
Merge pull request #859 from igorjnzl/main
Adding resiliency checks for ALZ services
igorjnzl authored Sep 13, 2024
2 parents 8d6e4cc + 8fc2b35 commit dac44ef
Showing 1 changed file with 100 additions and 13 deletions.
113 changes: 100 additions & 13 deletions checklists/alz_checklist.en.json
Expand Up @@ -284,14 +284,27 @@
"training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
"link": "https://learn.microsoft.com/entra/identity/domain-services/overview"
},
{
"category": "Identity and Access Management",
"subcategory": "Identity",
"text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ",
"waf": "Reliability",
"service": "Entra",
"guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761",
"id": "B03.12",
"graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
"severity": "Medium",
"training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services",
"link": "https://learn.microsoft.com/entra/identity/domain-services/overview"
},
{
"category": "Identity and Access Management",
"subcategory": "Identity",
"text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.",
"waf": "Security",
"service": "Entra",
"guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
"id": "B03.12",
"id": "B03.13",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
"training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs"
Expand All @@ -303,7 +316,7 @@
"waf": "Security",
"service": "Entra",
"guid": "984a859c-773e-47d2-9162-3a765a917e1f",
"id": "B03.13",
"id": "B03.14",
"ammp": true,
"severity": "High",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
Expand All @@ -315,7 +328,7 @@
"text": "When deploying Microsoft Entra Connect, use a staging sever for high availability/disaster recovery.",
"waf": "Reliability",
"guid": "cd163e39-84a5-4b39-97b7-6973abd70d94",
"id": "B03.14",
"id": "B03.15",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server",
"training": "https://learn.microsoft.com/entra/identity/hybrid/connect/plan-connect-topologies"
Expand All @@ -327,7 +340,7 @@
"waf": "Security",
"service": "Entra",
"guid": "35037e68-9349-4c15-b371-228514f4cdff",
"id": "B03.15",
"id": "B03.16",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
"link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices"
Expand All @@ -339,7 +352,7 @@
"waf": "Security",
"service": "Entra",
"guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
"id": "B03.16",
"id": "B03.17",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy"
Expand Down Expand Up @@ -734,6 +747,30 @@
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
"training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "Hub and spoke",
"text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.",
"waf": "Reliability",
"service": "Load Balancers",
"guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
"id": "D01.11",
"severity": "High",
"graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
"link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "Hub and spoke",
"text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.",
"waf": "Reliability",
"service": "Load Balancers",
"guid": "48682fb1-1e86-4458-a686-518ebd47393d",
"id": "D01.12",
"severity": "High",
"graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
"link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "Encryption",
Expand Down Expand Up @@ -808,14 +845,27 @@
"training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "IP plan",
"text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ",
"waf": "Reliability",
"service": "Public IP Addresses",
"guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
"id": "D03.05",
"graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
"severity": "High",
"training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
"link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "IP plan",
"text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
"waf": "Operations",
"service": "DNS",
"guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
"id": "D03.05",
"id": "D03.06",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal"
Expand All @@ -827,7 +877,7 @@
"waf": "Security",
"service": "DNS",
"guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
"id": "D03.06",
"id": "D03.07",
"severity": "Medium",
"training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
"link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview"
Expand All @@ -839,7 +889,7 @@
"waf": "Operations",
"service": "DNS",
"guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
"id": "D03.07",
"id": "D03.08",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
"training": "https://learn.microsoft.com/training/courses/az-700t00"
Expand All @@ -851,7 +901,7 @@
"waf": "Operations",
"service": "DNS",
"guid": "614658d3-558f-4d77-849b-821112df27ee",
"id": "D03.08",
"id": "D03.09",
"severity": "High",
"training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration"
Expand Down Expand Up @@ -1491,7 +1541,7 @@
{
"category": "Network Topology and Connectivity",
"subcategory": "Firewall",
"text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
"text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.",
"waf": "Operations",
"service": "Firewall",
"guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
Expand All @@ -1512,14 +1562,39 @@
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
"training": "https://learn.microsoft.com/training/courses/az-104t00/"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "Firewall",
"text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.",
"waf": "Reliability",
"service": "Firewall",
"guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707",
"id": "D07.21",
"severity": "High",
"graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'",
"link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell",
"training": "https://learn.microsoft.com/training/courses/az-104t00/"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "Firewall",
"text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ",
"waf": "Reliability",
"service": "Firewall",
"guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc",
"id": "D07.22",
"severity": "High",
"graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'",
"link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "PaaS",
"text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
"waf": "Security",
"service": "App Gateway",
"guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
"id": "D07.21",
"id": "D07.23",
"severity": "High",
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
Expand Down Expand Up @@ -2113,8 +2188,20 @@
"guid": "aa45be6a-8f2d-4896-b0e3-885e6e94e770",
"id": "F01.20",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview",
"training": "https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview#installation"
"link": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview",
"training": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview#installation"
},
{
"category": "Management",
"subcategory": "Data Protection",
"text": "Ensure that storage accounts are zone or region redundant, Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost.",
"waf": "Reliability",
"guid": "0d83fd81-952c-4d47-a6cb-3a930925ef2e",
"id": "F01.21",
"graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)",
"severity": "High",
"link": "https://learn.microsoft.com/en-gb/azure/storage/common/redundancy-migration?tabs=portal",
"training": "https://learn.microsoft.com/azure/storage/common/storage-redundancy"
},
{
"category": "Management",
Expand Down
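Review bot: The Resource Graph query for the new DDoS Protection item D07.22 (the `"graph"` line of the `@@ -1512,14 +1562,39 @@` hunk) is not valid KQL and will error wherever it is executed, so the check would silently report no findings: the substring call has an unterminated string literal, `indexof(ipConfig.properties.subnet.id, /subnet')`, and the final stage `| , name, id = firewallId, …` has lost its operator. The likely intent is `indexof(ipConfig.properties.subnet.id, '/subnets')` and `| project name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'`. Running each new query once against a subscription before merging would have caught this, and the D07.21 query a few lines above shows the working shape. Separately, the new `"text"` values for D01.11, D01.12, D03.05, D07.22 and F01.21 splice their title and explanation with a comma (e.g. `… zone-redundant deployment, Selecting …`); a period after the title would read better. The D01.12 link also points at the `#zone-redundant` anchor although the item is about backend pool size.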
