diff --git a/checklists-ext/appservicewebapps_sg_checklist.en.json b/checklists-ext/appservicewebapps_sg_checklist.en.json
index ef1fe5593..d00b647a6 100644
--- a/checklists-ext/appservicewebapps_sg_checklist.en.json
+++ b/checklists-ext/appservicewebapps_sg_checklist.en.json
@@ -195,28 +195,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -253,6 +253,6 @@
 "name": "App Service Web Apps Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureapplicationgateway_sg_checklist.en.json b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
index aea375e93..acae85714 100644
--- a/checklists-ext/azureapplicationgateway_sg_checklist.en.json
+++ b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
@@ -243,28 +243,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -301,6 +301,6 @@
 "name": "Azure Application Gateway Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureblobstorage_sg_checklist.en.json b/checklists-ext/azureblobstorage_sg_checklist.en.json
index f1ded7674..4a4fc4814 100644
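Review bot: The array that closes just before `"yesno"` holds entries that differ only in letter case on the new side (`security`/`Security`, `operations`/`Operations`, `cost`/`Cost`, `reliability`/`Reliability`), and this commit only permutes them. A reorder with no content change suggests the list is emitted from an unordered collection, which would explain why every file in this diff shows the same churn. Since item-level `waf` values elsewhere in the diff also appear in both spellings, a consumer filtering on `"Security"` could silently miss items tagged with the other casing. Consider folding the names to one canonical casing and sorting them before writing, so that each pillar appears once and the order is stable between runs. The array starts outside this hunk; the same pattern repeats in the matching hunk of the other eleven files.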
--- a/checklists-ext/azureblobstorage_sg_checklist.en.json
+++ b/checklists-ext/azureblobstorage_sg_checklist.en.json
@@ -219,28 +219,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -277,6 +277,6 @@
 "name": "Azure Blob Storage Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureexpressroute_sg_checklist.en.json b/checklists-ext/azureexpressroute_sg_checklist.en.json
index 97918d9df..71008e981 100644
--- a/checklists-ext/azureexpressroute_sg_checklist.en.json
+++ b/checklists-ext/azureexpressroute_sg_checklist.en.json
@@ -219,28 +219,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -277,6 +277,6 @@
 "name": "Azure Expressroute Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefiles_sg_checklist.en.json b/checklists-ext/azurefiles_sg_checklist.en.json
index a57ccfa08..394e12d7c 100644
--- a/checklists-ext/azurefiles_sg_checklist.en.json
+++ b/checklists-ext/azurefiles_sg_checklist.en.json
@@ -243,28 +243,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -301,6 +301,6 @@
 "name": "Azure Files Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefirewall_sg_checklist.en.json b/checklists-ext/azurefirewall_sg_checklist.en.json
index 6faef37b9..b6e3c02e8 100644
--- a/checklists-ext/azurefirewall_sg_checklist.en.json
+++ b/checklists-ext/azurefirewall_sg_checklist.en.json
@@ -379,28 +379,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -437,6 +437,6 @@
 "name": "Azure Firewall Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefrontdoor_sg_checklist.en.json b/checklists-ext/azurefrontdoor_sg_checklist.en.json
index c24f3fa21..abc24b9c7 100644
--- a/checklists-ext/azurefrontdoor_sg_checklist.en.json
+++ b/checklists-ext/azurefrontdoor_sg_checklist.en.json
@@ -187,28 +187,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -245,6 +245,6 @@
 "name": "Azure Front Door Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurekubernetesservice_sg_checklist.en.json b/checklists-ext/azurekubernetesservice_sg_checklist.en.json
index 434ccb03a..c25c8b8d7 100644
--- a/checklists-ext/azurekubernetesservice_sg_checklist.en.json
+++ b/checklists-ext/azurekubernetesservice_sg_checklist.en.json
@@ -319,7 +319,7 @@
 "text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
 "description": "Container insights help monitor the performance of containers by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API and container logs.",
 "type": "recommendation",
- "guid": "6a9671bd-a6e9-46c3-bd2e-8aecaf8f59d6"
+ "guid": "76d86a61-446d-4597-a547-9ba4d9c25377"
 },
 {
 "waf": "Operations",
@@ -343,7 +343,7 @@
 "text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
 "description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
 "type": "recommendation",
- "guid": "d0846227-0052-44a1-b340-25e6e3b9aebe"
+ "guid": "72c0719b-444b-49fa-b3fb-598de4c4a99d"
 },
 {
 "waf": "Operations",
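Review bot: Both `guid` values changed in `azurekubernetesservice_sg_checklist.en.json` belong to items whose `text`, `description` and `type` are unchanged context lines, so the identifier is not stable for an unchanged recommendation. Anything that records review status against `guid` (presumably its purpose) would lose that state on every regeneration; in `wafsg_checklist.en.json` this affects security items such as the TLS policy, Key Vault certificate storage and NSG recommendations. The Container insights item also receives a different new guid here (`76d86a61-…`) than the identical text does in `wafsg_checklist.en.json` (`6661db46-…`), so the two files cannot be joined on it. Consider carrying the existing guid forward whenever `text` is unchanged, or deriving it deterministically from stable fields. The same pattern applies to every guid hunk in `wafsg_checklist.en.json`.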
@@ -419,28 +419,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -477,6 +477,6 @@
 "name": "Azure Kubernetes Service Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azuremachinelearning_sg_checklist.en.json b/checklists-ext/azuremachinelearning_sg_checklist.en.json
index 1992306e2..d41ce6801 100644
--- a/checklists-ext/azuremachinelearning_sg_checklist.en.json
+++ b/checklists-ext/azuremachinelearning_sg_checklist.en.json
@@ -275,28 +275,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -333,6 +333,6 @@
 "name": "Azure Machine Learning Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureopenai_sg_checklist.en.json b/checklists-ext/azureopenai_sg_checklist.en.json
index 2636c7de7..cc967d81b 100644
--- a/checklists-ext/azureopenai_sg_checklist.en.json
+++ b/checklists-ext/azureopenai_sg_checklist.en.json
@@ -115,28 +115,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -173,6 +173,6 @@
 "name": "Azure Openai Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/virtualmachines_sg_checklist.en.json b/checklists-ext/virtualmachines_sg_checklist.en.json
index ed27db4ac..81dbed2d2 100644
--- a/checklists-ext/virtualmachines_sg_checklist.en.json
+++ b/checklists-ext/virtualmachines_sg_checklist.en.json
@@ -235,28 +235,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -293,6 +293,6 @@
 "name": "Virtual Machines Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/wafsg_checklist.en.json b/checklists-ext/wafsg_checklist.en.json
index 5221b8214..a37663554 100644
--- a/checklists-ext/wafsg_checklist.en.json
+++ b/checklists-ext/wafsg_checklist.en.json
@@ -535,7 +535,7 @@
 "text": "Plan for rule updates",
 "description": "Plan enough time for updates before accessing Application Gateway or making further changes. For example, removing servers from backend pool might take some time because they have to drain existing connections.",
 "type": "recommendation",
- "guid": "84e9e05f-2ab2-4087-8c5a-f1ae29768a58"
+ "guid": "f6991e25-5c9d-4b36-9df6-d4cd17d6d7cc"
 },
 {
 "waf": "Reliability",
@@ -543,7 +543,7 @@
 "text": "Use health probes to detect backend unavailability",
 "description": "If Application Gateway is used to load balance incoming traffic over multiple backend instances, we recommend the use of health probes. These will ensure that traffic is not routed to backends that are unable to handle the traffic.",
 "type": "recommendation",
- "guid": "8947f1ed-79a0-428f-8c2a-66ba0aba1069"
+ "guid": "93d5c5fc-95da-40dc-a935-bcdf72bb49bc"
 },
 {
 "waf": "Reliability",
@@ -551,7 +551,7 @@
 "text": "Review the impact of the interval and threshold settings on health probes",
 "description": "The health probe sends requests to the configured endpoint at a set interval. Also, there's a threshold of failed requests that will be tolerated before the backend is marked unhealthy. These numbers present a trade-off.- Setting a higher interval puts a higher load on your service. Each Application Gateway instance sends its own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.- Setting a lower interval leaves more time before an outage is detected.- Setting a low unhealthy threshold might mean that short, transient failures might take down a backend. - Setting a high threshold it can take longer to take a backend out of rotation.",
 "type": "recommendation",
- "guid": "57a75825-4393-4411-a927-51c45e2c197e"
+ "guid": "e4a0745d-0b8a-459b-8fc0-0399061a6425"
 },
 {
 "waf": "Reliability",
@@ -559,7 +559,7 @@
 "text": "Verify downstream dependencies through health endpoints",
 "description": "Suppose each backend has its own dependencies to ensure failures are isolated. For example, an application hosted behind Application Gateway might have multiple backends, each connected to a different database (replica). When such a dependency fails, the application might be working but won't return valid results. For that reason, the health endpoint should ideally validate all dependencies. Keep in mind that if each call to the health endpoint has a direct dependency call, that database would receive 100 queries every 30 seconds instead of 1. To avoid this, the health endpoint should cache the state of the dependencies for a short period of time.",
 "type": "recommendation",
- "guid": "18a6131e-128d-4b71-8daa-1c0beab8e7a5"
+ "guid": "4d7b12c2-d9bb-4547-8238-c2c93491afed"
 },
 {
 "waf": "Reliability",
@@ -639,7 +639,7 @@
 "text": "Set up a TLS policy for enhanced security",
 "description": "Set up a TLS policy for extra security. Ensure you're always using the latest TLS policy version available. This enforces TLS 1.2 and stronger ciphers.",
 "type": "recommendation",
- "guid": "494320e9-b38c-4370-959d-094a44094864"
+ "guid": "c394ed0c-ddb2-4efa-b4eb-deb2f11cff32"
 },
 {
 "waf": "Security",
@@ -647,7 +647,7 @@
 "text": "Use AppGateway for TLS termination",
 "description": "There are advantages of using Application Gateway for TLS termination:- Performance improves because requests going to different backends to have to re-authenticate to each backend.- Better utilization of backend servers because they don't have to perform TLS processing- Intelligent routing by accessing the request content.- Easier certificate management because the certificate only needs to be installed on Application Gateway.",
 "type": "recommendation",
- "guid": "8df6ae56-3bfc-4244-81d6-9a725b5ed412"
+ "guid": "f2c0a397-56bb-45f1-ac4d-b1837045db05"
 },
 {
 "waf": "Security",
@@ -655,7 +655,7 @@
 "text": "Use Azure Key Vault to store TLS certificates",
 "description": "Application Gateway can be integrated with Key Vault. This provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.",
 "type": "recommendation",
- "guid": "8b6244e7-e6ed-4eab-927c-ddbd506a87cf"
+ "guid": "db6594c5-00d9-42e3-9190-0da310bd8af5"
 },
 {
 "waf": "Security",
@@ -663,7 +663,7 @@
 "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)",
 "description": "A TLS certificate of the backend server must be issued by a well-known CA. If the certificate was not issued by a trusted CA, the Application Gateway checks if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate is found. Only then a secure connection is established. Otherwise, Application Gateway marks the backend as unhealthy.",
 "type": "recommendation",
- "guid": "d91bace4-beb9-4644-b8bc-f6565a84109b"
+ "guid": "79778b7d-1a8d-47bf-9000-cfe8f28007ed"
 },
 {
 "waf": "Security",
@@ -671,7 +671,7 @@
 "text": "Use an appropriate DNS server for backend pool resources",
 "description": "When the backend pool contains a resolvable FQDN, the DNS resolution is based on a private DNS zone or custom DNS server (if configured on the VNet), or it uses the default Azure-provided DNS.",
 "type": "recommendation",
- "guid": "12e3495d-cedc-48c3-9f80-6d61f4409aec"
+ "guid": "32630271-62af-4005-933b-36e73b3d6c43"
 },
 {
 "waf": "Security",
@@ -679,7 +679,7 @@
 "text": "Comply with all NSG restrictions for Application Gateway",
 "description": "NSGs are supported on Application Gateway subnet, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions. For details, see Network security groups.",
 "type": "recommendation",
- "guid": "7367ddbb-675a-4f67-8341-0ae2614fb35b"
+ "guid": "5644f4cb-0c54-41d6-9aff-27357089743c"
 },
 {
 "waf": "Security",
@@ -695,7 +695,7 @@
 "text": "Be aware of Application Gateway capacity changes when enabling WAF",
 "description": "When WAF is enabled, every request must be buffered by the Application Gateway until it fully arrives, checks if the request matches with any rule violation in its core rule set, and then forwards the packet to the backend instances. When there are large file uploads (30MB+ in size), it can result in a significant latency. Because Application Gateway capacity requirements are different with WAF, we do not recommend enabling WAF on Application Gateway without proper testing and validation.",
 "type": "recommendation",
- "guid": "5e2a741b-2faa-4fce-b04f-656985ca8bca"
+ "guid": "3ac67acb-dcca-413d-b0f9-50441d51675f"
 },
 {
 "waf": "cost",
@@ -743,7 +743,7 @@
 "text": "Familiarize yourself with Application Gateway pricing",
 "description": "For information about Application Gateway pricing, see Understanding Pricing for Azure Application Gateway and Web Application Firewall. You can also leverage the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
 "type": "recommendation",
- "guid": "167eeaec-1064-4598-a4c8-db6255140d52"
+ "guid": "dc1995b1-dcc3-4864-a862-0c5ceeb3452c"
 },
 {
 "waf": "Cost",
@@ -751,7 +751,7 @@
 "text": "Review underutilized resources",
 "description": "Identify and delete Application Gateway instances with empty backend pools to avoid unnecessary costs.",
 "type": "recommendation",
- "guid": "5a3afdb7-3da6-400c-9761-822fdcc4c1f3"
+ "guid": "baadcfab-050c-4d30-a79a-a235e775836a"
 },
 {
 "waf": "Cost",
@@ -767,7 +767,7 @@
 "text": "Have a scale-in and scale-out policy",
 "description": "A scale-out policy ensures that there will be enough instances to handle incoming traffic and spikes. Also, have a scale-in policy that makes sure the number of instances are reduced when demand drops. Consider the choice of instance size. The size can significantly impact the cost. Some considerations are described in the Estimate the Application Gateway instance count.For more information, see What is Azure Application Gateway v2?",
 "type": "recommendation",
- "guid": "48d3c23e-76e5-43c7-83c9-6cc79abe08e0"
+ "guid": "a63e6bb7-8040-4b43-9d0e-6ca8a3413315"
 },
 {
 "waf": "Cost",
@@ -775,7 +775,7 @@
 "text": "Review consumption metrics across different parameters",
 "description": "You're billed based on metered instances of Application Gateway based on the metrics tracked by Azure. Evaluate the various metrics and capacity units and determine the cost drivers. For more information, see Microsoft Cost Management and Billing. The following metrics are key for Application Gateway. This information can be used to validate that the provisioned instance count matches the amount of incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units- Current Capacity UnitsFor more information, see Application Gateway metrics.Make sure you account for bandwidth costs.",
 "type": "recommendation",
- "guid": "bc2c5670-3d5d-40bb-a600-0de389c60eb3"
+ "guid": "352664a9-dea7-4e45-9f4a-b1160768ac1b"
 },
 {
 "waf": "operations",
@@ -839,7 +839,7 @@
 "text": "Monitor capacity metrics",
 "description": "Use these metrics as indicators of utilization of the provisioned Application Gateway capacity. We strongly recommend setting up alerts on capacity. For details, see Application Gateway high traffic support.",
 "type": "recommendation",
- "guid": "cd9a502b-e1a0-4e5a-934a-ecd1bfdef9fc"
+ "guid": "2aeef441-2f0c-4f28-b3fe-85bb210e70d4"
 },
 {
 "waf": "Operations",
@@ -855,7 +855,7 @@
 "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
 "description": "Diagnostic logs allow you to view firewall logs, performance logs, and access logs. Use these logs to manage and troubleshoot issues with Application Gateway instances. For more information, see Back-end health and diagnostic logs for Application Gateway.",
 "type": "recommendation",
- "guid": "85525215-51d6-4ed6-8206-2a0871054288"
+ "guid": "2a3d27da-fdb8-49b0-95ed-7f9b32b4f7ca"
 },
 {
 "waf": "Operations",
@@ -863,7 +863,7 @@
 "text": "Use Azure Monitor Network Insights",
 "description": "Azure Monitor Network Insights provides a comprehensive view of health and metrics for network resources, including Application Gateway. For additional details and supported capabilities for Application Gateway, see Azure Monitor Network insights.",
 "type": "recommendation",
- "guid": "5eaa9827-d3b5-4be9-a0d4-4838a2ff255b"
+ "guid": "69a9c288-6a98-447b-92f8-68c84adc85cd"
 },
 {
 "waf": "Operations",
@@ -871,7 +871,7 @@
 "text": "Match timeout settings with the backend application",
 "description": "Ensure you have configured the IdleTimeout settings to match the listener and traffic characteristics of the backend application. The default value is set to four minutes and can be configured to a maximum of 30. For more information, see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring application health for reliability.",
 "type": "recommendation",
- "guid": "fc7095dc-d1e1-473c-8eac-17cde3631926"
+ "guid": "82f522dd-25e0-4e7c-a547-bc23577f7f1c"
 },
 {
 "waf": "Operations",
@@ -879,7 +879,7 @@
 "text": "Monitor Key Vault configuration issues using Azure Advisor",
 "description": "Application Gateway checks for the renewed certificate version in the linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation. You must configure the Advisor alerts to stay updated and fix such issues immediately to avoid any Control or Data plane related problems. For more information, see Investigating and resolving key vault errors. To set an alert for this specific case, use the Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.",
 "type": "recommendation",
- "guid": "926a13b1-2678-47b0-bacf-ffa0a459c2d8"
+ "guid": "6f9954fb-dff1-4d54-8672-0c1245908dca"
 },
 {
 "waf": "Operations",
@@ -887,7 +887,7 @@
 "text": "Consider SNAT port limitations in your design",
 "description": "SNAT port limitations are important for backend connections on the Application Gateway. There are separate factors that affect how Application Gateway reaches the SNAT port limit. For example, if the backend is a public IP address, it will require its own SNAT port. In order to avoid SNAT port limitations, you can increase the number of instances per Application Gateway, scale out the backends to have more IP addresses, or move your backends into the same virtual network and use private IP addresses for the backends.Requests per second (RPS) on the Application Gateway will be affected if the SNAT port limit is reached. For example, if an Application Gateway reaches the SNAT port limit, then it won't be able to open a new connection to the backend, and the request will fail.",
 "type": "recommendation",
- "guid": "2c659b9a-c873-4274-ba4f-752f8f44e31c"
+ "guid": "ca428415-6120-410f-9a91-c1baeb6c0084"
 },
 {
 "waf": "performance",
@@ -935,7 +935,7 @@
 "text": "Define the minimum instance count",
 "description": "For Application Gateway v2 SKU, autoscaling takes some time (approximately six to seven minutes) before the additional set of instances is ready to serve traffic. During that time, if there are short spikes in traffic, expect transient latency or loss of traffic.We recommend that you set your minimum instance count to an optimal level. After you estimate the average instance count and determine your Application Gateway autoscaling trends, define the minimum instance count based on your application patterns. For information, see Application Gateway high traffic support.Check the Current Compute Units for the past one month. This metric represents the gateway's CPU utilization. To define the minimum instance count, divide the peak usage by 10. For example, if your average Current Compute Units in the past month is 50, set the minimum instance count to five.",
 "type": "recommendation",
- "guid": "ce9ccebe-833d-425d-ad18-75b2674c5852"
+ "guid": "4d24ceaf-6ff5-4b88-96e2-851546c368c1"
 },
 {
 "waf": "Performance",
@@ -943,7 +943,7 @@
 "text": "Define the maximum instance count",
 "description": "We recommend 125 as the maximum autoscale instance count. Make sure the subnet that has the Application Gateway has sufficient available IP addresses to support the scale-up set of instances.Setting the maximum instance count to 125 has no cost implications because you're billed only for the consumed capacity.",
 "type": "recommendation",
- "guid": "cf5545a9-617c-41b4-be24-364c29921643"
+ "guid": "895dcecb-9895-4a39-bafd-4df574353366"
 },
 {
 "waf": "Performance",
@@ -951,7 +951,7 @@
 "text": "Define Application Gateway subnet size",
 "description": "Application Gateway needs a dedicated subnet within a virtual network. The subnet can have multiple instances of the deployed Application Gateway resource. You can also deploy other Application Gateway resources in that subnet, v1 or v2 SKU.Here are some considerations for defining the subnet size:- Application Gateway uses one private IP address per instance and another private IP address if a private front-end IP is configured.- Azure reserves five IP addresses in each subnet for internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances. Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum subnet size of /26 is recommended. Because the Standard_v2 or WAF_v2 SKU can support up to 125 instances, using the same calculation, a subnet size of /24 is recommended.- If you want to deploy additional Application Gateway resources in the same subnet, consider the additional IP addresses that will be required for their maximum instance count for both, Standard and Standard v2.",
 "type": "recommendation",
- "guid": "f84de96e-5a5f-4977-b349-c78ec00f7086"
+ "guid": "57675336-826b-4523-b248-bfe3c324c38a"
 },
 {
 "waf": "Performance",
@@ -1847,7 +1847,7 @@
 "text": "Test ExpressRoute gateway performance to meet work load requirements.",
 "description": "Use Azure Connectivity Toolkit to test performance across your ExpressRoute circuit to understand bandwidth capacity and latency of your network connection.",
 "type": "recommendation",
- "guid": "587ddb10-bc25-40df-8133-61172142bbfe"
+ "guid": "256753af-fb4b-49b2-a965-4b65265ee8dd"
 },
 {
 "waf": "Performance",
@@ -1855,7 +1855,7 @@
 "text": "Increase the size of the ExpressRoute gateway.",
 "description": "Upgrade to a higher gateway SKU for improved throughput performance between on-premises and Azure environment.",
 "type": "recommendation",
- "guid": "095083c6-98ff-40ad-ac52-f87b1adaa800"
+ "guid": "9bc85bda-be71-4df0-924c-2604ef7f05fa"
 },
 {
 "waf": "Performance",
@@ -1903,7 +1903,7 @@
 "text": "Configure data redundancy: For maximum durability, choose a configuration that copies data across availability zones or global regions. For maximum availability, choose a configuration that allows clients to read data from the secondary region during an outage of the primary region.",
 "description": "",
 "type": "checklist",
- "guid": "d4d81d5e-7082-4cd2-8198-52f388cafdd8"
+ "guid": "f9c07c6b-c5ab-4e57-83f7-9455042e2e23"
 },
 {
 "waf": "reliability",
@@ -1927,7 +1927,7 @@
 "text": "Create a recovery plan: Consider data protection features, backup and restore operations, or failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over. For more information, see Recommendations for designing a disaster recovery strategy.",
 "description": "",
 "type": "checklist",
- "guid": "a2ff95c9-d626-4081-9263-9cf69bdad742"
+ "guid": "3a9677e5-9506-4aaa-bac6-48b5002070c1"
 },
 {
 "waf": "reliability",
@@ -2271,7 +2271,7 @@
 "text": "Create maintenance and emergency recovery plans: Consider data protection features, backup and restore operations, and failover procedures. Prepare for potential data loss and data inconsistencies and the time and cost of failing over.",
 "description": "",
 "type": "checklist",
- "guid": "9255b4bb-6217-43e4-84ee-4fc892c834c0"
+ "guid": "ab85e732-c3b0-47d2-ae0c-fa0ccf3ee4d1"
 },
 {
 "waf": "operations",
@@ -2295,7 +2295,7 @@
 "text": "Use infrastructure as code (IaC) to define the details of your storage accounts in Azure Resource Manager templates (ARM templates), Bicep, or Terraform.",
 "description": "You can use your existing DevOps processes to deploy new storage accounts, and use Azure Policy to enforce their configuration.",
 "type": "recommendation",
- "guid": "357d0398-f29a-4041-b9b5-1caf52e2e9da"
+ "guid": "d069785a-7a9f-4a12-9642-3987b04328d1"
 },
 {
 "waf": "Operations",
@@ -2303,7 +2303,7 @@
 "text": "Use Storage insights to track the health and performance of your storage accounts. Storage insights provides a unified view of the failures, performance, availability, and capacity for all your storage accounts.",
 "description": "You can track the health and operation of each of your accounts. Easily create dashboards and reports that stakeholders can use to track the health of your storage accounts.",
 "type": "recommendation",
- "guid": "68d10f36-7a7f-46fd-a722-69fc489e4df6"
+ "guid": "9475eb5c-afb9-446a-bcb1-85ecc26112a9"
 },
 {
 "waf": "Operations",
@@ -3639,7 +3639,7 @@
 "text": "Workload architecture: Use a Web Application Firewall to secure HTTP(S) traffic.",
 "description": "To scan incoming traffic for potential attacks, use a web application firewall such as Azure Web Application Firewall (WAF) on Azure Application Gateway or Azure Front Door.",
 "type": "recommendation",
- "guid": "57f972b6-5cb8-4041-a171-2f74e0fc3fdc"
+ "guid": "4658f193-0b5d-41c9-b2c9-0a5f500799ea"
 },
 {
 "waf": "Security",
@@ -3911,7 +3911,7 @@
 "text": "Cluster and workload architectures: Configure monitoring of cluster with Container insights.",
 "description": "Container insights help monitor the performance of containers by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API and container logs.",
 "type": "recommendation",
- "guid": "0e96c4ea-2e5d-4890-acaf-bfed9976c3e5"
+ "guid": "6661db46-26b0-4cc9-9002-f52bce55ca03"
 },
 {
 "waf": "Operations",
@@ -3935,7 +3935,7 @@
 "text": "Cluster architecture: Adopt a multiregion strategy by deploying AKS clusters deployed across different Azure regions to maximize availability and provide business continuity.",
 "description": "Internet facing workloads should leverage Azure Front Door or Azure Traffic Manager to route traffic globally across AKS clusters.",
 "type": "recommendation",
- "guid": "c7f704cc-a8fc-418f-bd82-454ea7c4c891"
+ "guid": "844d923f-cfe0-4a3a-97ff-67c072c4220c"
 },
 {
 "waf": "Operations",
@@ -5555,28 +5555,28 @@
 "name": "security"
 },
 {
- "name": "Security"
+ "name": "Operations"
 },
 {
- "name": "operations"
+ "name": "performance"
 },
 {
- "name": "Reliability"
+ "name": "Security"
 },
 {
- "name": "Cost"
+ "name": "cost"
 },
 {
- "name": "performance"
+ "name": "operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Operations"
+ "name": "Cost"
 },
 {
- "name": "cost"
+ "name": "Reliability"
 }
 ],
 "yesno": [
@@ -5613,6 +5613,6 @@
 "name": "WAF Service Guides",
 "waf": "all",
 "state": "preview",
- "timestamp": "July 14, 2024"
+ "timestamp": "July 28, 2024"
 }
 }
\ No newline at end of file