-4c0a-a98d-0ddfa603bccf" + }, + { + "waf": "Operations", + "service": "Azure Expressroute", + "text": "Review ExpressRoute metrics and create alerts. ExpressRoute uses Azure Monitor to collect metrics and create alerts based on your configuration. Follow the recommendations for designing and creating a monitoring system to implement your monitoring strategy for ExpressRoute and your workloads.", + "description": "Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.", + "type": "recommendation", + "guid": "0f593631-0968-46e9-a32d-35b1fd9c7c19" }, { "waf": "Performance", "service": "Azure Expressroute", - "text": "Test ExpressRoute gateway performance to meet work load requirements.", - "description": "Use Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection.", + "text": "Test ExpressRoute gateway performances to meet work load requirements with the Azure Connectivity Toolkit. Schedule bandwidth-intensive operations such as backups and performance testing at times of low production traffic.", + "description": "The toolkit provides user-friendly tools and interfaces that simplify the process of configuring and managing network connections to Azure. 
The toolkit includes tools to optimize network performance, ensuring efficient and reliable connectivity to Azure services.", "type": "recommendation", - "guid": "07fac8bb-13c5-44b8-a4e8-7e2ed1a84b48" + "guid": "9c0251dc-a65a-4dd2-8c7e-d5c0e5f475df" }, { "waf": "Performance", "service": "Azure Expressroute", - "text": "Increase the size of the ExpressRoute gateway.", - "description": "Upgrade to a higher gateway SKU for improved throughput performance between on-premises and Azure environment.", + "text": "Plan for scaling of ExpressRoute circuits. Upgrade your ExpressRoute circuit bandwidth to meet your production workload requirements. Circuit bandwidth is shared between all virtual networks connected to the ExpressRoute circuit. Depending on your workload, one or more virtual networks can use up all the bandwidth on the circuit. For more information, see ExpressRoute limits.", + "description": "Upgrading the bandwidth ensures that the network can handle increasing data volumes and more users without compromising performance.", "type": "recommendation", - "guid": "7f788e1a-71dd-4a3e-b19f-6bd8ef8ad815" + "guid": "1ad287a3-c816-4024-a1f0-d7294689ccd0" }, { "waf": "Performance", "service": "Azure Expressroute", - "text": "Upgrade ExpressRoute circuit bandwidth", - "description": "Upgrade your circuit bandwidth to meet your work load requirements. Circuit bandwidth is shared between all virtual networks connected to the ExpressRoute circuit. Depending on your work load, one or more virtual networks can use up all the bandwidth on the circuit.", + "text": "Plan for scaling of ExpressRoute Virtual Network Gateway. Upgrade your ExpressRoute Virtual Network Gateway SKU to meet your production workload requirements.", + "description": "Upgrading to a larger gateway SKU provides higher throughput capabilities, allowing more data to be transferred between on-premises networks and Azure more quickly. 
A larger gateway can manage more simultaneous connections and higher volumes of traffic, reducing the likelihood of network congestion and bottlenecks.", "type": "recommendation", - "guid": "5cd4120c-3a0b-42d0-8114-2663988f43b8" + "guid": "9189a846-bfbc-4d20-a19e-f06c2f516f2b" }, { "waf": "Performance", "service": "Azure Expressroute", - "text": "Enable ExpressRoute FastPath for higher throughput", - "description": "If you're using an Ultra performance or an ErGW3AZ virtual network gateway, you can enable FastPath to improve the data path performance between your on-premises network and Azure virtual network.", + "text": "Configure Scalable Gateways to automatically scale for performance.", + "description": "Scalable Gateways allows you to scale up and down automatically with your gateway instances to accommodate performance needs. ErGwScale SKU also enables you to achieve 40-Gbps connectivity to virtual machines and Private Endpoints within the virtual network.", "type": "recommendation", - "guid": "ef778b99-5006-4adf-bef1-d709456a4c51" + "guid": "21bc0cb5-c803-4f6f-873c-3cc589045157" }, { "waf": "Performance", "service": "Azure Expressroute", - "text": "Monitor ExpressRoute circuit and gateway metrics", - "description": "Set up alerts base on ExpressRoute metrics to proactively notify you when a certain threshold is met. These metrics are useful to understand anomalies that can happen with your ExpressRoute connection such as outages and maintenance happening to your ExpressRoute circuits.", + "text": "Enable ExpressRoute FastPath for higher throughput on your virtual network gateway.", + "description": "This feature improves the data path performance between your on-premises network and your virtual network resources by bypassing the gateway. As business needs grow, FastPath provides the necessary bandwidth and performance to support increasing data volumes and more users without compromising performance. 
Enabling FastPath ensures that the network can handle future expansions and new applications, providing long-term performance efficiency.", "type": "recommendation", - "guid": "4a0e8302-106d-48a3-abc4-9e4875a48309" + "guid": "d3d715ef-2f26-4220-adc6-3d8cbaf18055" + }, + { + "waf": "Performance", + "service": "Azure Expressroute", + "text": "Monitor Monitor ExpressRoute circuit, port, and gateway metrics. Configure alerts for ExpressRoute metrics to proactively notify you when a certain threshold is met. ExpressRoute circuit metrics supports metrics such as Arp Availability, BitsInPerSecond, DroppedInBitsPerSecond. ExpressRoute port metrics supports metrics such as AdminState, BitsInPerSecond, and FastPathRoutesCount. ExpressRoute Gateway metrics supports metrics such as Bits In Per Second, Active Flows, and Count Of Routes Advertised to Peer.
Monitor performance targets with Connection Monitor.", + "description": "ExpressRoute circuit, port, and gateway metrics are useful to understand anomalies that can happen with your ExpressRoute connection such as outages and maintenance happening to your ExpressRoute circuits. Connection Monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures.", + "type": "recommendation", + "guid": "44ffd0df-8599-45a9-80aa-73770cf1799b" } ], "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" @@ -217,22 +326,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -269,6 +381,6 @@ "name": "Azure Expressroute Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azurefiles_sg_checklist.en.json b/checklists-ext/azurefiles_sg_checklist.en.json index 979d7c5a..959677b7 100644 --- a/checklists-ext/azurefiles_sg_checklist.en.json +++ b/checklists-ext/azurefiles_sg_checklist.en.json @@ -237,10 +237,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" 
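Review bot: The `waf` list touched by the `@@ -217,22 +326,25 @@` hunk of azureexpressroute_sg_checklist.en.json (the list opens at the end of the previous hunk) still names every pillar twice in two casings, such as `"cost"` and `"Cost"` or `"security"` and `"Security"`, and the new side only reshuffles the ten entries. The same reshuffle appears in the matching hunks of the other service-guide files in this patch, so the order is presumably not stable between generator runs, and that churn can bury a real content change in review. Normalising the pillar name before it is collected and writing the list sorted would leave five entries of the form `{ "name": "Cost" }` and a diff only when the pillar set changes. The wafsg_checklist.en.json hunk in this patch has items with `"waf": "reliability"` next to items with `"waf": "Reliability"`; if the service-guide files mix casings the same way, that is the likely source of the duplicates and the casing needs fixing on the items as well.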
@@ -249,22 +246,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -301,6 +301,6 @@ "name": "Azure Files Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azurefirewall_sg_checklist.en.json b/checklists-ext/azurefirewall_sg_checklist.en.json index 5bcd6293..46387720 100644 --- a/checklists-ext/azurefirewall_sg_checklist.en.json +++ b/checklists-ext/azurefirewall_sg_checklist.en.json @@ -245,10 +245,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" @@ -257,22 +254,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -309,6 +309,6 @@ "name": "Azure Firewall Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azurefrontdoor_sg_checklist.en.json b/checklists-ext/azurefrontdoor_sg_checklist.en.json index e00c8dc1..9a2dea3d 100644 --- a/checklists-ext/azurefrontdoor_sg_checklist.en.json +++ b/checklists-ext/azurefrontdoor_sg_checklist.en.json @@ -181,10 +181,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" 
@@ -193,22 +190,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -245,6 +245,6 @@ "name": "Azure Front Door Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azurekubernetesservice_sg_checklist.en.json b/checklists-ext/azurekubernetesservice_sg_checklist.en.json index 10fd2600..f4158325 100644 --- a/checklists-ext/azurekubernetesservice_sg_checklist.en.json +++ b/checklists-ext/azurekubernetesservice_sg_checklist.en.json @@ -29,7 +29,7 @@ "waf": "Reliability", "service": "Azure Kubernetes Service", "text": "Cluster architecture: Use availability zones to maximize resilience within an Azure region by distributing AKS agent nodes across physically separate data centers.", - "description": "By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down. If colocality requirements exist, either a regular VMSS-based AKS deployment into a single zone or proximity placement groups can be used to minimize internode latency.", + "description": "By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down. If colocality requirements exist, either a regular Virtual Machine Scale Sets based AKS deployment into a single zone or proximity placement groups can be used to minimize internode latency.", "type": "recommendation", "guid": "29400c1f-e4ff-4ab5-89ff-be93d51d5fa8" }, 
@@ -189,7 +189,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Cluster architecture: Select virtual machines based on the Arm architecture.", - "description": "AKS supports creating ARM64 Ubuntu agent nodes, as well as a of mix Intel and ARM architecture nodes within a cluster that can bring better performance at a lower cost.", + "description": "AKS supports creating Arm64 Ubuntu agent nodes, as well as a mix of Intel and ARM architecture nodes within a cluster that can bring better performance at a lower cost.", "type": "recommendation", "guid": "f0572fdc-24e3-4e6c-8c90-0ba85cc6f52a" }, @@ -205,7 +205,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Cluster architecture: Select the appropriate region.", - "description": "Due to many factors, cost of resources varies per region in Azure. Evaluate the cost, latency, and compliance requirements to ensure you are running your workload cost-effectively and it doesn't affect your end-users or create extra networking charges.", + "description": "Due to many factors, cost of resources varies per region in Azure. Evaluate the cost, latency, and compliance requirements to ensure you're running your workload cost-effectively and it doesn't affect your end-users or create extra networking charges.", "type": "recommendation", "guid": "41a6e1ef-d63a-4e26-842f-1a0cde3abaa6" }, @@ -253,7 +253,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Workload architecture: Use Kubernetes Event Driven Autoscaling (KEDA).", - "description": "Scale based on the number of events being processed. Choose from a rich catalogue of 50+ KEDA scalers.", + "description": "Scale based on the number of events being processed. Choose from a rich catalog of 50+ KEDA scalers.", "type": "recommendation", "guid": "fe15f362-a48d-4a25-aa3e-7938b3d1f5e2" }, 
@@ -261,7 +261,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Cluster and workload architectures: Adopt a cloud financial discipline and cultural practice to drive ownership of cloud usage.", - "description": "The foundation of enabling cost optimization is the spread of a cost saving cluster. A financial operations approach (FinOps) is often used to help organizations reduce cloud costs. It is a practice involving collaboration between finance, operations, and engineering teams to drive alignment on cost saving goals and bring transparency to cloud costs.", + "description": "The foundation of enabling cost optimization is the spread of a cost saving cluster. A financial operations approach (FinOps) is often used to help organizations reduce cloud costs. It's a practice involving collaboration between finance, operations, and engineering teams to drive alignment on cost saving goals and bring transparency to cloud costs.", "type": "recommendation", "guid": "d0ed8b85-2072-4952-a00c-697135e435a2" }, @@ -373,10 +373,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" @@ -385,22 +382,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -437,6 +437,6 @@ "name": "Azure Kubernetes Service Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azuremachinelearning_sg_checklist.en.json b/checklists-ext/azuremachinelearning_sg_checklist.en.json index d42e8c4b..a16ad86b 100644 --- a/checklists-ext/azuremachinelearning_sg_checklist.en.json 
+++ b/checklists-ext/azuremachinelearning_sg_checklist.en.json @@ -269,10 +269,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" @@ -281,22 +278,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -333,6 +333,6 @@ "name": "Azure Machine Learning Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azureopenai_sg_checklist.en.json b/checklists-ext/azureopenai_sg_checklist.en.json index e2b1032d..f1e6fe78 100644 --- a/checklists-ext/azureopenai_sg_checklist.en.json +++ b/checklists-ext/azureopenai_sg_checklist.en.json @@ -109,10 +109,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" @@ -121,22 +118,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -173,6 +173,6 @@ "name": "Azure Openai Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/virtualmachines_sg_checklist.en.json b/checklists-ext/virtualmachines_sg_checklist.en.json index 4b3cd509..8146c24c 100644 --- a/checklists-ext/virtualmachines_sg_checklist.en.json 
+++ b/checklists-ext/virtualmachines_sg_checklist.en.json @@ -229,10 +229,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" @@ -241,22 +238,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -293,6 +293,6 @@ "name": "Virtual Machines Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file diff --git a/checklists-ext/wafsg_checklist.en.json b/checklists-ext/wafsg_checklist.en.json index f08136c8..064fbedc 100644 --- a/checklists-ext/wafsg_checklist.en.json +++ b/checklists-ext/wafsg_checklist.en.json 
@@ -1324,410 +1324,586 @@ { "waf": "reliability", "service": "Azure Expressroute", - "text": "Select between ExpressRoute circuit or ExpressRoute Direct for business requirements.", + "text": "Build redundancy, strengthen resiliency: Eliminate single points of failure as much as practical. Plan for redundancy in the network design by configuring multiple ExpressRoute circuits, diverse paths, and multiple peering locations closest to your on-premises locations.", "description": "", "type": "checklist", - "guid": "473b3683-6d53-4521-89c4-d8aa1d1df633" + "guid": "32de863a-e7fd-4bfb-aa2b-163509bb969d" }, { "waf": "reliability", "service": "Azure Expressroute", - "text": "Configure ExpressRoute circuits with Maximum or High Resiliency for production workloads.", + "text": "Anticipate potential failures: Plan mitigation strategies for potential failures. The following table shows examples of failure mode analysis.", + "description": "", + "type": "checklist", + "guid": "a67a6739-c1af-48d6-a3d1-001fb5105139" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Plan for site resiliency: Planning for site resiliency is crucial to ensure high availability. ExpressRoute offers three architectures of site resiliency: Standard, High, and Maximum. Standard resiliency provides basic protection against link failures, but does not provide protection against site failures. 
High resiliency offers enhanced protection with additional failover mechanisms, and Maximum resiliency ensures the highest level of protection with multiple redundant systems and failover mechanisms.", + "description": "", + "type": "checklist", + "guid": "02a558e6-f9e4-4a38-9590-5a71ee20d41b" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Plan for regions and availability zones: Plan for multiple region and availability zones closest to your on-premises locations to provide resiliency and high availability.", + "description": "", + "type": "checklist", + "guid": "3fabb33e-e282-48d9-864c-216b53a3b626" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Plan for ExpressRoute circuit or ExpressRoute Direct: During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection.", + "description": "", + "type": "checklist", + "guid": "5f7a7897-e891-452e-91a2-9fb096bb3afe" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Choose the right circuit SKU: ExpressRoute circuit SKUs provide redundancy through the use of geographic expansion. ExpressRoute have three SKUs: Local, Standard, and Premium.", + "description": "", + "type": "checklist", + "guid": "7e7bd921-bbb9-4ffe-a4cf-3d0403825ea0" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Plan for Active-Active connectivity: ExpressRoute dedicated circuits provide availability when an active-active connectivity is configured between on-premises and Azure. 
This configuration provides higher availability of your ExpressRoute connection.", + "description": "", + "type": "checklist", + "guid": "cc63fe77-e8f6-407f-9906-fc0c765a6f56" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Plan for geo-redundant circuits: Configure ExpressRoute circuits in more than one peering location to ensure that there are multiple, geographically diverse paths between on-premises networks and Azure. This reduces the risk of a single point of failure causing a network outage, thereby increasing the reliability and availability of the connection.", "description": "", "type": "checklist", - "guid": "e58c1767-6db4-4b40-a26e-1ab8967517f4" + "guid": "a14c6933-25b6-4ea6-9fb3-7f4933d6d265" }, { "waf": "reliability", "service": "Azure Expressroute", - "text": "Configure Active-Active ExpressRoute connections between on-premises and Azure.", + "text": "Configure ExpressRoute Global Reach: As an ExpressRoute circuit Premium SKU feature, ExpressRoute Global Reach allows you to link your on-premises networks across different geographical locations directly through the Azure backbone network. By connecting your on-premises networks to multiple Azure regions, Global Reach provides an additional layer of redundancy. 
If one Azure region becomes unavailable, you can quickly reroute traffic to another region without relying on the public internet, maintaining secure and reliable connectivity.", "description": "", "type": "checklist", - "guid": "b356e60e-cb41-4ee6-a8d5-290b429619f7" + "guid": "d08a5125-0bad-4fae-a940-639eb82080db" }, { "waf": "reliability", "service": "Azure Expressroute", - "text": "Set up availability zone aware ExpressRoute Virtual Network Gateways.", + "text": "Configure site-to-site VPN as a backup to ExpressRoute private peering: This configuration provides an additional layer of redundancy and ensures that your network remains operational even if the ExpressRoute connection experiences an outage.", "description": "", "type": "checklist", - "guid": "877b9a2d-8171-441b-ba7f-b8c6191f12bc" + "guid": "69563db0-dbb3-4a88-91c2-dd1967b7ff28" }, { "waf": "reliability", "service": "Azure Expressroute", - "text": "Configure ExpressRoute Virtual Network Gateways in different regions.", + "text": "Plan for Virtual Network Gateways: When selecting and configuring your ExpressRoute Virtual Network Gateway for resiliency, consider the following best practices:", "description": "", "type": "checklist", - "guid": "64ad6a67-7f17-4d55-a365-0ec8716fb135" + "guid": "24b8719d-0bcd-4286-ac94-6437c314e7e9" }, { "waf": "reliability", "service": "Azure Expressroute", - "text": "Configure site-to-site VPN as a backup to ExpressRoute private peering.", + "text": "Plan for service providers: Choose different service providers for each circuit to ensure diverse paths. 
This diversity in service providers minimizes the risk of network downtime due to a single provider's outage.", "description": "", "type": "checklist", - "guid": "20bbf3a5-e3d8-42eb-9b88-9c4a811a483a" + "guid": "046e32c2-cb9f-45bd-a418-7b16acc959a7" }, { "waf": "reliability", "service": "Azure Expressroute", - "text": "Configure service health to receive ExpressRoute circuit maintenance notifications.", + "text": "Conduct reliability testing: Test the network design for resiliency to ensure that the network can withstand failures. Testing can be achieved by using Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection. Confirm failover mechanisms are working as expected.", "description": "", "type": "checklist", - "guid": "da08260d-363c-4fcb-a555-ed4448d0be3a" + "guid": "7e76e019-8787-4ada-90b3-06151c2e84cc" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Configure monitoring for ExpressRoute circuits and ExpressRoute Virtual Network Gateway health: Configure monitoring and alerts for ExpressRoute circuit and ExpressRoute Virtual Network Gateway health based on various metrics available.", + "description": "", + "type": "checklist", + "guid": "9ba255c5-91a6-43f2-b504-983ae6a1dd6e" + }, + { + "waf": "reliability", + "service": "Azure Expressroute", + "text": "Use health indicators to identify disruptions: Configure monitoring and alerts for ExpressRoute circuit and ExpressRoute Virtual Network Gateway health based on various metrics available.", + "description": "", + "type": "checklist", + "guid": "f67cf680-9128-4ecd-8814-f1142e7b782e" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Anticipate and mitigate potential failures when you design and architect Azure ExpressRoute.", + "description": "Anticipating failures leads to the design of a more robust and resilient network architecture that can withstand 
various failure scenarios.", + "type": "recommendation", + "guid": "1bb0e204-0fe0-40c8-8d70-701f9ed8ee56" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Plan for site resiliency. For Maximum or High resiliency, plan to have multiple paths between the on-premises edge and the peering locations (provider/Microsoft edge locations). For Maximum Resiliency, configure multiple circuits to different peering locations. For High Resiliency, configure a circuit between multiple peering locations within the same metropolitan area (also referred to as ExpressRoute Metro) from the on-premises network.", + "description": "By having multiple paths between the on-premises edge and the peering locations, the network can continue to operate even if one path fails. This redundancy is crucial for maintaining continuous connectivity and minimizing downtime.", + "type": "recommendation", + "guid": "80cf104d-42ef-46d9-886f-1f901cebe4eb" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Plan for multiple region and availability zones.", + "description": "Availability zones are physically separate locations within a region, providing fault isolation. This means that failures in one zone don't affect the others, enhancing overall system reliability.", + "type": "recommendation", + "guid": "4e9190ce-cc78-4f4f-a648-3058df325c58" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Plan for ExpressRoute circuit or ExpressRoute Direct. During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection. You also need to identify the bandwidth requirement and the SKU type requirement for your business needs.", + "description": "An ExpressRoute circuit allows a private dedicated connection into Azure with the help of a connectivity provider. 
ExpressRoute Direct allows you to extend on-premises network directly into the Microsoft network at a peering location.", + "type": "recommendation", + "guid": "b96ec4b0-3082-4117-b168-a1232aac87c6" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Choose the right circuit SKU for redundancy by using geographic expansion. The Local, Standard, and Premium SKUs offer different levels of connectivity, access, and performance capabilities. Premium SKU provides the highest level of redundancy with global connectivity to any Azure region worldwide.", + "description": "Choosing the right circuit SKU ensures that you have the appropriate level of redundancy and connectivity for your workloads.", + "type": "recommendation", + "guid": "6678e45e-636b-497a-9e94-bbd3be9878db" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Plan for Active-Active connectivity. To improve high availability, redundancy, and resiliency, we recommend operating both connections of an ExpressRoute circuit in active-active mode. Additionally, configure Bi-Directional Forwarding Detection (BFD) over both private and Microsoft Peering for faster failover during a link failure.", + "description": "Active-active mode mode provides higher availability of your ExpressRoute connections. BFD provides rapid detection of link failures, enabling quicker failover to backup paths. This minimizes downtime and ensures continuous connectivity.", + "type": "recommendation", + "guid": "83c0b35b-9946-4ac0-b002-f671d360dc2e" + }, + { + "waf": "Reliability", + "service": "Azure Expressroute", + "text": "Plan for geo-redundant circuits.", + "description": "There are scenarios where an ExpressRoute peering location or an entire regional service might experience degradation. Geo-redundancy enhances disaster recovery and high availability by ensuring that there are multiple, geographically diverse paths between on-premises networks and Azure. 
This reduces the risk of a single point of failure causing a network outage, thereby increasing the reliability and availability of the connection.", + "type": "recommendation", + "guid": "c272ebae-5c6e-4fb1-ad14-bbaefdf93363" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Plan for ExpressRoute circuit or ExpressRoute Direct", - "description": "During the initial planning phase, you want to decide whether you want to configure an ExpressRoute circuit or an ExpressRoute Direct connection. An ExpressRoute circuit allows a private dedicated connection into Azure with the help of a connectivity provider. ExpressRoute Direct allows you to extend the on-premises network directly into the Microsoft network at a peering location. You also need to identify the bandwidth requirement and the SKU type requirement for your business needs.", + "text": "With ExpressRoute Global Reach you can link ExpressRoute circuits together to make a private network between your on-premises networks. Configure ExpressRoute Global Reach on your ExpressRoute circuit Premium SKU.", + "description": "ExpressRoute Global Reach provides an additional layer of redundancy by linking your on-premises networks across different geographical locations directly through the Azure backbone network. This ensures that your network remains connected and operational even if one Azure region becomes unavailable.", "type": "recommendation", - "guid": "09e0dd1a-b1f7-46c3-8df1-48e841f53dca" + "guid": "b1d05887-bd07-4e3f-9863-83d8e5ac7a06" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Plan for geo-redundant circuits", - "description": "To plan for disaster recovery, set up ExpressRoute circuits in more than one peering locations. You can create circuits in peering locations in the same metro or different metro and choose to work with different service providers for diverse paths through each circuit. 
For more information, see Designing for disaster recovery and Designing for high availability.", + "text": "Choose different ExpressRoute service providers for each circuit.", + "description": "Diversity in service providers minimizes the risk of network downtime due to a single provider's outage. By choosing different service providers for each circuit, you can ensure that your network remains operational even if one provider experiences an outage. This redundancy is essential for maintaining continuous connectivity and minimizing downtime.", "type": "recommendation", - "guid": "257031a8-f034-436c-9f54-e82aab53c559" + "guid": "471bcfb6-9755-415f-9da4-0db051072d96" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Plan for Active-Active connectivity", - "description": "This mode provides higher availability of your Expressroute connections. It's also recommended to configure BFD for faster failover if there's a link failure on a connection.", + "text": "Configure Site-to-Site VPN over Microsoft peering as a backup to ExpressRoute private peering. Site-to-site VPN provides an additional layer of redundancy and ensures that your network remains operational even if the ExpressRoute connection experiences an outage.", + "description": "By configuring a site-to-site VPN as a backup to ExpressRoute private peering, you can maintain continuous connectivity and minimize downtime.", "type": "recommendation", - "guid": "068037d8-673f-4e86-bc9d-bf83fbe61d12" + "guid": "edf3297f-ecbf-462f-b3c4-2473de5f548b" }, { "waf": "Reliability", "service": "Azure Expressroute", - "text": "Planning for Virtual Network Gateways", - "description": "Create availability zone aware Virtual Network Gateway for higher resiliency and plan for Virtual Network Gateways in different regions for resiliency, disaster recovery, and high availability.", + "text": "Planning for zone-redundant Virtual Network Gateways. 
Select the right ExpressRoute Virtual Network Gateway SKU to reflect the correct performance and throughput for your business. Consider deploying a scalable virtual network gateway that allows you to achieve 40-Gbps connectivity and will auto-scale based on your required throughput. Deploy ExpressRoute virtual network gateways that are zone-redundant for maximum resiliency and redundancy across Availability Zones.",
+ "description": "Choosing the appropriate SKU ensures that the gateway can handle the required performance and throughput for your business needs. A scalable virtual network gateway autoscales based on required throughput, allowing the network to adapt to changing demands. This flexibility helps maintain performance during peak usage times and prevents overloading. Additionally, deploying zone-redundant virtual network gateways ensures that the network remains operational even if one availability zone experiences an outage, enhancing overall reliability and resiliency.",
 "type": "recommendation",
- "guid": "21f65e89-ffe2-489f-89f2-16cbc2e257d9"
+ "guid": "595ff451-e6d3-4c0c-bb7c-e96b425603de"
 },
 {
 "waf": "Reliability",
 "service": "Azure Expressroute",
- "text": "Monitor circuits and gateway health",
- "description": "Set up monitoring and alerts for ExpressRoute circuits and Virtual Network Gateway health based on various metrics available.",
+ "text": "Conduct reliability testing with the Azure Connectivity Toolkit to ensure that the network design is resilient and can withstand failures.",
+ "description": "Reliability testing helps identify potential issues and weaknesses in the network design, allowing you to address them proactively.
By conducting reliability testing, you can ensure that the network is robust and resilient, minimizing downtime and ensuring continuous connectivity.",
 "type": "recommendation",
- "guid": "0f875bf3-de86-41b5-80d2-477de2f769a2"
+ "guid": "9654ddf0-e888-41a8-a3da-87c5f9615515"
 },
 {
 "waf": "Reliability",
 "service": "Azure Expressroute",
- "text": "Enable service health",
- "description": "ExpressRoute uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your ExpressRoute circuits.",
+ "text": "Configure monitoring and alerts for ExpressRoute circuits, peering, ports, and Virtual Network Gateway resource health based on various available metrics. This helps in proactively managing and maintaining the health of your network. Use Network Insights for ExpressRoute to visualize topological maps and health dashboards, providing a clear view of your configurations and their status.",
+ "description": "By setting up monitoring and alerts based on various metrics, you can proactively detect and address issues such as increased latency, traffic drops, or circuit downtimes before they impact your services.",
 "type": "recommendation",
- "guid": "c84ca8b2-74f8-4d25-8fc3-5b30c9969b5f"
+ "guid": "5106fe4b-4ed3-4d8e-811d-bf6233c94535"
+ },
+ {
+ "waf": "Reliability",
+ "service": "Azure Expressroute",
+ "text": "Configure service health to notify you about planned and unplanned maintenance.
Configuring service health notifies you about changes made to your ExpressRoute circuits.",
+ "description": "With Service Health, you can view planned and past maintenance in the Azure portal along with configuring alerts and notifications that best suits your needs.",
+ "type": "recommendation",
+ "guid": "4cf9d373-331a-4bb4-8a3b-88ecb0e40460"
 },
 {
 "waf": "security",
 "service": "Azure Expressroute",
- "text": "Configure Activity log to send logs to archive.",
+ "text": "Leverage Azure Security Baseline for ExpressRoute: The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure.",
 "description": "",
 "type": "checklist",
- "guid": "ca1c5676-1b0a-426e-baaf-da74ab806cb4"
+ "guid": "2cdb2c3e-56b6-48b3-ade8-33e1c3cd9293"
 },
 {
 "waf": "security",
 "service": "Azure Expressroute",
- "text": "Maintain an inventory of administrative accounts with access to ExpressRoute resources.",
+ "text": "Implement Azure Role-Based Access Control (RBAC): Use Azure RBAC to configure roles to limit user accounts that can add, update, or delete peering configurations on an ExpressRoute circuit or change ExpressRoute resources.",
 "description": "",
 "type": "checklist",
- "guid": "ef124dcd-17e6-4b4e-9bdd-511ef1959a05"
+ "guid": "8e0ef0ec-36df-4985-8bc2-761ef50f381f"
 },
 {
 "waf": "security",
 "service": "Azure Expressroute",
- "text": "Configure MD5 hash on ExpressRoute circuit.",
+ "text": "Configure ExpressRoute encryption: Encrypt data in transit over ExpressRoute circuits to ensure that data transmitted between on-premises networks and Azure virtual networks is secure and protected from unauthorized access.
ExpressRoute supports the following encryption options:",
 "description": "",
 "type": "checklist",
- "guid": "23fbb2f6-a269-4fb5-a3a0-04aae0516c91"
+ "guid": "3b3fc985-c0ba-48d8-9b3e-fc0d65fcdb17"
 },
 {
 "waf": "security",
 "service": "Azure Expressroute",
- "text": "Configure MACSec for ExpressRoute Direct resources.",
+ "text": "Configure MD5 hash on ExpressRoute circuit: During configuration of private peering or Microsoft peering, apply an MD5 hash to secure messages between the on-premises router and the MSEE routers.",
 "description": "",
 "type": "checklist",
- "guid": "8e02b876-d810-498b-b9a5-e50730fb10d6"
+ "guid": "46c4f201-d8b4-4545-9ea2-fe9a7373eeab"
 },
 {
 "waf": "security",
 "service": "Azure Expressroute",
- "text": "Encrypt traffic over private peering and Microsoft peering for virtual network traffic.",
+ "text": "Configure Activity log to send logs to archive: Activity logs are essential for auditing, compliance, incident response, operational visibility, and policy enforcement for ExpressRoute. Configure Activity log to send logs to an archive for long-term retention and analysis.",
 "description": "",
 "type": "checklist",
- "guid": "946a3e3d-bbaf-4b4a-ab80-2ef0a4631f30"
+ "guid": "79a4a9cf-38fb-4e5d-a947-89baeadab6e9"
+ },
+ {
+ "waf": "Security",
+ "service": "Azure Expressroute",
+ "text": "Leverage Azure Security Baseline for ExpressRoute. This security baseline applies guidance from the Microsoft Cloud Security Benchmark version 1.0 to ExpressRoute.",
+ "description": "The content is organized by the security controls defined in the benchmark and includes related guidance specific to ExpressRoute.",
+ "type": "recommendation",
+ "guid": "efa8069f-c372-401f-bf50-515b9e24cbcc"
 },
 {
 "waf": "Security",
 "service": "Azure Expressroute",
- "text": "Configure Activity log to send logs to archive",
- "description": "Activity logs provide insights into operations that were performed at the subscription level for ExpressRoute resources.
With Activity logs, you can determine who and when an operation was performed at the control plane. Data retention is only 90 days and required to be stored in Log Analytics, Event Hubs or a storage account for archive.",
+ "text": "Implement Azure Role-Based Access Control (RBAC) to control who can manage ExpressRoute resources such as ExpressRoute circuits and gateways.",
+ "description": "By providing granular access management to resources, you can maintain an inventory of administrative accounts with access to ExpressRoute resources and ensure that only authorized users can perform specific actions.",
 "type": "recommendation",
- "guid": "9631d7ef-657c-4b07-9c75-96b2dcc5c5d2"
+ "guid": "c2dfe99d-0d27-429a-9f06-2e572f755227"
 },
 {
 "waf": "Security",
 "service": "Azure Expressroute",
- "text": "Maintain inventory of administrative accounts",
- "description": "Use Azure RBAC to configure roles to limit user accounts that can add, update, or delete peering configuration on an ExpressRoute circuit.",
+ "text": "Configure MACsec for ExpressRoute Direct ports.",
+ "description": "MACsec (Media Access Control security) enhances security by encrypting data, ensuring data integrity, protecting vulnerable protocols.
It secures protocols that are typically not protected on Ethernet links, such as ARP, DHCP, and LACP, thereby preventing potential security threats targeting these protocols.",
 "type": "recommendation",
- "guid": "42b91c75-909f-4366-b014-48ab48639faf"
+ "guid": "5d74d5bf-40a6-43ad-b923-0b7db390a9dc"
 },
 {
 "waf": "Security",
 "service": "Azure Expressroute",
- "text": "Configure MD5 hash on ExpressRoute circuit",
- "description": "During configuration of private peering or Microsoft peering, apply an MD5 hash to secure messages between the on-premises route and the MSEE routers.",
+ "text": "Encrypt traffic using IPsec (Internet Protocol Security) for ExpressRoute private peering or configure a tunnel using private peering.",
+ "description": "IPsec encrypts data at the network layer (Layer 3) and enhances security by providing encryption, authentication, integrity protection, and compliance. This ensures that data transmitted over ExpressRoute circuits is secure and protected from unauthorized access and tampering.",
 "type": "recommendation",
- "guid": "78f7d298-53bf-49ae-8ed7-994d46ccf2dd"
+ "guid": "112fcea7-1bcd-4911-9430-5fab3b9f8c01"
 },
 {
 "waf": "Security",
 "service": "Azure Expressroute",
- "text": "Configure MACSec for ExpressRoute Direct resources",
- "description": "Media Access Control security is a point-to-point security at the data link layer. ExpressRoute Direct supports configuring MACSec to prevent security threats to protocols such as ARP, DHCP, LACP not normally secured on the Ethernet link.
For more information on how to configure MACSec, see MACSec for ExpressRoute Direct ports.",
+ "text": "Configure MD5 hash on ExpressRoute circuit during configuration of private peering or Microsoft peering to secure messages between the on-premises route and the MSEE routers.",
+ "description": "By generating an MD5 hash of the data before transmission and comparing it with the hash generated after reception, you can ensure that the data hasn't been tampered with during transit.",
 "type": "recommendation",
- "guid": "d495a140-702d-4e08-bb86-7ceac8141df2"
+ "guid": "d6f93bd7-3713-42bf-bb3e-7c9fb2071e43"
 },
 {
 "waf": "Security",
 "service": "Azure Expressroute",
- "text": "Encrypt traffic using IPsec",
- "description": "Configure a Site-to-site VPN tunnel over your ExpressRoute circuit to encrypt data transferring between your on-premises network and Azure virtual network. You can configure a tunnel using private peering or using Microsoft peering.",
+ "text": "Configure activity logs and send logs an to archive. Data retention is only 90 days and required to be stored in Log Analytics, Event Hubs or a storage account for archive. For more information about Activity logs in ExpressRoute, see Monitor Azure ExpressRoute.",
+ "description": "Activity logs provide insights into operations that were performed at the subscription level for ExpressRoute resources. With Activity logs, you can determine who and when an operation was performed at the control plane.",
 "type": "recommendation",
- "guid": "7729c230-dbdf-4aec-9295-fcb0a0c365f2"
+ "guid": "f616fbf3-1c9d-4ffb-82ae-aba4fb6ad730"
 },
 {
 "waf": "cost",
 "service": "Azure Expressroute",
- "text": "Familiarize yourself with ExpressRoute pricing.",
+ "text": "Familiarize yourself with ExpressRoute pricing: As part of your cost model exercise, estimate the cost of ExpressRoute.
Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
 "description": "",
 "type": "checklist",
- "guid": "43d6df90-c15b-494c-8d35-c4fc9180fbdb"
+ "guid": "2dde8e01-0cf8-4752-88fd-99ad7a6d3505"
 },
 {
 "waf": "cost",
 "service": "Azure Expressroute",
- "text": "Determine the ExpressRoute circuit SKU and bandwidth required.",
+ "text": "Determine circuit SKU and bandwidth required: Base your selection of ExpressRoute circuit and virtual network gateway SKU and bandwidth on the capacity demand and performance requirements of your workload.",
 "description": "",
 "type": "checklist",
- "guid": "92065590-2f1a-4a81-a6a6-2b102f66f9e3"
+ "guid": "acb8e056-353d-45ed-98b6-708b373ecaa6"
 },
 {
 "waf": "cost",
 "service": "Azure Expressroute",
- "text": "Determine the ExpressRoute virtual network gateway size required.",
+ "text": "Determine the ExpressRoute virtual network gateway size: Choose the right size for your ExpressRoute virtual network gateway based on the capacity demand and performance requirements of your workload.",
 "description": "",
 "type": "checklist",
- "guid": "f6e0770f-fa13-450e-8c81-baf51ba1b550"
+ "guid": "4e4f299e-8634-432b-8021-a56a494fffed"
 },
 {
 "waf": "cost",
 "service": "Azure Expressroute",
- "text": "Monitor cost and create budget alerts.",
+ "text": "Monitor cost and create budget alerts: Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks.",
 "description": "",
 "type": "checklist",
- "guid": "07d0ba21-7eef-47d1-8ba0-26fefa26c733"
+ "guid": "a0b8c0b6-b401-4078-98ff-82e9d4363ef1"
 },
 {
 "waf": "cost",
 "service": "Azure Expressroute",
- "text": "Deprovision ExpressRoute circuits no longer in use.",
+ "text": "Deprovision and delete unused ExpressRoute circuits: Azure Advisor can detect ExpressRoute circuits that have been deployed for a significant time but have a provider status of Not Provisioned.",
 "description": "",
"type": "checklist",
- "guid": "d7be65f4-6500-49ea-92e3-3121fca4a076"
+ "guid": "659f9ca0-27d5-4c29-8d13-33a5c1a3a45c"
 },
 {
 "waf": "Cost",
 "service": "Azure Expressroute",
- "text": "Familiarize yourself with ExpressRoute pricing",
- "description": "For information about ExpressRoute pricing, see Understand pricing for Azure ExpressRoute. You can also use the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
+ "text": "Familiarize yourself with ExpressRoute pricing. Use the Azure Pricing Calculator to estimate the cost. ExpressRoute Direct has a monthly port fee that includes the circuit fee for Local and Standard SKU ExpressRoute circuits. For Premium SKU circuits, there's an additional circuit fee. Outbound data transfer is charged per GB used, depending on the zone number of the peering location. The outbound data charge applies only to Standard and Premium SKUs. For more information, see plan and manage costs for Azure ExpressRoute.",
+ "description": "Understanding ExpressRoute pricing enables better cost management, informed decision-making, avoidance of unexpected charges and maximization of value.",
 "type": "recommendation",
- "guid": "f230ac81-7590-4300-9b9f-95d784e60ab2"
+ "guid": "be226fcf-d836-47ca-bcdc-a67fb6cd4b28"
 },
 {
 "waf": "Cost",
 "service": "Azure Expressroute",
- "text": "Determine SKU and bandwidth required",
- "description": "The way you're charged for your ExpressRoute usage varies between the three different SKU types. With Local SKU, you're automatically charged with an Unlimited data plan. With Standard and Premium SKU, you can select between a Metered or an Unlimited data plan. All ingress data are free of charge except when using the Global Reach add-on. It's important to understand which SKU types and data plan works best for your workload to best optimize cost and budget.
For more information resizing ExpressRoute circuit, see upgrading ExpressRoute circuit bandwidth.",
+ "text": "Determine circuit SKU and bandwidth required. The way you're charged for your ExpressRoute usage varies between the three different SKU types. With the Local SKU, you're automatically charged with an Unlimited data plan. With the Standard and Premium SKUs, you can choose between a Metered or an Unlimited data plan. All ingress data is free of charge, except when using the Global Reach add-on, which incurs additional costs for data transfer between different geographical locations. It's important to review and resize your ExpressRoute circuit.",
+ "description": "It's important to understand which SKU types and data plan works best for your workload to best optimize cost and budget.",
 "type": "recommendation",
- "guid": "3d8a5d49-af34-431f-b47f-ee8cf05479b5"
+ "guid": "d63e8bae-4dc1-4630-964e-d3a2776f515e"
 },
 {
 "waf": "Cost",
 "service": "Azure Expressroute",
- "text": "Determine the ExpressRoute virtual network gateway size",
- "description": "ExpressRoute virtual network gateways are used to pass traffic into a virtual network over private peering. Review the performance and scale needs of your preferred Virtual Network Gateway SKU. Select the appropriate gateway SKU on your on-premises to Azure workload.",
+ "text": "Determine the size of the ExpressRoute Virtual Network Gateway. ExpressRoute virtual network gateways are used to pass traffic into a virtual network over private peering. Select the appropriate gateway SKU on your on-premises to Azure workload. Understand ExpressRoute Gateway pricing based on region and type. ExpressRoute Gateways are charged at an hourly rate plus the cost of an ExpressRoute circuit. Configure scalable ExpressRoute gateways to set minimum and maximum scale units for the gateway, which auto-scales based on active bandwidth or flow count.
See ExpressRoute pricing and select ExpressRoute Gateways to see rates for different gateway SKUs.",
+ "description": "This benefits you by enabling right-sizing of resources, providing flexibility to scale, optimizing performance, and supporting proactive cost management. This approach ensures that you're using resources efficiently and cost-effectively.",
 "type": "recommendation",
- "guid": "82224292-a5a6-4b85-9b2f-b617117c4285"
+ "guid": "01090a40-e091-464e-aeb8-2181ddbb50a6"
 },
 {
 "waf": "Cost",
 "service": "Azure Expressroute",
- "text": "Monitor cost and create budget alerts",
- "description": "Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks. For more information, see Monitoring ExpressRoute costs.",
+ "text": "Monitor costs and create budget alerts. Monitor the cost of your ExpressRoute circuit and create alerts for spending anomalies and overspending risks.",
+ "description": "Monitoring and alerts provide you with tools to control spending, enhance financial planning, ensure accountability, and optimize resource usage.",
 "type": "recommendation",
- "guid": "e2e81918-e05e-49e1-a37c-cb65840c8699"
+ "guid": "cd52eea6-2701-4bb7-a5fc-ac5e63062e27"
 },
 {
 "waf": "Cost",
 "service": "Azure Expressroute",
- "text": "Deprovision and delete ExpressRoute circuits no longer in use.",
- "description": "ExpressRoute circuits are charged from the moment they're created. To reduce unnecessary cost, deprovision the circuit with the service provider and delete the ExpressRoute circuit from your subscription. For steps on how to remove an ExpressRoute circuit, see Deprovisioning an ExpressRoute circuit.",
+ "text": "Deprovision and delete unused ExpressRoute circuits. Azure Advisor can detect ExpressRoute circuits that have been deployed for a significant time but have a provider status of Not Provisioned.",
+ "description": "ExpressRoute circuits are charged from the moment they're created.
To reduce unnecessary cost, deprovision the circuit with the service provider and delete the ExpressRoute circuit from your subscription.",
 "type": "recommendation",
- "guid": "131104a1-a17f-4b6b-9384-0b636a5d5265"
+ "guid": "51ccb1fa-9ca2-427b-9140-0496e36fd503"
 },
 {
 "waf": "operations",
 "service": "Azure Expressroute",
- "text": "Configure connection monitoring between your on-premises and Azure network.",
+ "text": "Choose the closest peering locations: Choose the closest peering locations to your on-premises network to reduce latency and costs.",
 "description": "",
 "type": "checklist",
- "guid": "4c7d0c83-02a0-4535-a378-c2ab4c13469c"
+ "guid": "673a0251-52de-4ef7-9afb-3cb93d38082f"
 },
 {
 "waf": "operations",
 "service": "Azure Expressroute",
- "text": "Configure Service Health for receiving notification.",
+ "text": "Configure connection monitoring between your on-premises and Azure network: Use Connection Monitor to monitor connectivity between your on-premises resources and Azure over the ExpressRoute private peering and Microsoft peering connection.",
 "description": "",
 "type": "checklist",
- "guid": "69c4fb71-4d2c-4534-a4db-5e3146a31e1d"
+ "guid": "8eeadeaf-fde7-4697-bbd6-b44d8dc9afe9"
 },
 {
 "waf": "operations",
 "service": "Azure Expressroute",
- "text": "Review metrics and dashboards available through ExpressRoute Insights using Network Insights.",
+ "text": "Configure dynamic routing for your Microsoft peering enabled ExpressRoute circuit: Dynamic routing for ExpressRoute leverages BGP to provide automatic route updates, optimal path selection, scalability, and interoperability for your network.",
 "description": "",
 "type": "checklist",
- "guid": "33b4fca5-1f90-4947-8091-6c23aba0651a"
+ "guid": "44aaf506-aea8-41d5-aac8-b8e663be569c"
 },
 {
 "waf": "operations",
 "service": "Azure Expressroute",
- "text": "Review ExpressRoute resource metrics.",
+ "text": "Configure Service Health for receiving notification: Configure Service Health notifications to alert you
when planned and upcoming maintenance is happening to all ExpressRoute circuits in your subscription. For more information on how to integrate with the overall health model for your workload, see Health modeling for workloads.",
 "description": "",
 "type": "checklist",
- "guid": "638c050d-7555-4575-bb8d-a4f2b613fa87"
+ "guid": "a3a7133c-6971-40c7-892e-b57b6d3c806b"
+ },
+ {
+ "waf": "operations",
+ "service": "Azure Expressroute",
+ "text": "Configure Traffic Collector for ExpressRoute: ExpressRoute Traffic Collector enables the sampling of network flows over your ExpressRoute circuits.",
+ "description": "",
+ "type": "checklist",
+ "guid": "f275a323-3072-4db2-90b9-1191033408db"
+ },
+ {
+ "waf": "operations",
+ "service": "Azure Expressroute",
+ "text": "Collect, analyze, and visualize metrics and logs: Collect metrics and logs as part of the overall monitoring strategy of your solution. Set alerts to proactively notify you when a certain threshold is met. Review metrics and dashboards available through ExpressRoute Insights to view details of your peering components all in a single place.",
+ "description": "",
+ "type": "checklist",
+ "guid": "b6af0be2-907d-415a-a25f-11e25a825498"
 },
 {
 "waf": "Operations",
 "service": "Azure Expressroute",
- "text": "Configure connection monitoring",
- "description": "Connection monitoring allows you to monitor connectivity between your on-premises resources and Azure over the ExpressRoute private peering and Microsoft peering connection.
Connection monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures.",
+ "text": "Choose the closest peering locations to your on-premises network to reduce latency and costs.",
+ "description": "By choosing the closest peering location to your on-premises network, you can reduce latency and costs, ensuring optimal performance and cost-effectiveness.",
 "type": "recommendation",
- "guid": "c6766a4e-7531-4335-af44-4fd1a3c706f4"
+ "guid": "8ab284de-5257-4574-b393-fbb6082db208"
 },
 {
 "waf": "Operations",
 "service": "Azure Expressroute",
- "text": "Configure Service Health",
- "description": "Set up Service Health notifications to alert when planned and upcoming maintenance is happening to all ExpressRoute circuits in your subscription. Service Health also displays past maintenance along with RCA if an unplanned maintenance were to occur.",
+ "text": "Configure Connection Monitor between your on-premises and Azure network.",
+ "description": "Connection Monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures. Connection Monitor is part of Azure Monitor logs.",
 "type": "recommendation",
- "guid": "5ff3a7b5-974a-466d-ab01-ad90c143969d"
+ "guid": "827b212c-c289-43da-9c9a-5f0ceb2aa08e"
 },
 {
 "waf": "Operations",
 "service": "Azure Expressroute",
- "text": "Review metrics with Network Insights",
- "description": "ExpressRoute Insights with Network Insights allow you to review and analyze ExpressRoute circuits, gateways, connections metrics and health dashboards.
ExpressRoute Insights also provide a topology view of your ExpressRoute connections where you can view details of your peering components all in a single place.Metrics available:- Availability- Throughput- Gateway metrics",
+ "text": "Configure dynamic routing your Microsoft peering enabled ExpressRoute circuit.",
+ "description": "Dynamic routing allows for more efficient and flexible routing, ensuring optimal path selection and automatic updates to routing tables in response to network changes.",
 "type": "recommendation",
- "guid": "210546e8-29e3-40d9-869f-6236fddaadd0"
+ "guid": "30d4d653-9a82-47c5-90ff-c13eaf9dd779"
 },
 {
 "waf": "Operations",
 "service": "Azure Expressroute",
- "text": "Review ExpressRoute resource metrics",
- "description": "ExpressRoute uses Azure Monitor to collect metrics and create alerts base on your configuration. Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.",
+ "text": "Configure Service Health notifications to alert you when planned and upcoming maintenance is scheduled for all ExpressRoute circuits in your subscription. Service Health also displays past maintenance events along with Root Cause Analysis (RCA) if unplanned maintenance event occurs.",
+ "description": "Service Health notifications provide timely alerts about planned and unplanned maintenance, outages, and early warnings about potential issues.
This allows you to stay informed about the status of your ExpressRoute circuits.",
 "type": "recommendation",
- "guid": "8031ed87-7573-469a-9b05-01f4ff4d9231"
+ "guid": "e1d7ea73-b765-411e-9b0a-19fafdc40861"
 },
 {
- "waf": "performance",
+ "waf": "Operations",
 "service": "Azure Expressroute",
- "text": "Test ExpressRoute gateway performance to meet work load requirements.",
- "description": "",
- "type": "checklist",
- "guid": "256753af-fb4b-49b2-a965-4b65265ee8dd"
+ "text": "Configure Traffic Collector for ExpressRoute",
+ "description": "ExpressRoute Traffic Collector enables the sampling of network flows over your ExpressRoute circuits. It supports both Private peering and Microsoft peering, providing near real-time visibility into network throughput and performance.",
+ "type": "recommendation",
+ "guid": "e2f261e7-a497-42e3-91a7-57ab48fac835"
 },
 {
- "waf": "performance",
+ "waf": "Operations",
 "service": "Azure Expressroute",
- "text": "Increase the size of the ExpressRoute gateway.",
- "description": "",
- "type": "checklist",
- "guid": "9bc85bda-be71-4df0-924c-2604ef7f05fa"
+ "text": "Review metrics with Network Insights. ExpressRoute Insights with Network Insights allow you to review and analyze ExpressRoute circuits, gateways, connections metrics and health dashboards. ExpressRoute Insights also provide a topology view of your ExpressRoute connections where you can view details of your peering components all in a single place.",
+ "description": "Network Insights offers a centralized platform to monitor various metrics across ExpressRoute circuits, gateways, and connections, providing a comprehensive view of network health and performance.",
+ "type": "recommendation",
+ "guid": "cd2b5c2a-24a5-4a3a-8a72-0e9ddae06342"
+ },
+ {
+ "waf": "Operations",
+ "service": "Azure Expressroute",
+ "text": "Review ExpressRoute resource metrics.
Use Azure Monitor to collect metrics and create alerts based on your configuration.",
+ "description": "Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.",
+ "type": "recommendation",
+ "guid": "c2891c02-3d0d-4441-9610-ae62ce9ed054"
+ },
+ {
+ "waf": "Operations",
+ "service": "Azure Expressroute",
+ "text": "Review ExpressRoute metrics and create alerts. ExpressRoute uses Azure Monitor to collect metrics and create alerts based on your configuration. Follow the recommendations for designing and creating a monitoring system to implement your monitoring strategy for ExpressRoute and your workloads.",
+ "description": "Metrics are collected for ExpressRoute circuits, ExpressRoute gateways, ExpressRoute gateway connections, and ExpressRoute Direct. These metrics are useful for diagnosing connectivity problems and understanding the performance of your ExpressRoute connection.",
+ "type": "recommendation",
+ "guid": "92e6413e-6737-4aff-8c97-b9532485e43a"
 },
 {
 "waf": "performance",
 "service": "Azure Expressroute",
- "text": "Upgrade the ExpressRoute circuit bandwidth.",
+ "text": "Test ExpressRoute gateway performance to meet work load requirements: Use the Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection.",
 "description": "",
 "type": "checklist",
- "guid": "102ee202-4b37-498a-8826-d698d11e3b03"
+ "guid": "26aea392-63b4-4036-a70c-3d2e505c15f4"
 },
 {
 "waf": "performance",
 "service": "Azure Expressroute",
- "text": "Enable ExpressRoute FastPath for higher throughput.",
+ "text": "Plan for scaling: Based on your scalability requirements, choose the right ExpressRoute circuit SKU and also the Virtual Network Gateway SKUs. Each SKU offers different features and limits.
Take into consideration the performance, feature, and routing needs of your network. For additional scalability guidance for your solution, see Recommendations for optimizing scaling and partitioning.",
 "description": "",
 "type": "checklist",
- "guid": "627c2d5f-e638-41fd-be98-9ba1bf195ce3"
+ "guid": "e47ca257-b734-4304-8e50-0d27286f45ba"
 },
 {
 "waf": "performance",
 "service": "Azure Expressroute",
- "text": "Monitor the ExpressRoute circuit and gateway metrics.",
+ "text": "Monitor the performance of ExpressRoute resources: Collect and analyze the performance telemetry in accordance with the WAF Recommendations for collecting performance data. Validate that it meets your performance targets and set up alerts to proactively notify you when a certain threshold is met.",
 "description": "",
 "type": "checklist",
- "guid": "040f4b75-2706-42f3-9a9c-cee611032d91"
+ "guid": "0f31e8d8-8393-488d-bbd8-3e5e65edd06f"
 },
 {
 "waf": "Performance",
 "service": "Azure Expressroute",
- "text": "Test ExpressRoute gateway performance to meet work load requirements.",
- "description": "Use Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection.",
+ "text": "Test ExpressRoute gateway performances to meet work load requirements with the Azure Connectivity Toolkit. Schedule bandwidth-intensive operations such as backups and performance testing at times of low production traffic.",
+ "description": "The toolkit provides user-friendly tools and interfaces that simplify the process of configuring and managing network connections to Azure.
The toolkit includes tools to optimize network performance, ensuring efficient and reliable connectivity to Azure services.",
 "type": "recommendation",
- "guid": "256753af-fb4b-49b2-a965-4b65265ee8dd"
+ "guid": "e7f88c9c-c205-40f6-86fd-5d662e5569ec"
 },
 {
 "waf": "Performance",
 "service": "Azure Expressroute",
- "text": "Increase the size of the ExpressRoute gateway.",
- "description": "Upgrade to a higher gateway SKU for improved throughput performance between on-premises and Azure environment.",
+ "text": "Plan for scaling of ExpressRoute circuits. Upgrade your ExpressRoute circuit bandwidth to meet your production workload requirements. Circuit bandwidth is shared between all virtual networks connected to the ExpressRoute circuit. Depending on your workload, one or more virtual networks can use up all the bandwidth on the circuit. For more information, see ExpressRoute limits.",
+ "description": "Upgrading the bandwidth ensures that the network can handle increasing data volumes and more users without compromising performance.",
 "type": "recommendation",
- "guid": "9bc85bda-be71-4df0-924c-2604ef7f05fa"
+ "guid": "3ee8d426-5575-4ebf-9bda-2815fc737bf5"
 },
 {
 "waf": "Performance",
 "service": "Azure Expressroute",
- "text": "Upgrade ExpressRoute circuit bandwidth",
- "description": "Upgrade your circuit bandwidth to meet your work load requirements. Circuit bandwidth is shared between all virtual networks connected to the ExpressRoute circuit. Depending on your work load, one or more virtual networks can use up all the bandwidth on the circuit.",
+ "text": "Plan for scaling of ExpressRoute Virtual Network Gateway. Upgrade your ExpressRoute Virtual Network Gateway SKU to meet your production workload requirements.",
+ "description": "Upgrading to a larger gateway SKU provides higher throughput capabilities, allowing more data to be transferred between on-premises networks and Azure more quickly.
A larger gateway can manage more simultaneous connections and higher volumes of traffic, reducing the likelihood of network congestion and bottlenecks.", "type": "recommendation", - "guid": "db8f8202-db07-497f-be72-17db8bda90c5" + "guid": "25ef127a-4ad9-44e2-8834-87bbbd6a91ce" }, { "waf": "Performance", "service": "Azure Expressroute", - "text": "Enable ExpressRoute FastPath for higher throughput", - "description": "If you're using an Ultra performance or an ErGW3AZ virtual network gateway, you can enable FastPath to improve the data path performance between your on-premises network and Azure virtual network.", + "text": "Configure Scalable Gateways to automatically scale for performance.", + "description": "Scalable Gateways allows you to scale up and down automatically with your gateway instances to accommodate performance needs. ErGwScale SKU also enables you to achieve 40-Gbps connectivity to virtual machines and Private Endpoints within the virtual network.", "type": "recommendation", - "guid": "01566559-f881-409b-b04e-7d79a71f18e4" + "guid": "d6f28bdb-d970-4f2e-aa8f-0b3ac527f5e6" }, { "waf": "Performance", "service": "Azure Expressroute", - "text": "Monitor ExpressRoute circuit and gateway metrics", - "description": "Set up alerts base on ExpressRoute metrics to proactively notify you when a certain threshold is met. These metrics are useful to understand anomalies that can happen with your ExpressRoute connection such as outages and maintenance happening to your ExpressRoute circuits.", + "text": "Enable ExpressRoute FastPath for higher throughput on your virtual network gateway.", + "description": "This feature improves the data path performance between your on-premises network and your virtual network resources by bypassing the gateway. As business needs grow, FastPath provides the necessary bandwidth and performance to support increasing data volumes and more users without compromising performance. 
Enabling FastPath ensures that the network can handle future expansions and new applications, providing long-term performance efficiency.", "type": "recommendation", - "guid": "6440df71-d371-4190-920f-01c1815446db" + "guid": "ffea28eb-c146-445c-960a-b34632aec347" + }, + { + "waf": "Performance", + "service": "Azure Expressroute", + "text": "Monitor Monitor ExpressRoute circuit, port, and gateway metrics. Configure alerts for ExpressRoute metrics to proactively notify you when a certain threshold is met. ExpressRoute circuit metrics supports metrics such as Arp Availability, BitsInPerSecond, DroppedInBitsPerSecond. ExpressRoute port metrics supports metrics such as AdminState, BitsInPerSecond, and FastPathRoutesCount. ExpressRoute Gateway metrics supports metrics such as Bits In Per Second, Active Flows, and Count Of Routes Advertised to Peer.
Monitor performance targets with Connection Monitor.", + "description": "ExpressRoute circuit, port, and gateway metrics are useful to understand anomalies that can happen with your ExpressRoute connection such as outages and maintenance happening to your ExpressRoute circuits. Connection Monitor can detect networking issues by identifying where along the network path the problem is and help you quickly resolve configuration or hardware failures.", + "type": "recommendation", + "guid": "69503754-2f8b-4137-b31f-1bea8ab0c007" }, { "waf": "reliability", @@ -3133,7 +3309,7 @@ "waf": "Reliability", "service": "Azure Kubernetes Service", "text": "Cluster architecture: Use availability zones to maximize resilience within an Azure region by distributing AKS agent nodes across physically separate data centers.", - "description": "By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down. If colocality requirements exist, either a regular VMSS-based AKS deployment into a single zone or proximity placement groups can be used to minimize internode latency.", + "description": "By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down. If colocality requirements exist, either a regular Virtual Machine Scale Sets based AKS deployment into a single zone or proximity placement groups can be used to minimize internode latency.", "type": "recommendation", "guid": "74ff8612-55b7-4029-81bc-da363b133f16" }, 
@@ -3373,7 +3549,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Cluster architecture: Select virtual machines based on the Arm architecture.", - "description": "AKS supports creating ARM64 Ubuntu agent nodes, as well as a of mix Intel and ARM architecture nodes within a cluster that can bring better performance at a lower cost.", + "description": "AKS supports creating Arm64 Ubuntu agent nodes, as well as a mix of Intel and ARM architecture nodes within a cluster that can bring better performance at a lower cost.", "type": "recommendation", "guid": "ce50c713-ad3e-4781-9193-63485491aa48" }, @@ -3389,7 +3565,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Cluster architecture: Select the appropriate region.", - "description": "Due to many factors, cost of resources varies per region in Azure. Evaluate the cost, latency, and compliance requirements to ensure you are running your workload cost-effectively and it doesn't affect your end-users or create extra networking charges.", + "description": "Due to many factors, cost of resources varies per region in Azure. Evaluate the cost, latency, and compliance requirements to ensure you're running your workload cost-effectively and it doesn't affect your end-users or create extra networking charges.", "type": "recommendation", "guid": "433efe5b-3776-459c-8560-058f87773838" }, @@ -3437,7 +3613,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Workload architecture: Use Kubernetes Event Driven Autoscaling (KEDA).", - "description": "Scale based on the number of events being processed. Choose from a rich catalogue of 50+ KEDA scalers.", + "description": "Scale based on the number of events being processed. Choose from a rich catalog of 50+ KEDA scalers.", "type": "recommendation", "guid": "fe3d7c5f-f5a9-4b5e-a4f9-81bf76930967" }, 
@@ -3445,7 +3621,7 @@ "waf": "Cost", "service": "Azure Kubernetes Service", "text": "Cluster and workload architectures: Adopt a cloud financial discipline and cultural practice to drive ownership of cloud usage.", - "description": "The foundation of enabling cost optimization is the spread of a cost saving cluster. A financial operations approach (FinOps) is often used to help organizations reduce cloud costs. It is a practice involving collaboration between finance, operations, and engineering teams to drive alignment on cost saving goals and bring transparency to cloud costs.", + "description": "The foundation of enabling cost optimization is the spread of a cost saving cluster. A financial operations approach (FinOps) is often used to help organizations reduce cloud costs. It's a practice involving collaboration between finance, operations, and engineering teams to drive alignment on cost saving goals and bring transparency to cloud costs.", "type": "recommendation", "guid": "3a7d1aa1-37a0-40aa-acbf-ff1852c15c93" }, @@ -5173,10 +5349,7 @@ "categories": [], "waf": [ { - "name": "reliability" - }, - { - "name": "Cost" + "name": "cost" }, { "name": "Operations" @@ -5185,22 +5358,25 @@ "name": "security" }, { - "name": "Performance" + "name": "reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "operations" + "name": "performance" }, { - "name": "Security" + "name": "Cost" }, { - "name": "performance" + "name": "Reliability" }, { - "name": "cost" + "name": "Performance" + }, + { + "name": "Security" } ], "yesno": [ @@ -5237,6 +5413,6 @@ "name": "WAF Service Guides", "waf": "all", "state": "preview", - "timestamp": "October 20, 2024" + "timestamp": "November 10, 2024" } } \ No newline at end of file
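Review bot: The `waf` name list in the `@@ -5173,10 +5349,7 @@` hunk still lists every pillar twice, once lowercase and once capitalised (`cost`/`Cost`, `security`/`Security`, `performance`/`Performance`, and so on), and this change only reshuffles their order. The checklist items earlier in the same file mix both spellings as well (`"waf": "performance"` on one item, `"waf": "Performance"` on the next), so a consumer that filters or groups by pillar with an exact string match will split one pillar into two buckets. Normalising the value to a single case where the file is produced would reduce the list to five entries such as `{ "name": "Cost" }`. The order-only churn suggests the list is built from an unordered collection, so emitting it sorted would probably also keep this hunk out of future automated diffs.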