From 473ee6f451c5fd1f474dfb46d73e2f35e15c5fb5 Mon Sep 17 00:00:00 2001
From: Jose Moreno
Date: Fri, 1 Dec 2023 11:45:09 +0100
Subject: [PATCH] Update alz_checklist.en.json
---
 checklists/alz_checklist.en.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index d5ad9840e..09c6d9818 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -887,7 +887,7 @@
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",
- "text": "Use Connection Monitor for connectivity monitoring across the environment.",
+ "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.",
 "waf": "Operations",
 "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
 "id": "D04.13",
@@ -929,6 +929,17 @@
 "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
 "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))"
 },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "Hybrid",
+ "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should fail over to the second connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
+ "waf": "Reliability",
+ "guid": "d581a947-69a2-4783-942e-9df3664324c8",
+ "id": "D04.17",
+ "ammp": true,
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections"
+ },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "IP plan",
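Review bot: The new D04.17 `text` packs two separate checks into one High-severity item: dynamic failover to the circuit's second connection, and active/active load sharing, which the same sentence calls optional ("active/passive is supported too"). An assessor cannot record an environment that fails over correctly but runs active/passive without marking the whole item either compliant or not. Consider keeping only the failover requirement here, e.g. `"text": "If using ExpressRoute, use dynamic on-premises routing so that traffic fails over to the second connection of the circuit when one connection fails."`, and moving the active/active preference to its own item with a lower severity. The imperative wording would also match the D04.13 entry in the first hunk ("Use Connection Monitor …").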